terraform GCE service account stanza












2















I'm creating an instance on GCP and am running into some issues using the service account stanza. When I do this:



service_account {
email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
scopes =
}


The instance does provision with that service account but all of the Cloud API access scopes show disabled in the UI.



If I do this:



service_account {
email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
scopes = ["cloud-platform"]
}


the instance provisions with full access to all the APIs, but the weird thing is that the above service account doesn't have access to all of those API. I'm confused on how to use the service account stanza here as the documentation isn't very clear.



Can I just assign the service account or do I need to specify the service account and the scopes that it has?










share|improve this question





























    2















    I'm creating an instance on GCP and am running into some issues using the service account stanza. When I do this:



    service_account {
    email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
    scopes =
    }


    The instance does provision with that service account but all of the Cloud API access scopes show disabled in the UI.



    If I do this:



    service_account {
    email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
    scopes = ["cloud-platform"]
    }


    the instance provisions with full access to all the APIs, but the weird thing is that the above service account doesn't have access to all of those API. I'm confused on how to use the service account stanza here as the documentation isn't very clear.



    Can I just assign the service account or do I need to specify the service account and the scopes that it has?










    share|improve this question



























      2












      2








      2








      I'm creating an instance on GCP and am running into some issues using the service account stanza. When I do this:



      service_account {
      email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
      scopes =
      }


      The instance does provision with that service account but all of the Cloud API access scopes show disabled in the UI.



      If I do this:



      service_account {
      email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
      scopes = ["cloud-platform"]
      }


      the instance provisions with full access to all the APIs, but the weird thing is that the above service account doesn't have access to all of those API. I'm confused on how to use the service account stanza here as the documentation isn't very clear.



      Can I just assign the service account or do I need to specify the service account and the scopes that it has?










      share|improve this question
















      I'm creating an instance on GCP and am running into some issues using the service account stanza. When I do this:



      service_account {
      email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
      scopes =
      }


      The instance does provision with that service account but all of the Cloud API access scopes show disabled in the UI.



      If I do this:



      service_account {
      email = "terraformdeploy-dev@projectxxx.org.com.iam.gserviceaccount.com"
      scopes = ["cloud-platform"]
      }


      the instance provisions with full access to all the APIs, but the weird thing is that the above service account doesn't have access to all of those API. I'm confused on how to use the service account stanza here as the documentation isn't very clear.



      Can I just assign the service account or do I need to specify the service account and the scopes that it has?







      google-cloud-platform google-compute-engine terraform






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 21 '18 at 17:21









      Vít Kotačka

      489520




      489520










      asked Nov 13 '18 at 23:30









      lightweightlightweight

      73343481




      73343481
























          1 Answer
          1






          active

          oldest

          votes


















          0














          GCE offers two methods to limit the API access that an instance can provide, and you're getting caught up on the two. One is that a GCE instance has a scope which limits ANY API requests from that machine to those services. For example if your GCE instance does not allow GCS Write operations, regardless of the service account associated with the instance you can not perform GCS write operations.



          You could SSH in, authenticate with the Project Owner account, and try to write to GCS and it would fail. This is done to allow an extra layer of security, and is primarily useful if you know that 'Instances in this instance group will only ever need GCS Read, and StackDriver API access'.



          Now the service account that is associated with the instance is only used when a client library or gcloud command looks up the credentials in the 'application default' location. So if your application includes a service account json key, and reads from it, it doesn't matter the associated key.



          So the service account you specify makes all applications default to performing API requests using that accounts credentials.



          Also do keep in mind there are much more refined scopes than just 'cloud-platform'.






          share|improve this answer
























          • Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console

            – lightweight
            Nov 17 '18 at 0:45











          • Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.

            – FridayPush
            Nov 19 '18 at 18:08











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53291019%2fterraform-gce-service-account-stanza%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          GCE offers two methods to limit the API access that an instance can provide, and you're getting caught up on the two. One is that a GCE instance has a scope which limits ANY API requests from that machine to those services. For example if your GCE instance does not allow GCS Write operations, regardless of the service account associated with the instance you can not perform GCS write operations.



          You could SSH in, authenticate with the Project Owner account, and try to write to GCS and it would fail. This is done to allow an extra layer of security, and is primarily useful if you know that 'Instances in this instance group will only ever need GCS Read, and StackDriver API access'.



          Now the service account that is associated with the instance is only used when a client library or gcloud command looks up the credentials in the 'application default' location. So if your application includes a service account json key, and reads from it, it doesn't matter the associated key.



