GCP Compute VM Instances can be set to run as a service account with API scopes that allow specific operations to be performed. If you need to change the service account or the scopes, you will need to power down the VM instance, make the changes, and then start the VM instance up again.
Here is an example of updating a GCP VM instance to run as a service account with API scopes.
# list instances available in project
gcloud compute instances list
# set variables targeting VM instance to change
myvm=my-instance1
myzone=us-east1-b
project_id=$(gcloud config get project)
# service account that instance will be run as
new_sa="mysvcacct1@${project_id}.iam.gserviceaccount.com"
# scopes that instance will be granted (alias and full)
new_scopes="cloud-platform,monitoring,trace,https://www.googleapis.com/auth/logging.admin"
# show current service account and scopes
gcloud compute instances describe $myvm --zone $myzone --format="csv[no-heading](name,zone.basename(),status,serviceAccounts.email,serviceAccounts.scopes)"
# stop vm instance
gcloud compute instances stop $myvm --zone $myzone --quiet
# set service account and scopes
gcloud compute instances set-service-account $myvm --zone $myzone --service-account $new_sa --scopes "$new_scopes"
# verify change
gcloud compute instances describe $myvm --zone $myzone --format="csv[no-heading](name,zone.basename(),status,serviceAccounts.email,serviceAccounts.scopes)"
# start vm instance back up
gcloud compute instances start $myvm --zone $myzone
The example scope values set above should be sufficient for installing the Ops Agent monitoring/logging service, as described in the Ops Agent authorization guide and installation guide.
REFERENCES
google, service accounts for VM instances
gcloud, compute instances set-service-account
google, Ops Agent authorization guide
google, Ops Agent installation guide
Kannan Anandakrishnan, Perils of default Compute Engine account
NOTES
If you wanted to set the service account to the default Compute Engine account, its email can be looked up with the command below. This is not recommended, because the default account typically carries the basic "Editor" role, which is far too broad and grants too much privilege.
new_sa=$(gcloud iam service-accounts list --filter="displayName:'Compute Engine default service account'" --format='value(email)')
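As an added example (not part of the original post), a small audit that reads the CSV output of gcloud compute instances list and reports instances still running as the default Compute Engine service account, rating those that also carry the cloud-platform scope as high. The instance rows, project number and the assumption that gcloud joins repeated scopes with ';' are constructed here.

```shell
#!/bin/sh
# Audit instances for the risk this post's NOTES section warns about: running as
# the default Compute Engine service account (<project-number>-compute@developer...).
# Scopes only narrow an access token; with the Editor-bound default account, the
# cloud-platform scope exposes everything that role allows, so it is rated "high".
# Field layout assumed: name,zone,status,serviceAccountEmail,scopes (scopes joined by ';').
# Real rows would come from:
#   gcloud compute instances list \
#     --format="csv[no-heading](name,zone.basename(),status,serviceAccounts.email,serviceAccounts.scopes)"

# Constructed sample rows (hypothetical project number, project id and instance names).
SAMPLE_CSV='web-1,us-east1-b,RUNNING,123456789012-compute@developer.gserviceaccount.com,https://www.googleapis.com/auth/cloud-platform
batch-2,us-east1-b,TERMINATED,mysvcacct1@my-project.iam.gserviceaccount.com,https://www.googleapis.com/auth/monitoring.write;https://www.googleapis.com/auth/logging.write
ops-3,us-central1-a,RUNNING,mysvcacct1@my-project.iam.gserviceaccount.com,https://www.googleapis.com/auth/cloud-platform;https://www.googleapis.com/auth/trace.append
legacy-4,europe-west1-b,RUNNING,123456789012-compute@developer.gserviceaccount.com,https://www.googleapis.com/auth/devstorage.read_only'

# audit_instances: read CSV rows on stdin, print "name zone default-compute-sa <severity>"
# for every instance bound to the default Compute Engine service account.
audit_instances() {
  awk -F',' '
    NF >= 5 {
      name = $1; zone = $2; email = $4; scopes = $5
      if (email ~ /-compute@developer\.gserviceaccount\.com$/) {
        # cloud-platform alias expands to this URL and unlocks every API the IAM role permits
        sev = (index(scopes, "https://www.googleapis.com/auth/cloud-platform") > 0) ? "high" : "medium"
        print name, zone, "default-compute-sa", sev
      }
    }'
}

# count_findings: number of flagged instances in the embedded sample
count_findings() {
  printf '%s\n' "$SAMPLE_CSV" | audit_instances | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_CSV" | audit_instances
```

Instances on a dedicated, least-privileged account (batch-2, ops-3) are not reported even with broad scopes, matching the post's approach of fixing the account first.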