How do you modify the existing access scope of a Google Cloud Platform service account?
Solution 1:
I believe eventually you will be able to do this using IAM permissions. At the moment I do not see the options to add Cloud DNS roles in the IAM Console. In order to authorize requests to Cloud DNS you must use one of the scopes describe in this article.
i.e.
https://www.googleapis.com/auth/ndev.clouddns.readwrite
https://cloud.google.com/dns/api/authorization
If you are using the default service account, the scope has to be defined during the VM creation in the scope flag.
i.e.
gcloud compute --project "Myproject" instances create "instance-8" --zone "us-central1-f" --machine-type "n1-standard-1" --network "default" --maintenance-policy "MIGRATE" --scopes default="https://www.googleapis.com/auth/devstorage.full_control","https://www.googleapis.com/auth/ndev.clouddns.readwrite" --image "/debian-cloud/debian-8-jessie-v20161020" --boot-disk-size "10" --boot-disk-type "pd-standard" --boot-disk-device-name "instance-8"
If you associated the VM to a non-default service account during its creation, you can add Editor or Owner permissions to that account in the IAM Console. Nevertheless this might provide a wider scope that the one you are looking for.
Solution 2:
- In the Google Console, navigate to the "IAM & Admin" section
- On the left nav, click "IAM"
- Find your service account listed on the right.
- Click the dropdown in the "Role(s)" column, to select a role for the service account.
This page describes the IAM roles
Solution 3:
I was having trouble accessing the Storage API, so I realized the problem was with the scopes. After doing some research, I found where to change it.
You must edit the "scope" for the current "Service Account", it has been set on VM creation and the default is pretty restrictive:
- Go to Compute Engine / VM Instances
- Locate the your VM and select it (check box)
- Make sure it's Stopped (click on Stop otherwise)
- Click on it's name
- Click on "Edit"
- Scroll down until you find "Service Account"
- It should say "Default Scope", change to "Allow full access to all Cloud APIs"
That's it!