
GCP SERVICE_ACCOUNT_ACCESS_DENIED when trying to deploy instance with deployment manager


I am new to the Google Cloud Platform Deployment Manager and I am trying to deploy an instance that has the service account attached along with the necessary APIs that I need. My code to attach the service account along with the APIs within the instance template is as follows:

     - email: <service-account-email@developer.gserviceaccount.com>
       scopes:
       - https://www.googleapis.com/auth/cloud-platform
       - https://www.googleapis.com/auth/compute
       - https://www.googleapis.com/auth/servicecontrol
       - https://www.googleapis.com/auth/service.management.readonly
       - https://www.googleapis.com/auth/logging.write
       - https://www.googleapis.com/auth/monitoring.write
       - https://www.googleapis.com/auth/trace.append
       - https://www.googleapis.com/auth/devstorage.read_write

After executing the code to deploy my instance I run into the following error message:

- code: RESOURCE_ERROR
  location: /deployments/gcpnetwork/resources/instance name
  message: "{\"ResourceType\":\"compute.v1.instance\",\"ResourceErrorCode\":\"SERVICE_ACCOUNT_ACCESS_DENIED\"\
    ,\"ResourceErrorMessage\":\"The user does not have access to service account '<service-account-email@developer.gserviceaccount.com>'.\
    \  User: 'service-account-id-number@cloudservices.gserviceaccount.com'.  Ask a project owner\
    \ to grant you the iam.serviceAccountUser role on the service account\"}"

I have assigned the appropriate permissions for both Service Account and Service Account User under the IAM & Admin console with no luck. I am also the project owner and have full access to all GCP resources. Is there anything that I am missing or doing wrong? I also tried to impersonate the service account but it is still not working; please help clarify this.


Solution

  • I managed to find a way around the problem without going through the IAM user role as the error was suggesting. The error was caused by trying to attach the service account directly within the Deployment Manager's instance template. This causes the Deployment Manager to think you are trying to create a new service account when the instance is deployed, which was not the case, since I was trying to use the default service account within the existing project. So attaching the service account email directly this way:

     - email: <service-account-email@developer.gserviceaccount.com>
       scopes:
       - https://www.googleapis.com/auth/cloud-platform
       - https://www.googleapis.com/auth/compute
       - https://www.googleapis.com/auth/servicecontrol
       - https://www.googleapis.com/auth/service.management.readonly
       - https://www.googleapis.com/auth/logging.write
       - https://www.googleapis.com/auth/monitoring.write
       - https://www.googleapis.com/auth/trace.append
       - https://www.googleapis.com/auth/devstorage.read_write

    causes an error. The workaround was using the value email: default along with the scope list to solve the issue:

     - email: default
       scopes:
       - https://www.googleapis.com/auth/cloud-platform
       - https://www.googleapis.com/auth/compute
       - https://www.googleapis.com/auth/servicecontrol
       - https://www.googleapis.com/auth/service.management.readonly
       - https://www.googleapis.com/auth/logging.write
       - https://www.googleapis.com/auth/monitoring.write
       - https://www.googleapis.com/auth/trace.append
       - https://www.googleapis.com/auth/devstorage.read_write

    This allows the Deployment Manager to choose the default service account within the existing project. Also note that having the scope - https://www.googleapis.com/auth/cloud-platform within the scope list gives you access to all instance APIs. So removing - https://www.googleapis.com/auth/cloud-platform from the scope list and using it this way:

     - email: default
       scopes:
       - https://www.googleapis.com/auth/compute
       - https://www.googleapis.com/auth/servicecontrol
       - https://www.googleapis.com/auth/service.management.readonly
       - https://www.googleapis.com/auth/logging.write
       - https://www.googleapis.com/auth/monitoring.write
       - https://www.googleapis.com/auth/trace.append
       - https://www.googleapis.com/auth/devstorage.read_write

    was what I needed, since I did not want access to all the instance APIs. But if you want access to all instance APIs, you only need to specify the default value with the cloud-platform scope this way:

     - email: default
       scopes:
       - https://www.googleapis.com/auth/cloud-platform

    I hope this is clear enough and helps anyone who comes across the same issue.
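As an added check, not part of the question or answer above: a small Python audit that walks a parsed Deployment Manager config and reports, for each compute.v1.instance, whether it uses email: default and whether its scope list includes the cloud-platform scope that the answer notes grants access to all APIs. The config dict and the service-account address in it are constructed for this example and are not from the original post.

```python
# Constructed sample mirroring the post: the parsed form of a Deployment
# Manager config with two compute.v1.instance resources (no YAML library
# needed, since the dict is what parsing the YAML would yield).
BROAD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"  # all APIs

SAMPLE_CONFIG = {
    "resources": [
        {   # narrowed scope list on the project's default service account
            "name": "narrow-vm",
            "type": "compute.v1.instance",
            "properties": {"serviceAccounts": [{
                "email": "default",
                "scopes": [
                    "https://www.googleapis.com/auth/compute",
                    "https://www.googleapis.com/auth/logging.write",
                    "https://www.googleapis.com/auth/monitoring.write",
                ],
            }]},
        },
        {   # explicit account (placeholder address) with the broad scope
            "name": "broad-vm",
            "type": "compute.v1.instance",
            "properties": {"serviceAccounts": [{
                "email": "sa-placeholder@example-project.iam.gserviceaccount.com",
                "scopes": [BROAD_SCOPE],
            }]},
        },
    ]
}


def audit_service_accounts(config):
    """Return one finding per serviceAccounts entry on each compute instance."""
    findings = []
    for res in config.get("resources", []):
        if res.get("type") != "compute.v1.instance":
            continue
        for acct in res.get("properties", {}).get("serviceAccounts", []):
            email = acct.get("email", "default")
            scopes = acct.get("scopes", [])
            findings.append({
                "resource": res["name"],
                "email": email,
                "uses_default_account": email == "default",
                "broad_scope": BROAD_SCOPE in scopes,  # grants every API
                "scope_count": len(scopes),
            })
    return findings
```

Feed it the parsed form of your own config to see which instances rely on the broad cloud-platform scope rather than the narrowed list the answer ends up using.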