default service account does not have access to cloud sql and has only read only access to storage.
I tried adding cloud sql admin and storage admin permission to defautl service account but that does not seems to work.
I know it can be solved by using another service account that have these permission and using that when creating compute instance.
I am just curious to know why updating permission of default compute does not work?
It seems that updating the permissions on the Compute Engine default service account is not enough to set the correct level of access you are trying to give to your Compute Engine instance, since, as described here:
When you set up an instance to run as a service account, the level of access the service account has is determined by the combination of access scopes granted to the instance and IAM roles granted to the service account.
From my understanding you are only granting IAM roles to the service account, so, in order to give the desired access level, you should also update the Access scopes for your Compute Engine instance.
When you create a new Compute Engine instance, under Access scopes, it is selected "Allow default access" by default as you can see here New instance. This default access has Cloud SQL access disabled and Cloud Storage access as read-only.
You can refer to this documentation which explains how to change the access scopes for a Compute Engine instance:
To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance.
Once you stop your instance, you can change the Access scopes to either "Set access for each API" or to "Allow full access to all Cloud APIs".
If you choose to set access for each API, you will have to search for "Cloud SQL" and then select "Enabled" and also for "Storage" and select the desired option (Read Only, Write Only, Read Write, Full)
For more information on Access Scopes please refer to this doc and for more information on running Compute Engine instances as service account (including the default service account) please see this doc.
In the Cloud IAM Admin you have to select your Default Service Account by hitting on that pen to the right; then a side.bar will pop up, where you can assign the following roles: Cloud SQL Admin, Cloud SQL Client, Cloud SQL Editor, Cloud SQL Viewer. it's the default role is Editor.
Related
Although I've gave Owner role to that specific service, I can't use the permissions from my instances that I connect with SSH from my local.
Also can't upload my files to Storage bucket which I've created in cloud platform.
Here is the screenshots of the problem:
The problem might be caused by the access token not having the appropriate permission scopes to conduct the required activity. To make sure you're using the auth scope of this service account appropriately, I recommend doing the following:
Run the command in the Google documentation inside the VM to
create a new key for the service account. This will create a .json
file inside the current directory containing the private
authentication key for the service account.
Run the command in the Google documentation to activate the
service account.
Run the command: $gcloud auth list to check if this worked.
In the output you should see an asterisk before the service
account’s name, indicating that this is the service account you are
currently using.
Now refer to the Google documentation and run the $env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
Google Cloud Compute VMs have a setting for Access Scopes. This feature can limit the permissions that a service account has when attached to a virtual machine.
Go to the Google Cloud Console GUI, select your VM, stop the VM and then edit Acess Scopes to grant the permissions you require.
Access scopes
I'm trying to upload a file from a Google Cloud VM into a cloud storage bucket.
Expectedly it fails because the service account associated with the VM doesn't have permissions:
$ gsutil cp file.png gs://bucket/
Copying file://file.png [Content-Type=image/png]...
AccessDeniedException: 403 Insufficient Permission
From what I understand there are two ways to fix this:
modify the scopes from the VM web admin panel
change the permissions of the bucket and add the service account with write access (I'd prefer this because the other option seems to give access to all buckets in the same project)
However, it seems that both solutions require the VM to be stopped, which is problematic as it is a production server.
Is there any way to fix this without stopping the VM?
There are two methods of controlling permissions granted to a Compute Engine VM.
Access Scopes
Service Account assigned to the instance.
Both of these methods work together. The total permissions available to a Compute Engine instance is controlled by the service account. Access Scopes then limit the permissions assigned to the VM.
You must shutdown a VM to change the Access Scopes. Changing the service account roles does not require rebooting the VM.
For this question regarding Cloud Storage Access:
If the service account has a Cloud Storage role granting access to cloud storage but the Access Scope for Storage is set to None, then the VM will not have access to Cloud Storage even though the service account has the required role. In this case you must shutdown the VM to change the Access Scope to enable access to Cloud Storage.
If the VM Access Scope has Storage enabled, but the service account does not have a Cloud Storage role, the VM will not be able to access Cloud Storage. In this case, adding a Cloud Storage role to the service account will grant access to Cloud Storage without requiring a VM reboot.
Access Scopes (OAuth Scopes) are a legacy mechanism that existed prior to Google Cloud IAM. Given that you are using this VM in a production environment and shutting down the instance is not desired, I recommend the following:
Set the VM Access Scopes to "Allow full access to all Cloud APIs".
Create a new service account with the required roles and assign that service account to the Compute Engine VM instance.
I created a new VM in a google compute engine project. I changed the "Compute Engine" access scope to "Read Write" after creating the VM.
On the existing (long-running) VM, if I do:
gcloud iam service-accounts list
I see the default service account for the project.
However, if I do the same thing on the newly created VM, I get an error:
gcloud iam service-accounts list
ERROR: (gcloud.iam.service-accounts.list) User [<service-account>] does not have permission to access projects instance [<project>] (or it may not exist): Request had insufficient authentication scopes.
The original VM is a ubuntu-16, the new VM is ubuntu-18 freshly created from a google image.
If I look at the project IAM roles, my user has the following roles:
- Access Approval Config Editor
- Compute Admin
- Role Viewer
- Service Account Admin
- Owner
- Organization Administrator
What am I missing?
