DEV Community

David Haley
David Haley

Posted on

Ensuring GCE instances have full access to GCP APIs

The default settings for GCE instances are fairly locked down from accessing Google APIs, but it's not obvious that's happening!

Check out the instance creation settings:

Screenshot of the Identity and API access settings

You might think that "allow default access" means "use normal permissions as already configured". But … no 😅 Hover over the "?" icon and see:

Default: read-only access to Storage and Service Management, write access to Stackdriver Logging and Monitoring, read/write access to Service Control.

In other words, creating a GCE instance with default settings means you can't write to storage even if the default service account has write permissions.

You have two options:

  • Go with full access according to permissions: Allow full access to all Cloud APIs

  • Customize each service: Set access for each API

I went with the former, as I'm ok relying on the service account permissions. It's nice to know a more secure environment could lock down the account to just what's needed for that particular case (vs everything the account can do).

🔐

After this change, I can create VMs that can read/write storage. Ahh 😌

Top comments (0)