I cant understand why use of IAM is so hard to comprehend. For example I am trying to create a schedule for a VM instance. When I add instance to a schedule I got:

Compute Engine System service account [email protected]
needs to have [compute.instances.start,compute.instances.stop] permissions applied in order to perform this operation

I located the account in IAM but I dont know which role these things belong. Which role should I add to achieve this.

If I try gcloud I get error:

gcloud projects add-iam-policy-binding general-123456 \
    --member=user:[email protected] --role=roles/compute.instances.start

ERROR: (gcloud.projects.add-iam-policy-binding) User [xxxxxx] does not have permission to access projects instance [general-123456:getIamPolicy] (or it may not exist): The caller does not have permission

I am the owner of the account and all the projects.

What should I do about it?

Generally speaking whats the procedure to deal with GCP permissions when they expressed like someth.the.other.etc or someThingsNotRight - how to identify right role name?


To figure out the role, which has compute.instances.start and compute.instances.stop, you can go to the list of the roles and filter by these permissions (type one in the filter box)[1]. This will produce around a dozen different roles which have the required permission, but these default roles are going to be either very broad in regard to the number of permissions (Owner, Editor, Compute Admin) or designed for other tasks, not related to what you are trying to do (Cloud Dataflow Service Agent, Kubernetes Engine Service Agent).

In your case you could just create a new role (name it something like Instance Scheduler) [2] and assign just these two permissions, then bind the role to your service account.

[1] https://cloud.google.com/iam/docs/creating-custom-roles#getting_the_role_metadata
[2] https://cloud.google.com/iam/docs/creating-custom-roles#creating_a_custom_role