I am new to the Google Cloud Platform Deployment Manager and I am trying to deploy an instance that has the service account attached along with the necessary APIs that I needed. My code to attach the service account along with the APIs within the instance template is as follows:
    - email: <[email protected]>
      scopes:
      - https://www.googleapis.com/auth/cloud-platform
      - https://www.googleapis.com/auth/compute
      - https://www.googleapis.com/auth/servicecontrol
      - https://www.googleapis.com/auth/service.management.readonly
      - https://www.googleapis.com/auth/logging.write
      - https://www.googleapis.com/auth/monitoring.write
      - https://www.googleapis.com/auth/trace.append
      - https://www.googleapis.com/auth/devstorage.read_write
After executing the code to deploy my instance I run into the following error message:
    - code: RESOURCE_ERROR
      location: /deployments/gcpnetwork/resources/instance name
      message: "{\"ResourceType\":\"compute.v1.instance\",\"ResourceErrorCode\":\"SERVICE_ACCOUNT_ACCESS_DENIED\"\
        ,\"ResourceErrorMessage\":\"The user does not have access to service account '<[email protected]>'.\
        \ User: '[email protected]'. Ask a project owner\
        \ to grant you the iam.serviceAccountUser role on the service account\"}"
I have assigned the appropriate permissions for both service account and service account user under the IAM - IAM & Admin console with no luck. I am also the project owner and have full access to all GCP resources. Is there anything that I am missing or doing wrong? I also tried to impersonate the service account but it is still not working. Please help clarify this.
cloud-platform for the instance. Legacy roles such as Owner and permissions such as Compute Engine Scopes are the old way before IAM was developed. You are incorrectly mixing them together.
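
The approach described in the answer, as an added example that is not code from the question or the answer: a Deployment Manager config that attaches the service account with the single cloud-platform scope and leaves access control to IAM roles. The resource name, zone, machine type, image, the upper-case placeholders and the choice of replacement roles are assumptions.

```yaml
# Added example. The resource name, zone, machine type, image and the
# UPPER_CASE placeholders are assumptions, not values from the page.
resources:
- name: example-vm
  type: compute.v1.instance
  properties:
    zone: us-central1-a
    machineType: zones/us-central1-a/machineTypes/e2-small
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: projects/debian-cloud/global/images/family/debian-12
    networkInterfaces:
    - network: global/networks/default
    serviceAccounts:
    - email: SERVICE_ACCOUNT_EMAIL
      scopes:
      # One broad scope only. What the VM can actually do is then limited
      # by the IAM roles held by the service account, not by a scope list.
      - https://www.googleapis.com/auth/cloud-platform

# Grants made outside this config, with gcloud:
#
# 1. The role named in the error, on the service account itself, for the
#    identity shown after "User:" in the error message
#    (MEMBER_FROM_ERROR takes the form user:EMAIL or serviceAccount:EMAIL):
#      gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
#        --member=MEMBER_FROM_ERROR --role=roles/iam.serviceAccountUser
#
# 2. Narrow roles for the service account, one possible replacement for the
#    narrow scopes in the question (logging.write, monitoring.write,
#    trace.append):
#      gcloud projects add-iam-policy-binding PROJECT_ID \
#        --member=serviceAccount:SERVICE_ACCOUNT_EMAIL \
#        --role=roles/logging.logWriter
#    Repeat with roles/monitoring.metricWriter and roles/cloudtrace.agent.
```

Because the cloud-platform scope no longer restricts anything, the roles granted in step 2 are the only limit on what code running on the VM can do, so keep them as narrow as the workload allows.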