GCP Compute VM Instances can be set to run as a service account with API scopes that allow specific operations to be performed. If you need to change the service account or the scopes, you will need to power down the VM instance, make the changes, and then start the VM instance up again. Here … GCP: gcloud to change VM instance service account and API scope
If you are scripting a set of gcloud commands, there is a good chance that it is within a Bash script. While some Bash loops can be driven by a single variable, sometimes you need access to multiple variables within the loop. In this article I will show you can drive a Bash loop requiring … GCP: gcloud csv format with no-heading for Bash parsing
When GCP operations fail due to permissions issues, checking the IAM roles assigned to a user, group, or service account becomes a necessity. When hierarchical projects and organizations are involved it becomes even more complex. This article will show you how to use gcloud at the project and organization level to pull IAM policies for … GCP: listing IAM roles for user, group, and service account in project and organization
The Compute Engine default service account is automatically generated for your project with the Editor role, and by default is attached to all VM instances created in the project. You can pull the exact id using gcloud. gcloud iam service-accounts list –filter=”displayName:’Compute Engine default service account'” –format=’value(email)’ The syntax will be ${project_id}-compute@developer.gserviceaccount.com. If you want … GCP: VM instances running as the Compute Engine default service account
Although the GCP console provides a manual interface for creating service accounts and assigning roles, it can also be done via the gcloud CLI. Using gcloud, even the json key file for the service account can be generated, which is essential for automation. The full Bash script, create_serviceaccount.sh can be found on github. But here … GCP: Creating gcp service account with IAM roles using gcloud
If you are working in a gcp project where the VPC networks are homed within the project itself, then specifying a subnet in gcloud calls is simple, just use the name of the subnet (e.g. ‘default’). However, if you are working in a gcp project where the VPC networks are shared (not owned) with the … GCP: retrieving the full subnet qualification from a shared VPC network
If you need to bootstrap a GCP project’s infrastructure, one of the first things you will want is a service account. The creation of the service account, creating its key, and then assigning binding roles can all be done from the GCP console but for scripting purposes can also be done using the gcloud utility. … GCP: Using gcloud to create and configure a service account
Although the GCP console provides a nice interface for displaying which user/service account is in which IAM security role (IAM & Admin > IAM), it can be difficult to analyze using gcloud get-iam-policy because of the inner array of ‘members’ returned. However, if you use the flattening ability of gcloud, it becomes much easier to … GCP: Analyzing members of IAM role using gcloud filtering and jq