          So the service account you specify makes all applications default to performing API requests using that accounts credentials.



          Also do keep in mind there are much more refined scopes than just 'cloud-platform'.






          share|improve this answer
























          • Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console

            – lightweight
            Nov 17 '18 at 0:45











          • Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.

            – FridayPush
            Nov 19 '18 at 18:08
















          0














          GCE offers two methods to limit the API access that an instance can provide, and you're getting caught up on the two. One is that a GCE instance has a scope which limits ANY API requests from that machine to those services. For example if your GCE instance does not allow GCS Write operations, regardless of the service account associated with the instance you can not perform GCS write operations.



          You could SSH in, authenticate with the Project Owner account, and try to write to GCS and it would fail. This is done to allow an extra layer of security, and is primarily useful if you know that 'Instances in this instance group will only ever need GCS Read, and StackDriver API access'.



          Now the service account that is associated with the instance is only used when a client library or gcloud command looks up the credentials in the 'application default' location. So if your application includes a service account json key, and reads from it, it doesn't matter the associated key.



          So the service account you specify makes all applications default to performing API requests using that accounts credentials.



          Also do keep in mind there are much more refined scopes than just 'cloud-platform'.






          share|improve this answer
























          • Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console

            – lightweight
            Nov 17 '18 at 0:45











          • Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.

            – FridayPush
            Nov 19 '18 at 18:08














          0












          0








          0







          GCE offers two methods to limit the API access that an instance can provide, and you're getting caught up on the two. One is that a GCE instance has a scope which limits ANY API requests from that machine to those services. For example if your GCE instance does not allow GCS Write operations, regardless of the service account associated with the instance you can not perform GCS write operations.



          You could SSH in, authenticate with the Project Owner account, and try to write to GCS and it would fail. This is done to allow an extra layer of security, and is primarily useful if you know that 'Instances in this instance group will only ever need GCS Read, and StackDriver API access'.



          Now the service account that is associated with the instance is only used when a client library or gcloud command looks up the credentials in the 'application default' location. So if your application includes a service account json key, and reads from it, it doesn't matter the associated key.



          So the service account you specify makes all applications default to performing API requests using that accounts credentials.



          Also do keep in mind there are much more refined scopes than just 'cloud-platform'.






          share|improve this answer













          GCE offers two methods to limit the API access that an instance can provide, and you're getting caught up on the two. One is that a GCE instance has a scope which limits ANY API requests from that machine to those services. For example if your GCE instance does not allow GCS Write operations, regardless of the service account associated with the instance you can not perform GCS write operations.



          You could SSH in, authenticate with the Project Owner account, and try to write to GCS and it would fail. This is done to allow an extra layer of security, and is primarily useful if you know that 'Instances in this instance group will only ever need GCS Read, and StackDriver API access'.



          Now the service account that is associated with the instance is only used when a client library or gcloud command looks up the credentials in the 'application default' location. So if your application includes a service account json key, and reads from it, it doesn't matter the associated key.



          So the service account you specify makes all applications default to performing API requests using that accounts credentials.



          Also do keep in mind there are much more refined scopes than just 'cloud-platform'.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 17 '18 at 0:08









          FridayPushFridayPush

          61717




          61717













          • Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console

            – lightweight
            Nov 17 '18 at 0:45











          • Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.

            – FridayPush
            Nov 19 '18 at 18:08



















          • Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console

            – lightweight
            Nov 17 '18 at 0:45











          • Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.

            – FridayPush
            Nov 19 '18 at 18:08

















          Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console

          – lightweight
          Nov 17 '18 at 0:45





          Yep...I'm able to do that quite well but the issue is...i can't seem to do right correctly with Terraform...if I just put in the SA in terraform...it doesn't seem to attach it to the GCE instance...but I can do this manually by creating an instance via the console

          – lightweight
          Nov 17 '18 at 0:45













          Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.

          – FridayPush
          Nov 19 '18 at 18:08





          Creating an instance with a service account.email defined, and scopes left empty "", created an instance successfully and has all APIs disabled as expected with zero scopes. Creating an instance with the service account email, and related scopes has the desired APIs enabled. Your question, "Can I just assign the service account or do I need to specify the service account and the scopes that it has?" You must associate the scopes you intend for that instance to use. The instance will prevent all API calls to google services if you do not specify a scope regardless of the SA attached.

          – FridayPush
          Nov 19 '18 at 18:08


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53291019%2fterraform-gce-service-account-stanza%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Florida Star v. B. J. F.

          Danny Elfman

          Lugert, Oklahoma