I've got a node.js application trying to create an Instance Group Manager. It's running on an instance with a service account attached to the instance with scopes compute-rw and cloud-platform. This service account has a role with the following permissions:
includedPermissions:
- compute.autoscalers.create
- compute.autoscalers.get
- compute.disks.create
- compute.images.get
- compute.images.useReadOnly
- compute.instanceGroupManagers.create
- compute.instanceGroupManagers.get
- compute.instanceGroupManagers.use
- compute.instanceTemplates.create
- compute.instanceTemplates.get
- compute.instanceTemplates.useReadOnly
- compute.instances.create
- compute.instances.setMetadata
- compute.instances.setTags
- compute.networks.get
- compute.subnetworks.get
- compute.subnetworks.use
Looking at the audit log for resource.type="gce_instance_group_manager", I can see in the first log entry:
ProtoPayload.authorizationInfo:
- granted: true
  permission: compute.instanceGroupManagers.create
  resourceAttributes:
    name: projects/my-project/zones/us-east1-b/instanceGroupManagers/resource-name
    service: compute
    type: compute.instanceGroupManagers
- granted: true
  permission: compute.instanceTemplates.useReadOnly
  resourceAttributes:
    name: projects/my-project/global/instanceTemplates/resource-name
    service: compute
    type: compute.instanceTemplates
- granted: true
  permission: compute.instances.create
  resourceAttributes:
    name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
    service: compute
    type: compute.instances
- granted: true
  permission: compute.disks.create
  resourceAttributes:
    name: projects/my-project/zones/us-east1-b/disks/resource-name-0000
    service: compute
    type: compute.disks
- granted: true
  permission: compute.images.useReadOnly
  resourceAttributes:
    name: projects/my-project/global/images/resource-name-image
    service: compute
    type: compute.images
- granted: true
  permission: compute.subnetworks.use
  resourceAttributes:
    name: projects/my-project/regions/us-east1/subnetworks/resource-name-subnet
    service: compute
    type: compute.subnetworks
- granted: true
  permission: compute.instances.setMetadata
  resourceAttributes:
    name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
    service: compute
    type: compute.instances
- granted: true
  permission: compute.instances.setTags
  resourceAttributes:
    name: projects/my-project/zones/us-east1-b/instances/resource-name-0000
    service: compute
    type: compute.instances
I get 200 OK back with status: "PENDING" in the body.
Only when looking through the audit logs do I see a log entry with status.message: INVALID_PARAMETER with no explanation, and then another log entry with:
jsonPayload.error:
- code: SERVICE_ACCOUNT_ACCESS_DENIED
  detail_message: ''
  location: ''
When attaching the Editor role to the service account, I can create the Instance Group Manager, so there seem to be some permissions missing. The logs show no permissions that were not granted, so what could be missing?
Turns out that the instance template attached service accounts to the instances. Because of that, the iam.serviceAccountUser role is required for the service account used by the instance that creates the Instance Group Manager.
In my case the service accounts are not needed, so I removed them from the instance template, and the permissions above work.
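The denial in the answer above is the one the Compute audit log does not surface under authorizationInfo: attaching a service account to an instance means the caller must be allowed to act as that service account, which is what roles/iam.serviceAccountUser grants (the iam.serviceAccounts.actAs permission). The following Node.js preflight check is an added example, not the asker's code or Google's client library. It reads the serviceAccounts list out of an instance template, checks each account's IAM policy for an actAs-granting binding for the caller, and prints the gcloud command that adds the missing binding. The template, the IAM policy, and the project and account names are constructed samples; the check only inspects the account-level policy and does not see grants inherited from the project, which is a deliberate simplification.

```javascript
// Preflight check for the SERVICE_ACCOUNT_ACCESS_DENIED failure discussed above.
// Added example; not the asker's code. All names below are hypothetical.

// Constructed sample: the relevant part of an instance template as returned by
// instanceTemplates.get. It attaches one service account to every instance.
const sampleTemplate = {
  name: 'resource-name',
  properties: {
    serviceAccounts: [
      {
        email: 'app-sa@my-project.iam.gserviceaccount.com',
        scopes: ['https://www.googleapis.com/auth/cloud-platform'],
      },
    ],
  },
};

// Constructed sample: the IAM policy of that service account as returned by
// serviceAccounts.getIamPolicy. The caller below is not in it.
const sampleSaPolicy = {
  bindings: [
    {
      role: 'roles/iam.serviceAccountTokenCreator',
      members: ['user:ops@example.com'],
    },
  ],
};

// Hypothetical caller: the service account attached to the instance that runs
// the Node.js app and creates the Instance Group Manager.
const CALLER = 'serviceAccount:deployer@my-project.iam.gserviceaccount.com';

// Roles that carry iam.serviceAccounts.actAs on a service account.
// roles/editor is listed because, as the asker observed, Editor makes the call succeed.
const ACT_AS_ROLES = new Set([
  'roles/iam.serviceAccountUser',
  'roles/editor',
  'roles/owner',
]);

// Service accounts the template will attach to each instance the IGM creates.
function templateServiceAccounts(template) {
  const sas = (template.properties && template.properties.serviceAccounts) || [];
  return sas.map((sa) => sa.email).filter(Boolean);
}

// True if `member` holds an actAs-granting role in this account-level policy.
// Simplification: bindings inherited from the project or folder are not visible here.
function hasActAs(policy, member) {
  return (policy.bindings || []).some(
    (b) => ACT_AS_ROLES.has(b.role) && (b.members || []).includes(member),
  );
}

// Service accounts in the template on which `member` still lacks actAs,
// given a map of email -> IAM policy. An empty list means the IGM create
// will not fail for this reason.
function missingActAs(template, member, policyByEmail) {
  return templateServiceAccounts(template).filter(
    (email) => !hasActAs(policyByEmail[email] || { bindings: [] }, member),
  );
}

// The least-privilege fix: bind the role on the individual service account
// rather than granting roles/iam.serviceAccountUser project-wide.
function fixCommand(email, member) {
  return (
    `gcloud iam service-accounts add-iam-policy-binding ${email} ` +
    `--member="${member}" --role="roles/iam.serviceAccountUser"`
  );
}

function main() {
  const policies = { 'app-sa@my-project.iam.gserviceaccount.com': sampleSaPolicy };
  const missing = missingActAs(sampleTemplate, CALLER, policies);
  if (missing.length === 0) {
    console.log('caller can act as every service account in the template');
  }
  for (const email of missing) {
    console.log(`missing actAs on ${email}; run:`);
    console.log(fixCommand(email, CALLER));
  }
}

main();
```

Run it before the instanceGroupManagers.insert call (or as a one-off check with the real template and policy fetched through the Compute and IAM APIs); a non-empty result explains the INVALID_PARAMETER / SERVICE_ACCOUNT_ACCESS_DENIED pair before the operation ever returns PENDING. If the template's service account is not needed at all, dropping it from the template, as the answer does, removes the requirement entirely.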