The default settings for a new GCE instance are fairly locked down when it comes to calling Google APIs, but it's not obvious that's happening!
Check out the instance creation settings:
You might think that "allow default access" means "use normal permissions as already configured". But … no 😅 Hover over the "?" icon and see:
Default: read-only access to Storage and Service Management, write access to Stackdriver Logging and Monitoring, read/write access to Service Control.
In other words, creating a GCE instance with the default settings means workloads on it can't write to Cloud Storage even if the default service account's IAM roles grant write permission: the instance's access scopes and the service account's roles are both applied, so the effective access is only what both allow.
You have two options:
Go with full access according to permissions: Allow full access to all Cloud APIs
Customize each service: Set access for each API
I went with the former, as I'm ok relying on the service account permissions. It's nice to know a more secure environment could lock down the account to just what's needed for that particular case (vs everything the account can do).
🔐
After this change, I can create VMs that can read/write storage. Ahh 😌
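The two options above, plus the check I would run to confirm which scopes a VM actually ended up with, as an added example that is not part of the original post. It assumes the gcloud CLI is installed and authenticated; the instance and zone names passed to the create functions are placeholders, and the scope list embedded in the script is a constructed copy of what the metadata server returns for a default-access instance.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes gcloud is installed and
# authenticated; instance and zone arguments are placeholders.

# Constructed sample: the scopes an instance created with "Allow default
# access" reports. Note that Storage is read_only, which is why writes fail
# even when the service account's IAM roles would permit them.
DEFAULT_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.append'

# Return 0 if a newline-separated scope list permits writing to Cloud Storage.
# Effective access is what both the instance scopes and the service account's
# IAM roles allow, so a missing write scope blocks writes regardless of IAM.
storage_write_allowed() {
    printf '%s\n' "$1" | grep -qE \
        'auth/(cloud-platform|devstorage\.(read_write|full_control))$'
}

# Print the scopes a running instance really has. Run this from inside the
# VM; the metadata server is the same source the Google client libraries use.
scopes_from_metadata() {
    curl -s -H 'Metadata-Flavor: Google' \
        'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# Option 1 from the post: "Allow full access to all Cloud APIs", relying on
# the service account's IAM roles to bound what the VM can do.
create_full_access_vm() {
    gcloud compute instances create "$1" --zone="$2" \
        --scopes=https://www.googleapis.com/auth/cloud-platform
}

# Option 2: "Set access for each API". Grants Storage read/write plus the
# default logging and monitoring scopes and nothing else (gcloud aliases).
create_storage_rw_vm() {
    gcloud compute instances create "$1" --zone="$2" \
        --scopes=storage-rw,logging-write,monitoring-write
}

# Offline demonstration against the constructed default scope list.
if storage_write_allowed "$DEFAULT_SCOPES"; then
    echo "default scopes allow Storage writes"
else
    echo "default scopes are read-only for Storage: choose full access or storage-rw"
fi
```

To diagnose an existing VM rather than a sample, pipe the live list into the check: `storage_write_allowed "$(scopes_from_metadata)"`. The second create function is the tighter of the two: it lets the instance write to Storage without also exposing every other API the service account's roles cover.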