Hi guys,
I am having problems setting up service_account scopes when creating a VM.
By default, VMs are using a default service account that has way too many permissions.
I created a new service account with restricted access but in order to assign a VM to it, I need to use “scopes” and I am having a hard time with it.
Compute Engine documentation says:
```hcl
service_account {
  # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
  email  = google_service_account.default.email
  scopes = ["cloud-platform"]
}
```
The service_account blocks say:
The service_account block supports:
email - (Optional) The service account e-mail address. If not given, the default Google Compute Engine service account is used.
scopes - (Required) A list of service scopes. Both OAuth2 URLs and gcloud short names are supported. To allow full access to all Cloud APIs, use the cloud-platform scope. See a complete list of scopes here.
The service accounts documentation explains that access scopes are the legacy method of specifying permissions for your instance. If you are following best practices and using IAM roles to grant permissions to service accounts, then you can define this field as an empty list.
Google complete scopes list shows:
At most one of these may be specified: `--scopes=[SCOPE,…]`
On that same note, I am trying to run:
```hcl
service_account {
  email  = "ACCOUNT@gserviceaccount.com"
  scopes = ["compute-ro,logging-write,monitoring-write,storage-ro,trace"]
}
```
But it gives me the error:
```
Error: Error creating instance: googleapi: Error 400: One or more of the service account scopes are invalid: 'compute-ro,logging-write,monitoring-write,storage-ro,trace', serviceAccountScopeInvalid
```
You might suggest I use “cloud-platform”, but it gives full API access to the VM even though the service account doesn’t have it.
I cannot figure out what to do. I don’t know if “cloud-platform” will use the permissions set by the service account but it shows “Full API access”.
I am lost.
Thank you
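The following is an added example, not code from the original post or from the Terraform provider documentation. It shows the two ways the `service_account` block is normally written, side by side: the poster's five scopes given as separate list elements (the single comma-joined string in the post is what the provider rejects with `serviceAccountScopeInvalid`), and the `cloud-platform` pattern where the IAM roles bound to the service account set the real limit. The instance name, zone, image, project id and the `roles/logging.logWriter` binding are assumptions chosen for illustration; the account e-mail is the placeholder from the post.

```hcl
# Added example (not from the original post). Placeholder values are marked.
# Effective permission of the VM's token = (access scopes) INTERSECT (IAM roles
# on the service account). With "cloud-platform" the scope side is wide open,
# so the IAM roles alone decide what the VM can do.

resource "google_compute_instance" "restricted_vm" {
  name         = "restricted-vm"          # constructed name
  machine_type = "e2-micro"               # assumption
  zone         = "us-central1-a"          # assumption

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"    # assumption
    }
  }

  network_interface {
    network = "default"                   # assumption
  }

  service_account {
    email = "ACCOUNT@gserviceaccount.com" # placeholder from the post

    # Option A: legacy, scope-limited token. One string per scope; gcloud short
    # names are accepted. Writing all five inside one quoted string makes a
    # one-element list whose single "scope" does not exist, hence the 400.
    scopes = [
      "compute-ro",
      "logging-write",
      "monitoring-write",
      "storage-ro",
      "trace",
    ]

    # Option B (the pattern the provider docs recommend): broad scope, tight
    # IAM. Swap the list above for this line and grant roles as below.
    # scopes = ["cloud-platform"]
  }
}

# IAM side of Option B: bind only the roles the workload needs to the service
# account itself. Here a single log-writer role; add more only as required.
resource "google_project_iam_member" "vm_log_writer" {
  project = "my-project-id"               # placeholder
  role    = "roles/logging.logWriter"     # assumption: example role
  member  = "serviceAccount:ACCOUNT@gserviceaccount.com"
}
```

After `terraform apply`, the scopes the instance actually received can be read from inside the VM via the metadata server at `http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes` (with the `Metadata-Flavor: Google` header); under Option B the list is just `https://www.googleapis.com/auth/cloud-platform`, and the IAM policy on the service account is what to review for least privilege.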