Unable to set service_account scopes

Hi guys,

I am having problems setting up service_account scopes when creating a VM.
By default, VMs are using a default service account that has way too many permissions.
I created a new service account with restricted access but in order to assign a VM to it, I need to use “scopes” and I am having a hard time with it.

Compute Engine documentation says:

service_account {
  # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
  email  = google_service_account.default.email
  scopes = ["cloud-platform"]
}

The service_account blocks say:

The service_account block supports:

    email - (Optional) The service account e-mail address. If not given, the default Google Compute Engine service account is used.

    scopes - (Required) A list of service scopes. Both OAuth2 URLs and gcloud short names are supported. To allow full access to all Cloud APIs, use the cloud-platform scope. See a complete list of scopes here.

    The service accounts documentation explains that access scopes are the legacy method of specifying permissions for your instance. If you are following best practices and using IAM roles to grant permissions to service accounts, then you can define this field as an empty list.

Google complete scopes list shows:

At most one of these may be specified:

`--scopes=[SCOPE,…]`

On that same note, I am trying to run:

service_account {
  email  = "ACCOUNT@gserviceaccount.com"
  scopes = ["compute-ro,logging-write,monitoring-write,storage-ro,trace"]
}

But it gives me the error:

 Error: Error creating instance: googleapi: Error 400: One or more of the service account scopes are invalid: 'compute-ro,logging-write,monitoring-write,storage-ro,trace', serviceAccountScopeInvalid

You might suggest me to use “cloud-platform” but it gives full API access to the VM even though the service account doesn’t have it.
I cannot figure out what to do. I don’t know if “cloud-platform” will use the permissions set by the service account but it shows “Full API access”.

I am lost.

Thank you

Important note: if I set the scope to an empty list so I can specify the service account to be used, no service account is assigned to the VM.

I found the problem, I was supposed to set it like:

scopes = [
  "compute-ro",
  "logging-write",
  "monitoring-write",
  "storage-ro",
  "trace",
]

And I also realised that I skipped an important note:

If you are following best practices and using IAM roles to grant permissions to service accounts, then you can define this field as an empty list.

This is my case but setting scopes with an empty list does not assign a service account to the VM, forcing me to use the workaround from above.

Ideas??

Thank you
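For reference, here is a complete least-privilege configuration of the kind the thread arrives at. This is an added example, not code from the original post or from the Terraform provider docs; the service account name, roles, machine type, image and zone are assumptions, and `var.project_id` is a placeholder for the project that owns the VM. The scopes are listed as separate strings, which is what the working fix above does, and the IAM role bindings (the approach the quoted docs recommend) are what actually bound the VM's permissions: a token issued to the instance can never do more than the intersection of its access scopes and the service account's IAM roles.

```hcl
variable "project_id" { type = string } # assumed: project that owns the VM

resource "google_service_account" "vm_sa" {
  account_id   = "restricted-vm-sa" # assumed name
  display_name = "Restricted VM service account"
}

# Grant only the roles the workload needs; effective access is the intersection
# of these IAM roles and the instance's access scopes.
resource "google_project_iam_member" "vm_sa_logging" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.vm_sa.email}"
}

resource "google_project_iam_member" "vm_sa_monitoring" {
  project = var.project_id
  role    = "roles/monitoring.metricWriter"
  member  = "serviceAccount:${google_service_account.vm_sa.email}"
}

resource "google_compute_instance" "vm" {
  name         = "restricted-vm"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }

  service_account {
    email = google_service_account.vm_sa.email
    # Each scope is its own list element; one comma-joined string is rejected
    # with serviceAccountScopeInvalid, as the error earlier in the thread shows.
    scopes = [
      "logging-write",
      "monitoring-write",
      "storage-ro",
    ]
    # Alternative: scopes = ["cloud-platform"]. The token's scope is wider, but
    # the VM still cannot exceed the IAM roles bound above.
  }
}
```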

I have reproduced the behavior that whisley.santos observed:

setting scopes with an empty list does not assign a service account to the VM, forcing me to use the workaround from above.

Why is the service account not getting assigned (gcloud auth list yields an empty list when I ssh into the instance)?