Search code examples
google-cloud-platformservice-accountsgoogle-iam

GCE instance ignoring service account roles

I am currently trying to provision a GCE instance that will execute a Docker container in order to retrieve some information from the web and push them to BigQuery.

Now, the newly created service account (screenshot below) doesn't affect the api scopes whatsoever. This obviously makes the container fail when authenthicating to BQ. Funny thing is, when I use the GCE default service account and select auth scopes manually from the GUI everything works like a charm.

I am failing to understand why the following service account doesn't open api auth scopes to the machine. I might be overlooking something really simple on this one.

enter image description here

Context

The virtual machine is created and run with the following gcloud command:

#!/bin/sh
gcloud compute instances create-with-container gcp-scrape \
    --machine-type="e2-micro" \
    --boot-disk-size=10 \
    --container-image="gcr.io/my_project/gcp_scrape:latest" \
    --container-restart-policy="on-failure" \
    --zone="us-west1-a" \
    --service-account gcp-scrape@my_project.iam.gserviceaccount.com \
    --preemptible

This is how bigquery errors out when using my custom service account:

Access Denied: BigQuery BigQuery: Missing required OAuth scope. Need BigQuery or Cloud Platform read scope.
Solution

  • You haven't specified a --scopes flag, so the instance uses the default scope which doesn't include BigQuery.

    To let the instance access all services that the service account can access, add --scopes https://www.googleapis.com/auth/cloud-platform to your command line.