
Authenticate towards GCP Bucket via running instance as service account


In my GCP project, I'm trying to upload a file to a bucket. The problem is the authorization.

I'm running a Node.js webserver within a managed Compute Instance.

Trying to follow the docs https://cloud.google.com/docs/authentication/client-libraries It leads me to https://cloud.google.com/docs/authentication/provide-credentials-adc and I think that "Google Cloud services that support attaching a service account" is what I want: Running the VM with a specified service account.

In order to do so, I pass - when building the template for the instance - the service account name as a parameter like

gcloud beta compute instance-templates create-with-container --service-account my-service-account@my-project.iam.gserviceaccount.com

And that seems to work: When checking the properties of the instance in question, the section "API and identity management" says: Service account my-service-account@my-project.iam.gserviceaccount.com

I thought that would be sufficient for ADC. But obviously, it's not. I get "Access denied" when trying to access the bucket.

Missing rights of my-service-account@my-project.iam.gserviceaccount.com regarding that very bucket cannot be the problem. I have created a temporary token for that very service account. If I pass that token like

const { Storage } = require('@google-cloud/storage');

// Explicit key-based credentials (the path the question wants to avoid).
const storage = new Storage({
    projectId: 'my-project',
    credentials: {
        private_key: ....<<<MY TOKEN HERE>>>,
        client_email: 'my-service-account@my-project.iam.gserviceaccount.com',
    },
});

then everything works. (However, I don't want that solution and would prefer a solution with token.)

So, what am I missing to get Application Default Credentials (ADC) done?


Solution

  • Figured it out finally, the problem was missing scopes in the template creation. Adding a parameter like

    --scopes https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/trace.append,https://www.googleapis.com/auth/devstorage.read_write

    to the gcloud beta compute instance-templates create-with-container command solved the problem.