GCP Compute VM Instances can be set to run as a service account with API scopes that allow specific operations to be performed. If you need to change the service account or the scopes, you will need to power down the VM instance, make the changes, and then start the VM instance up again.
Here is an example of updating a GCP VM instance to run as a service account with API scopes.
# list instances available in project
gcloud compute instances list

# set variables targeting VM instance to change
myvm=my-instance1
myzone=us-east1-b
project_id=$(gcloud config get project)

# service account that instance will be run as
new_sa="mysvcacct1@${project_id}.iam.gserviceaccount.com"

# scopes that instance will be granted (alias and full)
new_scopes="cloud-platform,monitoring,trace,https://www.googleapis.com/auth/logging.admin"

# show current service account and scopes
gcloud compute instances describe $myvm --zone $myzone --format="csv[no-heading](name,zone.basename(),status,serviceAccounts.email,serviceAccounts.scopes)"

# stop vm instance
gcloud compute instances stop $myvm --zone $myzone --quiet

# set service account and scopes
gcloud compute instances set-service-account $myvm --zone $myzone --service-account $new_sa --scopes "$new_scopes"

# verify change
gcloud compute instances describe $myvm --zone $myzone --format="csv[no-heading](name,zone.basename(),status,serviceAccounts.email,serviceAccounts.scopes)"

# start vm instance back up
gcloud compute instances start $myvm --zone $myzone
The scope values set in the example above should be sufficient for installing the Ops Agent monitoring/logging service, as described in the Ops Agent authorization guide and installation guide.
REFERENCES
google, service accounts for VM instances
gcloud, compute instances set-service-account
google, Ops Agent authorization guide
google, Ops Agent installation guide
Kannan Anandakrishnan, Perils of default Compute Engine account
NOTES
If you wanted to set the service account to the default Compute Engine account, you could look up its email with the command below. This is not recommended, because the default account typically has the basic "editor" role, which is too wide and offers too much privilege.
new_sa=$(gcloud iam service-accounts list --filter="displayName:'Compute Engine default service account'" --format='value(email)')
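As an added audit check (example code, not from the original post), the following script consumes the JSON that `gcloud compute instances list --format=json` prints and flags instances that run as the default Compute Engine service account discussed in the note above, or that carry the cloud-platform scope used in the main example. It also implements the "verify change" step from the procedure: it expands the aliases passed to --scopes into the full URLs that describe reports and lists any requested scope that is not present. The scope alias table is the documented gcloud mapping for the aliases used here; SAMPLE_INSTANCES is constructed, not real output.

```python
"""Audit Compute Engine instances for risky service-account and scope settings.

Added example, not code from the original post.  Input is the shape of
`gcloud compute instances list --format=json`: each instance carries a
`serviceAccounts` array with `email` and `scopes`.  SAMPLE_INSTANCES is
constructed sample data.
"""
import json
import re

# gcloud --scopes aliases mapped to the full OAuth scope URLs that `describe`
# reports back; only the aliases this post uses plus two common Ops Agent ones.
SCOPE_ALIASES = {
    "cloud-platform": "https://www.googleapis.com/auth/cloud-platform",
    "monitoring": "https://www.googleapis.com/auth/monitoring",
    "monitoring-write": "https://www.googleapis.com/auth/monitoring.write",
    "logging-write": "https://www.googleapis.com/auth/logging.write",
    "trace": "https://www.googleapis.com/auth/trace.append",
}
CLOUD_PLATFORM = SCOPE_ALIASES["cloud-platform"]

# The default Compute Engine service account is named
# <project-number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Same value as new_scopes in the post's gcloud example
NEW_SCOPES = "cloud-platform,monitoring,trace,https://www.googleapis.com/auth/logging.admin"


def expand_scopes(scope_csv):
    """Expand a comma-separated --scopes value into the set of full scope URLs."""
    items = (s.strip() for s in scope_csv.split(","))
    return {SCOPE_ALIASES.get(s, s) for s in items if s}


def missing_scopes(requested_csv, actual_scopes):
    """Scopes that were requested but are not reported on the instance."""
    return expand_scopes(requested_csv) - set(actual_scopes)


def audit_instance(inst):
    """Return a list of findings (strings) for one instance record."""
    findings = []
    for sa in inst.get("serviceAccounts", []):
        email = sa.get("email", "")
        scopes = set(sa.get("scopes", []))
        if DEFAULT_COMPUTE_SA.match(email):
            findings.append("runs as the default Compute Engine service account")
        if CLOUD_PLATFORM in scopes:
            # With cloud-platform there is no scope narrowing at all: the only
            # limit on what the VM can do is the IAM roles bound to the SA.
            findings.append("cloud-platform scope: access limited only by the SA's IAM roles")
    return findings


def audit(instances):
    """Map instance name -> findings, for instances that have any."""
    report = {}
    for inst in instances:
        findings = audit_instance(inst)
        if findings:
            report[inst["name"]] = findings
    return report


# Constructed sample in the shape of `gcloud compute instances list --format=json`
SAMPLE_JSON = json.dumps([
    {"name": "my-instance1", "status": "RUNNING",
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                                     "https://www.googleapis.com/auth/logging.write",
                                     "https://www.googleapis.com/auth/monitoring.write"]}]},
    {"name": "my-instance2", "status": "RUNNING",
     "serviceAccounts": [{"email": "mysvcacct1@my-project.iam.gserviceaccount.com",
                          "scopes": [CLOUD_PLATFORM,
                                     "https://www.googleapis.com/auth/monitoring",
                                     "https://www.googleapis.com/auth/trace.append",
                                     "https://www.googleapis.com/auth/logging.admin"]}]},
    {"name": "my-instance3", "status": "TERMINATED",
     "serviceAccounts": [{"email": "ops-agent@my-project.iam.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/logging.write",
                                     "https://www.googleapis.com/auth/monitoring.write"]}]},
])
SAMPLE_INSTANCES = json.loads(SAMPLE_JSON)


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSTANCES).items():
        print(name, "->", "; ".join(findings))
    sa = SAMPLE_INSTANCES[1]["serviceAccounts"][0]
    print("missing after change:", missing_scopes(NEW_SCOPES, sa["scopes"]) or "none")
```

Against real data, pipe `gcloud compute instances list --format=json` into `json.loads` and pass the result to `audit`. Note that the post's own example grants cloud-platform, so the audit flags it: once that scope is present, scopes no longer narrow anything and the IAM roles bound to mysvcacct1 are the effective limit on what the VM can do.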