stackoom
  简体   繁体   中英

What IAM permissions do I need to use to create a Service Account similar to Default Compute Engine Service Account?

 原文  2021-10-04 08:29:19       google-cloud-platform/ google-compute-engine/ service-accounts

Question

I've deleted the default service account and it has been longer than 30 days. I don't know if it applies to all marketplace solutions, but the one that I want to use can't be launched without the compute engine default service account.

What are the IAM permissions I need to set to create a service account that has the same permissions as the compute engine default service account to launch VM from marketplace?

I tried Compute Admin, compute.imageUser and Compute Instance Admin, but to no avail.

In addition to that, why does the marketplace solution require the default service account when it is recommended to disable/remove the default compute engine service account because of the editor role?

2 answers

solution1
 1  2021-10-04 10:00:40

What is the compute engine default service account?

By default, the account is automatically granted the project editor role on the project and is listed in the IAM section of Cloud Console. This service account is only deleted when the project is deleted. However, you can change the roles granted to this account, including revoking all access to your project.

Documentation

solution2
 0  2021-10-04 17:36:22

You can undelete a service account only if it is deleted fewer than 30 days ago.

Instead of that, we can create a new service account and grant an 'Editor' role to it, as a default compute engine service account has the same role by default. Refer to Compute Engine default service account for more information.

To set the service account as the compute engine default service account on the project, we can use the following command :

gcloud alpha compute project-info set-default-service-account

But since the command is in the 'alpha' launch stage , it is not available for everyone.

I could suggest the following options:

  1. Create a new project .
  2. Request an Alpha feature that allows setting a new service account as the compute engine default service account.

If you have questions regarding an Alpha release or participation in an Alpha program, please reach out to sales . In this case a sales team needs to approve it.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Terraform google_project_iam_binding deletes GCP compute engine default service account from IAM principals What are the IAM permissions required for an App engine service account to connect with a CloudSQL with Private IP? What service account permissions are required for firebase cloud messaging on app engine? Logging into google compute engine with a service account What service account permissions should I set for secure flexible app engine -> cloud function communication What IAM permissions do I need for a service key that can run “gcloud builds submit” and “gcloud run deploy”? GCP permissions: access scopes and custom IAM service account roles How do I use gcloud with a service account? Deploying App Engine Flex from Compute Engine with service account Google Cloud, Kubernetes and Cloud SQL proxy: default Compute Engine service account issue
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM