This content originally appeared on DEV Community and was authored by David Haley
By default, GCE instances are fairly restricted in which Google APIs they can access, but it's not obvious that this is happening!
Check out the instance creation settings:
You might think that "allow default access" means "use normal permissions as already configured". But … no 😅 Hover over the "?" icon and see:
Default: read-only access to Storage and Service Management, write access to Stackdriver Logging and Monitoring, read/write access to Service Control.
In other words, creating a GCE instance with default settings means you can't write to storage even if the default service account has write permissions: the instance's access setting caps what the service account can do from that VM.
You have two options:
Go with full access according to permissions: "Allow full access to all Cloud APIs"
Customize each service: "Set access for each API"
I went with the former, as I'm ok relying on the service account permissions. It's nice to know a more secure environment could lock down the account to just what's needed for that particular case (vs everything the account can do).
🔐
After this change, I can create VMs that can read/write storage. Ahh 😌
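To confirm what a VM actually received, the scope list can be read from the instance metadata server and classified. This is an added example, not code from the original post; the function names are hypothetical and the sample scope list is constructed to match the tooltip text quoted above.

```shell
#!/bin/sh
# Classify the Cloud Storage access that an instance's access scopes allow.
# Input format: newline-separated scope URLs, as the metadata server returns.

METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"

# Only works on the VM itself; the server rejects requests without this header.
fetch_scopes() {
  curl -sf -H "Metadata-Flavor: Google" "$METADATA_URL"
}

# Constructed sample: the scopes described by the "default access" tooltip.
DEFAULT_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol"

# Prints "write", "read-only" or "none" for the scope list given as $1.
storage_access() {
  level=none
  while IFS= read -r scope; do
    case "${scope##*/auth/}" in
      cloud-platform|devstorage.full_control|devstorage.read_write)
        level=write
        break ;;
      devstorage.read_only|cloud-platform.read-only)
        level=read-only ;;
    esac
  done <<EOF
$1
EOF
  printf '%s\n' "$level"
}

# Offline demonstration on the constructed sample.
# On a VM, use instead: storage_access "$(fetch_scopes)"
storage_access "$DEFAULT_SCOPES"
```

A result of "write" only means the scopes no longer block writes; the service account's IAM roles still have to grant the operation.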
David Haley | Sciencx (2024-07-20T02:58:50+00:00) Ensuring GCE instances have full access to GCP APIs. Retrieved from https://www.scien.cx/2024/07/20/ensuring-gce-instances-have-full-access-to-gcp-apis/