terraform GCE service account stanza
I'm creating an instance on GCP and am running into some issues using the service account stanza. When I do this:
service_account {
email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
scopes =
}
The instance does provision with that service account but all of the Cloud API access scopes
show disabled
in the UI.
If I do this:
service_account {
email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
scopes = ["cloud-platform"]
}
the instance provisions with full access to all the APIs, but the weird thing is that the above service account doesn't have access to all of those API. I'm confused on how to use the service account stanza here as the documentation isn't very clear.
Can I just assign the service account or do I need to specify the service account and the scopes that it has?
google-cloud-platform google-compute-engine terraform
add a comment |
I'm creating an instance on GCP and am running into some issues using the service account stanza. When I do this:
service_account {
email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
scopes =
}
The instance does provision with that service account but all of the Cloud API access scopes
show disabled
in the UI.
If I do this:
service_account {
email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
scopes = ["cloud-platform"]
}
the instance provisions with full access to all the APIs, but the weird thing is that the above service account doesn't have access to all of those API. I'm confused on how to use the service account stanza here as the documentation isn't very clear.
Can I just assign the service account or do I need to specify the service account and the scopes that it has?
google-cloud-platform google-compute-engine terraform
add a comment |
I'm creating an instance on GCP and am running into some issues using the service account stanza. When I do this:
service_account {
email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
scopes =
}
The instance does provision with that service account but all of the Cloud API access scopes
show disabled
in the UI.
If I do this:
service_account {
email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
scopes = ["cloud-platform"]
}
the instance provisions with full access to all the APIs, but the weird thing is that the above service account doesn't have access to all of those API. I'm confused on how to use the service account stanza here as the documentation isn't very clear.
Can I just assign the service account or do I need to specify the service account and the scopes that it has?
google-cloud-platform google-compute-engine terraform
I'm creating an instance on GCP and am running into some issues using the service account stanza. When I do this:
service_account {
email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
scopes =
}
The instance does provision with that service account but all of the Cloud API access scopes
show disabled
in the UI.
If I do this:
service_account {
email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
scopes = ["cloud-platform"]
}
the instance provisions with full access to all the APIs, but the weird thing is that the above service account doesn't have access to all of those API. I'm confused on how to use the service account stanza here as the documentation isn't very clear.
Can I just assign the service account or do I need to specify the service account and the scopes that it has?
google-cloud-platform google-compute-engine terraform
google-cloud-platform google-compute-engine terraform
edited Nov 21 '18 at 17:21
Vít Kotačka
489520
489520
asked Nov 13 '18 at 23:30
lightweightlightweight
73343481
73343481
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
GCE offers two methods to limit the API access that an instance can provide, and you're getting caught up on the two. One is that a GCE instance has a scope which limits ANY API requests from that machine to those services. For example if your GCE instance does not allow GCS Write operations, regardless of the service account associated with the instance you can not perform GCS write operations.
You could SSH in, authenticate with the Project Owner account, and try to write to GCS and it would fail. This is done to allow an extra layer of security, and is primarily useful if you know that 'Instances in this instance group will only ever need GCS Read, and StackDriver API access'.
Now the service account that is associated with the instance is only used when a client library or gcloud command looks up the credentials in the 'application default' location. So if your application includes a service account json key, and reads from it, it doesn't matter the associated key.
So the service account you specify makes all applications default to performing API requests using that accounts credentials.
Also do keep in mind there are much more refined scopes than just 'cloud-platform'.
Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console
– lightweight
Nov 17 '18 at 0:45
Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.
– FridayPush
Nov 19 '18 at 18:08
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53291019%2fterraform-gce-service-account-stanza%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
GCE offers two methods to limit the API access that an instance can provide, and you're getting caught up on the two. One is that a GCE instance has a scope which limits ANY API requests from that machine to those services. For example if your GCE instance does not allow GCS Write operations, regardless of the service account associated with the instance you can not perform GCS write operations.
