I'd like to get automated deployments going for a VM that I have running in Google Cloud. As part of that, I'm trying to use a service account to SCP my files up to the VM in GCP, but unfortunately I can't seem to figure out what the correct permissions should be.
After scouring the documentation, I have a service account with these permissions:
but when I run the commands below, I get the following output:
+ ./google-cloud-sdk/bin/gcloud auth activate-service-account --key-file=./service-account.json
Activated service account credentials for: [scp-test@my-project.iam.gserviceaccount.com]
+ ./google-cloud-sdk/bin/gcloud beta compute scp hello.txt scp-test:c:/hello.txt --quiet --project=my-project --ssh-key-file=./.ssh/key --zone=us-east4-c
WARNING: The public SSH key file for gcloud does not exist.
WARNING: The private SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
Generating public/private rsa key pair.
Your identification has been saved in /Users/mac-user/Downloads/scp-test/.ssh/key.
Your public key has been saved in /Users/mac-user/Downloads/scp-test/.ssh/key.pub.
The key fingerprint is:
{OMITTED}
The key's randomart image is:
{OMITTED}
External IP address was not found; defaulting to using IAP tunneling.
Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.scp) Could not add SSH key to instance metadata:
- The user does not have access to service account '{OMITTED}-compute@developer.gserviceaccount.com'. User: 'scp-test@my-project.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
Granting my scp-test user the iam.serviceAccountUser role works, but this seems to be bad practice, since it then makes my scp-test user able to impersonate the default account ('{OMITTED}-compute@developer.gserviceaccount.com'), which then seems to give it full access to everything.
How do I grant it only the permissions that it needs for SCP?
In order to use SSH/SCP, you need instance admin rights on Compute Engine.
"Service account" here means the service account IAM member that gcloud is configured to use: scp-test@my-project.iam.gserviceaccount.com
You need to give the service account this role:
roles/compute.instanceAdmin.v1
Since your compute instance is also configured to use a service account, you also need this role for your service account:
roles/iam.serviceAccountUser
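As an added example (not code from the question or the answer above), the following POSIX shell script grants exactly the two roles the answer names, but binds roles/iam.serviceAccountUser on the VM's own service account rather than on the whole project, so the deploy account can act as that one service account only, which is the over-broad grant the asker was worried about. It also includes a small audit helper that flags members holding roles/iam.serviceAccountUser project-wide. The project, zone and account names are placeholders; gcloud is only executed when APPLY=1, otherwise the commands are printed. Note that the transcript shows gcloud falling back to IAP tunneling; in that case roles/iap.tunnelResourceAccessor is also required, which the answer does not mention and which is left as a comment here.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumptions: all names below are placeholders; gcloud is only invoked
# when APPLY=1, otherwise the generated commands are printed for review.

PROJECT="${PROJECT:-my-project}"
# The deploy account gcloud is authenticated as.
DEPLOY_SA="${DEPLOY_SA:-scp-test@my-project.iam.gserviceaccount.com}"
# The service account attached to the VM (the "-compute@developer" account
# named in the error message); placeholder project number.
INSTANCE_SA="${INSTANCE_SA:-123456789012-compute@developer.gserviceaccount.com}"

# Project-level binding: roles/compute.instanceAdmin.v1 lets the deploy
# account write SSH keys into instance/project metadata, the step that
# failed with "Updating instance ssh metadata...failed".
instance_admin_cmd() {
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=roles/compute.instanceAdmin.v1\n' "$1" "$2"
}

# Resource-level binding: roles/iam.serviceAccountUser on ONE service
# account (the VM's), not on the project, so the deploy account cannot act
# as every other service account in the project.
sa_user_cmd() {
  printf 'gcloud iam service-accounts add-iam-policy-binding %s --member=serviceAccount:%s --role=roles/iam.serviceAccountUser --project=%s\n' "$1" "$2" "$3"
}

# If gcloud tunnels through IAP (as in the transcript), this project-level
# role is also needed; it is not part of the answer above:
#   gcloud projects add-iam-policy-binding "$PROJECT" \
#     --member=serviceAccount:"$DEPLOY_SA" --role=roles/iap.tunnelResourceAccessor

# Audit helper: reads the flattened project policy on stdin, one
# "role,member" line per binding, which is the shape produced by
#   gcloud projects get-iam-policy PROJECT --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"
# and prints the members that hold roles/iam.serviceAccountUser at project
# level, i.e. can act as every service account in the project.
project_wide_sa_users() {
  grep '^roles/iam.serviceAccountUser,' | cut -d, -f2 | sort -u
}

# Constructed sample policy output (not real data) to exercise the audit
# helper: the deploy account here has the project-wide grant.
SAMPLE_POLICY='roles/compute.instanceAdmin.v1,serviceAccount:scp-test@my-project.iam.gserviceaccount.com
roles/iam.serviceAccountUser,serviceAccount:scp-test@my-project.iam.gserviceaccount.com
roles/viewer,user:alice@example.com'

echo "# Least-privilege grants for SCP (run with APPLY=1 to execute):"
instance_admin_cmd "$PROJECT" "$DEPLOY_SA"
sa_user_cmd "$INSTANCE_SA" "$DEPLOY_SA" "$PROJECT"

echo "# Members with project-wide serviceAccountUser in the sample policy:"
printf '%s\n' "$SAMPLE_POLICY" | project_wide_sa_users

if [ "${APPLY:-0}" = "1" ]; then
  eval "$(instance_admin_cmd "$PROJECT" "$DEPLOY_SA")"
  eval "$(sa_user_cmd "$INSTANCE_SA" "$DEPLOY_SA" "$PROJECT")"
fi
```

To audit a real project instead of the constructed sample, pipe the output of the get-iam-policy command quoted in the comment into project_wide_sa_users; any member it prints can act as every service account in the project, which is the broad grant the scoped sa_user_cmd binding avoids.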