[Nomad][Autoscaler] Least privilege for nomad autoscaler MIG

Hi, what is the least privilege for nomad-autoscaler in GCP MIG,
we want to supply it with the serviceaccount json, with least privilege,
didn’t find right documentation for it, checking in here but not mentioned.

or is there anything that I didn’t know for configuring the nomad-autoscaler for GCP MIG ?


Hi @petrukngantuk1 :wave:

That’s a good questions, and something we should document. Looking at the code, the GCP plugin only calsl get, list and deleteInstances from the Compute API, so I created a role with only these two permissions and it seems to have been enough:


Could give this a try and let us know if it works for you as well? If it does, we’ll update the docs with this new information.

Thank you.

Okay, thanks, will try and let you know

Hi, not sure why it’s not fully working, but we use this terraform our terraform code, as we deploy nomad-autoscaler outside GCP

module "service_accounts" {
  source        = "terraform-google-modules/service-accounts/google"
  version       = "~> 3.0"
  project_id    = var.gcp_project_id
  names         = [substr(local.service_account_name,0,30)]
  display_name  = local.service_account_name
  generate_keys = true
  project_roles = [
    format("%s=>roles/compute.instanceAdmin.v1", var.gcp_project_id),

How are you passing the service credentials to the Autoscaler?

we are using the service account json

Hum…then I’m not sure. I tested with only those two permissions in a service account and it worked.

Do you have any extra details as to which API was throwing the error?

Maybe try all permissions for compute.instanceGroupManagers and reduce one at a time?


Source: Compute Engine-IAM-Rollen und -Berechtigungen