How do you modify the existing access scope of a Google Cloud Platform service account?

Solution 1:

I believe eventually you will be able to do this using IAM permissions. At the moment I do not see the options to add Cloud DNS roles in the IAM Console. In order to authorize requests to Cloud DNS you must use one of the scopes described in this article.

i.e.

https://www.googleapis.com/auth/ndev.clouddns.readwrite
https://cloud.google.com/dns/api/authorization

If you are using the default service account, the scope has to be defined during the VM creation in the scope flag.

i.e.

gcloud compute --project "Myproject" instances create "instance-8" --zone "us-central1-f" --machine-type "n1-standard-1" --network "default" --maintenance-policy "MIGRATE" --scopes default="https://www.googleapis.com/auth/devstorage.full_control","https://www.googleapis.com/auth/ndev.clouddns.readwrite" --image "/debian-cloud/debian-8-jessie-v20161020" --boot-disk-size "10" --boot-disk-type "pd-standard" --boot-disk-device-name "instance-8"

If you associated the VM with a non-default service account during its creation, you can add Editor or Owner permissions to that account in the IAM Console. Nevertheless, this might provide a wider scope than the one you are looking for.

Solution 2:

  1. In the Google Console, navigate to the "IAM & Admin" section
  2. On the left nav, click "IAM"
  3. Find your service account listed on the right.
  4. Click the dropdown in the "Role(s)" column, to select a role for the service account.

This page describes the IAM roles.

Solution 3:

I was having trouble accessing the Storage API, so I realized the problem was with the scopes. After doing some research, I found where to change it.

You must edit the "scope" for the current "Service Account"; it was set on VM creation and the default is pretty restrictive:

  1. Go to Compute Engine / VM Instances
  2. Locate your VM and select it (check box)
  3. Make sure it's Stopped (click on Stop otherwise)
  4. Click on its name
  5. Click on "Edit"
  6. Scroll down until you find "Service Account"
  7. It should say "Default Scope", change to "Allow full access to all Cloud APIs"

That's it!
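The same change from the command line, covering both Solution 1 (scopes are fixed when the VM is created) and Solution 3 (stop the VM, then edit the service account's scopes). This is an added example, not code from any of the answers; the instance and zone are placeholders, the sample scope lists are constructed, and the audit function flags the "Allow full access to all Cloud APIs" choice as broader than the single Cloud DNS scope the question needed.

```shell
#!/bin/sh
# Added example (not from the original answers): manage a Compute Engine VM's
# service-account scopes with the gcloud CLI, the equivalent of the console
# steps above. Instance/zone arguments are placeholders supplied by the caller.
set -eu

# Scope selected by "Allow full access to all Cloud APIs".
BROAD_SCOPE="https://www.googleapis.com/auth/cloud-platform"
# Narrow Cloud DNS scope named in Solution 1.
DNS_SCOPE="https://www.googleapis.com/auth/ndev.clouddns.readwrite"

# Print the scopes attached to a VM's service account, one per line.
# gcloud's value() format joins list items with ';'.
scopes_of_instance() { # <instance> <zone>
  gcloud compute instances describe "$1" --zone "$2" \
    --format='value(serviceAccounts[0].scopes)' | tr ';' '\n'
}

# Replace the scopes on an existing VM. It must be stopped first, exactly as
# in the console flow; a running VM's scopes cannot be changed in place.
set_instance_scopes() { # <instance> <zone> <comma-separated scopes>
  gcloud compute instances stop "$1" --zone "$2"
  gcloud compute instances set-service-account "$1" --zone "$2" --scopes "$3"
  gcloud compute instances start "$1" --zone "$2"
}

# Offline least-privilege check on a newline-separated scope list.
# Exit status: 0 = required scope present and nothing broader,
# 1 = required scope missing, 2 = platform-wide scope present.
audit_scopes() { # <scope list> <required scope>
  has_required=$(printf '%s\n' "$1" | grep -Fxc -- "$2" || true)
  has_broad=$(printf '%s\n' "$1" | grep -Fxc -- "$BROAD_SCOPE" || true)
  if [ "$has_broad" -gt 0 ]; then
    echo "over-broad: $BROAD_SCOPE covers every API, not just $2"; return 2
  elif [ "$has_required" -eq 0 ]; then
    echo "missing: $2"; return 1
  fi
  echo "ok: $2 present, no platform-wide scope"
}

# Constructed sample output, as scopes_of_instance would print for a VM created
# with Solution 1's --scopes value (Storage full_control plus Cloud DNS).
SAMPLE_DNS_VM='https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/ndev.clouddns.readwrite'
# Constructed sample for a VM switched to "Allow full access to all Cloud APIs".
SAMPLE_BROAD_VM="$BROAD_SCOPE"

# Usage (not run here): audit_scopes "$(scopes_of_instance my-vm us-central1-f)" "$DNS_SCOPE"
```

Run `set_instance_scopes my-vm us-central1-f "$DNS_SCOPE"` to grant only the Cloud DNS scope instead of the platform-wide one; the audit then returns 0 for that VM.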