1
votes

I'm trying to deploy from a GCE instance using appcfg.py update . --authenticate_service_account. No matter how I configure permissions, I always seem to get

RuntimeError: Required scopes ['https://www.googleapis.com/auth/appengine.admin', 'https://www.googleapis.com/auth/userinfo.email'] missing from ['https://www.googleapis.com/auth/cloud-platform']. This VM instance probably needs to be recreated with the missing scopes.

I've tried with

  1. Instance with "Compute Engine default service account" with "Allow full access to all Cloud APIs" ticked
  2. Instance with a custom service account with role "App Engine Deployer"
  3. Instance with a custom service account with role "App Engine Admin"

How can I create a GCE instance with the necessary scopes?

1
Okay, just found some documentation on the relationship between scopes and roles. Problem is, you can't specify scopes for an instance when it's assigned to a service account, and you can't specify scopes for a service account at all. This is at least the case in the GUI. I'm gonna see if gcloud makes more sense. - brandones

1 Answer

1
votes

Scopes are deprecated in favor of Roles, but the transition is still incomplete. It seems impossible in the GUI to assign both scopes and roles for an instance, which is still necessary for some functionality.

The workaround is to use the gcloud command. It supports scopes but not roles.

I created my instance for managing deployments with

gcloud compute instances create deployer --zone us-east1-c --scopes bigquery,cloud-platform,datastore,logging-write,storage-full,taskqueue,useraccounts-ro,userinfo-email,monitoring-write,service-management,https://www.googleapis.com/auth/source.full_control,https://www.googleapis.com/auth/appengine.admin
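
A pre-flight check for the scope mismatch shown in the question's error, as an added example that is not part of the original answer or of appcfg.py. The function names and sample variables are hypothetical, and only the two `--scopes` aliases needed for the check are expanded.

```shell
#!/bin/sh
# Scopes appcfg.py demanded in the error message quoted in the question.
REQUIRED="https://www.googleapis.com/auth/appengine.admin
https://www.googleapis.com/auth/userinfo.email"

# Expand the gcloud --scopes aliases relevant to this check; any other
# value (alias or full URL) is passed through unchanged.
expand_scope() {
  case "$1" in
    cloud-platform) echo "https://www.googleapis.com/auth/cloud-platform" ;;
    userinfo-email) echo "https://www.googleapis.com/auth/userinfo.email" ;;
    *) echo "$1" ;;
  esac
}

# missing_scopes GRANTED
# GRANTED is a comma-, space- or newline-separated scope list.
# Prints every required scope that is not literally present. The match is
# exact because, per the error above, cloud-platform alone was rejected.
missing_scopes() {
  granted=$(for s in $(printf '%s' "$1" | tr ',' ' '); do expand_scope "$s"; done)
  for need in $REQUIRED; do
    printf '%s\n' "$granted" | grep -qxF "$need" || printf '%s\n' "$need"
  done
}

# On a running instance, the granted list can be read from the metadata server:
#   curl -s -H 'Metadata-Flavor: Google' \
#     'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'

# Constructed sample 1: the scope list reported in the question's error.
FULL_ACCESS="https://www.googleapis.com/auth/cloud-platform"
# Constructed sample 2: the --scopes value from the answer's gcloud command.
ANSWER_SCOPES="bigquery,cloud-platform,datastore,logging-write,storage-full,taskqueue,useraccounts-ro,userinfo-email,monitoring-write,service-management,https://www.googleapis.com/auth/source.full_control,https://www.googleapis.com/auth/appengine.admin"

echo "Missing with the question's instance:"
missing_scopes "$FULL_ACCESS"
echo "Missing with the answer's --scopes list:"
missing_scopes "$ANSWER_SCOPES"
```
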