The access scopes for the two VMs are the same:
- Compute Engine Read Write
- Service Control Enabled
- Service Management Read Only
- Stackdriver Logging API Write Only
- Stackdriver Monitoring API Write Only
- Stackdriver Trace Write Only
- Storage Read Only
What controls access for the individual VMs other than the access scopes?
The problem was the SSH window was running under the service account, not my normal user account. I needed to run
gcloud init
to reconfigure to use my regular account.
I discovered this by doing
gcloud config list
on both machines.
PART 1
What controls access for the individual VMs other than the access
scopes?
The union of Compute Engine Scopes and service account permissions.
Google Compute Engine scopes limit permissions, scopes do not grant permissions.
The service account assigned to Compute Engine determines the permissions/roles that are available. Scopes can limit those permissions granted to the service account. Scopes cannot grant permissions that the service account does not already have.
Scopes are a legacy authorization mechanism.
PART 2
gcloud iam service-accounts list ERROR:
(gcloud.iam.service-accounts.list) User [] does not
have permission to access projects instance [] (or it may not
exist): Request had insufficient authentication scopes.
Part of this message is confusing to most people. Scopes are a legacy authentication mechanism that Google used before IAM. Scopes are similar to permissions and in this message mean OAuth 2 Permissions.
The command gcloud iam service-accounts list requires the permission iam.serviceAccounts.list which is present in roles such as roles/iam.serviceAccountUser named Service Account User. The service account mentioned in the error does not have one of the roles granting the permission to list service accounts or the Scopes are limiting a permission granted to the service account. Read my recommendation at the end.
Service Account Roles
Part 3
If I look at the project IAM roles, my user has the following roles:
The roles assigned to the user are not related to the roles assigned to the Compute Engine service account.
If you logged into Compute Engine using SSH and did not do anything else to authenticate then you are using Compute Engine Default Service Account credentials. Service Account and Scopes affect your permissions.
If you logged into Compute Engine using SSH and you use your own account for authentication (gcloud auth login or similar) then your user identity is using the the permissions granted to your user account and not the Compute Engine Default service account credentials.
Part 4
The original VM is a ubuntu-16, the new VM is ubuntu-18 freshly
created from a google image.
If the scopes are the same for both VMs, then your issue is the service account. Normally Compute Engine VMs use the Compute Engine Default Service Account. You can change which service account is assigned to each VM. Double check what is assigned to each VM.
Summary
I recommend that you set the scopes to Allow full access to all Cloud APIs and control the permissions via roles granted to the service account. Do not use roles such as Project Owner or Project Editor. Those roles are very powerful. Use fine grained permissions for each Google Cloud service that Compute Engine needs to access.
I have one person (a) who is in charge of administrating our Windows instances on Google Cloud and another person manages our Ubuntu instances. I want to allow the first person to have permission to start, stop, reset, change metadata / instance-size and login as admin on the Windows instances, but I don't want them to have access to perform those actions on any of the Ubuntu instances. All of the instances are part of the same project.
Is there any way to grant such permissions at an instance-level, without granting them for all instances in the project?
Google Compute Engine supports specifying the service account to use for the instance.
I recommend creating a new service account, assigning the Project Editor role and then assign that service account to instances that require this level of permission.
I do not recommend using Compute Engine Scopes to control permissions. Specify the desired roles for the service account, assign the service account to Compute Engine and specify "Allow full access to all Cloud APIs". The actual permissions will be controlled by the service account roles. Scopes are too granular in some cases.
I wrote an article that dives deeper into Compute Engine service accounts.
Google Cloud – Compute Engine Service Accounts
GCP allows one to provide fine grained permissions on Compute Engine instances. This appears to be well documented in the documentation found at:
Granting access to Compute Engine resources
At the highest level, we can assign permissions either through Cloud Console or through the gcloud command.
I was having trouble finding a way to do this because it is not available from the "IAM" section on Google Cloud. However, you can assign instance-specific roles and permissions form the Cloud Engine - VM Instances Page:
Go to the Computer Engine VM Instances page: https://console.cloud.google.com/compute/instances
Click the checkbox beside the instance(s) to which you want to assign instance-specific roles.
Click on "Show Info Panel".
On the "Info Panel" on the right side of the screen under "Permissions" click "Add Members".
Select the members / roles you want to assign and click "Save".
I have a project on Google Cloud where in I have a few vm instances created.
I need to give someone access to only one of the instances
For now I have given them access to all the instances by adding them through IAM as
Compute Engine Instance Admin
Adding her as a default compute engine service account actor
But how do I change this to give them access to only one of the instances please ?
Thanks
It is possible to manually add their public SSH key to the machine: the
documentation can be found here.
You will generate a public/private key pair, format it, upload the public one to the machine and the user will be able to connect to the machine using the private one.
Then remove the Compute Engine Instance Admin role to take away her access to the other instances.
If you leave her role as default compute engine service account actor, she may assume the same rights as the service account, which by default is project editor.
The best way to limit this is create a new service account with only the scopes you wish to grant (perhaps access to Storage or some other APIs), set it as the service account for the instance and add the user as its actor. You can read more here.
The best practice to grant SSH to a User on GCP is :
Edit the VM instance, in the metadata section add
enable-oslogin=TRUE
On the project level add the roles Service Account User and Compute viewer to the user
On the instance level, on the panel of permissions: add the role Compute OS Admin Login or Compute OS Login to the user