Ensuring GCE instances have full access to GCP APIs


This content originally appeared on DEV Community and was authored by David Haley

The default settings for GCE instances are fairly locked down from accessing Google APIs, but it's not obvious that's happening!

Check out the instance creation settings:

Screenshot of the Identity and API access settings

You might think that "allow default access" means "use normal permissions as already configured". But … no 😅 Hover over the "?" icon and see:

Default: read-only access to Storage and Service Management, write access to Stackdriver Logging and Monitoring, read/write access to Service Control.

In other words, creating a GCE instance with default settings means you can't write to storage even if the default service account has write permissions.

You have two options:

  • Go with full access according to permissions: Allow full access to all Cloud APIs

  • Customize each service: Set access for each API

I went with the former, as I'm ok relying on the service account permissions. It's nice to know a more secure environment could lock down the account to just what's needed for that particular case (vs everything the account can do).

🔐

After this change, I can create VMs that can read/write storage. Ahh 😌
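The scope behaviour described above, as an added example that is not part of the original post: it reads the scope list a VM was created with and computes the storage access the instance actually gets, which is the lesser of the IAM grant and the scope ceiling. The `none`/`read`/`write`/`full` levels are a simplification assumed for illustration, and the sample scope lists are constructed from the tooltip text.

```python
import urllib.request

SCOPE_PREFIX = "https://www.googleapis.com/auth/"
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                "instance/service-accounts/default/scopes")

# Highest Cloud Storage access each OAuth scope allows (simplified levels).
STORAGE_LEVEL = {
    "cloud-platform": "full",
    "devstorage.full_control": "full",
    "devstorage.read_write": "write",
    "devstorage.read_only": "read",
}
RANK = {"none": 0, "read": 1, "write": 2, "full": 3}

# Constructed sample: the default scopes as described by the console tooltip.
DEFAULT_SCOPES = """\
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
"""
# Constructed sample: "Allow full access to all Cloud APIs".
FULL_ACCESS_SCOPES = "https://www.googleapis.com/auth/cloud-platform\n"


def fetch_scopes():
    """Read this VM's granted scopes from the metadata server (GCE only)."""
    req = urllib.request.Request(METADATA_URL,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def storage_level(scopes_text):
    """Return the highest storage level allowed by a newline-separated scope list."""
    best = "none"
    for url in scopes_text.split():
        name = url[len(SCOPE_PREFIX):] if url.startswith(SCOPE_PREFIX) else url
        level = STORAGE_LEVEL.get(name, "none")
        if RANK[level] > RANK[best]:
            best = level
    return best


def effective_storage_level(iam_level, scopes_text):
    """Both IAM and scopes must permit a call, so take the lesser of the two."""
    return min(iam_level, storage_level(scopes_text), key=RANK.__getitem__)
```

On a running instance, `storage_level(fetch_scopes())` shows the ceiling that VM was created with.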




David Haley | Sciencx (2024-07-20T02:58:50+00:00) Ensuring GCE instances have full access to GCP APIs. Retrieved from https://www.scien.cx/2024/07/20/ensuring-gce-instances-have-full-access-to-gcp-apis/