You could SSH in, authenticate with the Project Owner account, and try to write to GCS and it would fail. This is done to allow an extra layer of security, and is primarily useful if you know that 'Instances in this instance group will only ever need GCS Read, and StackDriver API access'.
Now the service account that is associated with the instance is only used when a client library or gcloud command looks up the credentials in the 'application default' location. So if your application includes a service account json key, and reads from it, it doesn't matter the associated key.
So the service account you specify makes all applications default to performing API requests using that accounts credentials.
Also do keep in mind there are much more refined scopes than just 'cloud-platform'.
Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console
– lightweight
Nov 17 '18 at 0:45
Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.
– FridayPush
Nov 19 '18 at 18:08
add a comment |
GCE offers two methods to limit the API access that an instance can provide, and you're getting caught up on the two. One is that a GCE instance has a scope which limits ANY API requests from that machine to those services. For example if your GCE instance does not allow GCS Write operations, regardless of the service account associated with the instance you can not perform GCS write operations.
You could SSH in, authenticate with the Project Owner account, and try to write to GCS and it would fail. This is done to allow an extra layer of security, and is primarily useful if you know that 'Instances in this instance group will only ever need GCS Read, and StackDriver API access'.
Now the service account that is associated with the instance is only used when a client library or gcloud command looks up the credentials in the 'application default' location. So if your application includes a service account json key, and reads from it, it doesn't matter the associated key.
So the service account you specify makes all applications default to performing API requests using that accounts credentials.
Also do keep in mind there are much more refined scopes than just 'cloud-platform'.
Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console
– lightweight
Nov 17 '18 at 0:45
Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.
– FridayPush
Nov 19 '18 at 18:08
add a comment |
GCE offers two methods to limit the API access that an instance can provide, and you're getting caught up on the two. One is that a GCE instance has a scope which limits ANY API requests from that machine to those services. For example if your GCE instance does not allow GCS Write operations, regardless of the service account associated with the instance you can not perform GCS write operations.
You could SSH in, authenticate with the Project Owner account, and try to write to GCS and it would fail. This is done to allow an extra layer of security, and is primarily useful if you know that 'Instances in this instance group will only ever need GCS Read, and StackDriver API access'.
Now the service account that is associated with the instance is only used when a client library or gcloud command looks up the credentials in the 'application default' location. So if your application includes a service account json key, and reads from it, it doesn't matter the associated key.
So the service account you specify makes all applications default to performing API requests using that accounts credentials.
Also do keep in mind there are much more refined scopes than just 'cloud-platform'.
GCE offers two methods to limit the API access that an instance can provide, and you're getting caught up on the two. One is that a GCE instance has a scope which limits ANY API requests from that machine to those services. For example if your GCE instance does not allow GCS Write operations, regardless of the service account associated with the instance you can not perform GCS write operations.
You could SSH in, authenticate with the Project Owner account, and try to write to GCS and it would fail. This is done to allow an extra layer of security, and is primarily useful if you know that 'Instances in this instance group will only ever need GCS Read, and StackDriver API access'.
Now the service account that is associated with the instance is only used when a client library or gcloud command looks up the credentials in the 'application default' location. So if your application includes a service account json key, and reads from it, it doesn't matter the associated key.
So the service account you specify makes all applications default to performing API requests using that accounts credentials.
Also do keep in mind there are much more refined scopes than just 'cloud-platform'.
answered Nov 17 '18 at 0:08
FridayPushFridayPush
61717
61717
Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console
– lightweight
Nov 17 '18 at 0:45
Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.
– FridayPush
Nov 19 '18 at 18:08
add a comment |
Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console
– lightweight
Nov 17 '18 at 0:45
Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.
– FridayPush
Nov 19 '18 at 18:08
Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console
– lightweight
Nov 17 '18 at 0:45
Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console
– lightweight
Nov 17 '18 at 0:45
Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.
– FridayPush
Nov 19 '18 at 18:08
Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.
– FridayPush
Nov 19 '18 at 18:08
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53291019%2fterraform-gce-service-account-stanza%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown