I have a GCP VM set to use a service account so in the VM instance details on the console:
Service account
When I run the command for installing the monitoring agent I saw this:
Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.ssh) Could not add SSH key to instance metadata:
- Required 'compute.instances.setMetadata' permission for 'projects/MYPROJECT/zones/us-central1-a/instances/MYVM'
I gave the service account the Compute Admin role on the instance (not the whole project) and re-ran. The results are then more confusing:
Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.ssh) Could not add SSH key to instance metadata:
- The user does not have access to service account '[email protected]'. User: '[email protected]'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
Do I really grant the iam.serviceAccountUser role on the service account so it can use itself? Is there another way I can run the script as me rather than the service account, since I am a project admin/owner?
That's correct, per the official documentation of the compute admin role:
Full control of all Compute Engine resources.
If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.
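The binding the error message asks for can be scoped to the service account resource itself rather than the whole project (a project-level roles/iam.serviceAccountUser grant would let the principal act as every service account in the project). The following is an added example, not code from the question or the answer: it edits the JSON that `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` returns so the result can be applied with `gcloud iam service-accounts set-iam-policy SA_EMAIL policy.json`. The service account address, project name and sample policy contents are placeholders; the page's own addresses are redacted.

```python
"""Grant roles/iam.serviceAccountUser on one service account, not project-wide.

Added example. Edits the JSON policy that
  gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json > policy.json
returns, so the result can be applied with
  gcloud iam service-accounts set-iam-policy SA_EMAIL policy.json
The service account and project names used here are placeholders.
"""
import copy
import json
import re
from typing import Any

SA_USER_ROLE = "roles/iam.serviceAccountUser"
# IAM member strings this example accepts: user:, group:, serviceAccount:
MEMBER_RE = re.compile(r"^(user|serviceAccount|group):[^\s:]+@[^\s:]+$")

# Constructed sample policy, shaped like get-iam-policy output (placeholder values).
SAMPLE_POLICY: dict[str, Any] = {
    "bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:admin@example.com"]},
    ],
    "etag": "BwWExampleEtag=",
    "version": 1,
}


def has_binding(policy: dict[str, Any], role: str, member: str) -> bool:
    """True if an unconditional binding for role already lists member."""
    return any(
        b.get("role") == role
        and "condition" not in b
        and member in b.get("members", [])
        for b in policy.get("bindings", [])
    )


def add_binding(policy: dict[str, Any], role: str, member: str) -> dict[str, Any]:
    """Return a copy of policy with member added under role.

    Idempotent: a member already present is not duplicated. Conditional
    bindings (policy version 3) are left untouched; the member goes into the
    unconditional binding for the role, or a new one is created. The etag is
    preserved so set-iam-policy rejects the write if the policy changed
    underneath us (optimistic concurrency).
    """
    if not MEMBER_RE.match(member):
        raise ValueError(f"not a user/group/serviceAccount member: {member!r}")
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for b in bindings:
        if b.get("role") == role and "condition" not in b:
            members = b.setdefault("members", [])
            if member not in members:
                members.append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


def grant_self_user(policy: dict[str, Any], sa_email: str) -> dict[str, Any]:
    """Let the service account act as itself, as the Compute Admin docs require."""
    return add_binding(policy, SA_USER_ROLE, f"serviceAccount:{sa_email}")


def render(policy: dict[str, Any]) -> str:
    """JSON ready to be written to policy.json for set-iam-policy."""
    return json.dumps(policy, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    sa = "sa-name@my-project.iam.gserviceaccount.com"  # placeholder address
    print(render(grant_self_user(SAMPLE_POLICY, sa)))
```

Apply the rendered policy with `gcloud iam service-accounts set-iam-policy SA_EMAIL policy.json`; because the etag is carried over, gcloud refuses the write if someone else changed the policy in between, so re-run get-iam-policy and retry rather than stripping the etag. For the second part of the question, gcloud on a VM picks up the attached service account from the metadata server unless another account is active, so running `gcloud auth login` (or selecting an already authorised account with `gcloud config set account`) on the VM makes the command run as that user instead of the service account.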