1
votes

I am trying to add an extra Service Account to a GCE instance (Google Cloud VM), so that the tools running there can switch between the default Service Account assigned to the VM by GCloud and another one that belongs to a different project. It is clear from the documentation how I can assign scopes to the default account (available in VM settings when it's powered off). But I cannot understand how I can set the scopes for the Service Account added manually:

gcloud auth activate-service-account --key-file=myaccount.json

Now the account appears in gcloud auth list, but it is unclear which scopes are assigned to it. Another way is to use gcloud auth application-default login, which has a --scopes parameter, but I understand it is not possible to use with service accounts.

Google Cloud documentation tells me to

create a service account with the appropriate scopes using the Google Cloud Platform Console

but I can't find any option to add Scopes to a Service Account, only Roles, which is possible via IAM. Does anyone know how I can assign scopes to my custom Service Account?

3
Are you trying to change the service account assigned to a Compute Engine instance when launched OR are you trying to use a custom service account in your software after the VM instance has launched? Scopes are assigned to the default service account assigned to Compute Engine instance. For custom service accounts, you use Roles. – John Hanley

3 Answers

1
votes

You can use command like:

gcloud compute instances set-service-account <instance name> --service-account <service account> --scopes <comma separated scopes here, alias or full URI>

Command documentation here specifies the aliases as well as the full URIs available.

You can also use command like:

gcloud alpha compute instances set-scopes <instance name> --scopes <comma separated scopes, alias or full URI>

Documentation here

Scopes can be applied to the default service account & VM instances. Other service accounts (not default) are treated like user accounts, & so they do not use scopes like the default service account does. Non-default service accounts use IAM permissions like a user account does, so you will not be able to edit scopes, only IAM roles like a user account. If you are to use scopes in combination with a user account, both the machine & user account will need access to the API object in order to access it. More on the combination of scopes & service accounts here.

0
votes

I think that you can add the scopes by going through the admin console. On the Security page, click Advanced settings. You might need to click Show more to see Advanced settings. In the Authentication section, click Manage API client access. In the Client Name field, enter your service account's Client ID. Note: For details on how to create the Client ID, see Create a service account.

In the One or More API scopes box, copy and paste the required scopes.

Click Authorize. Next to the client ID name you entered, make sure all of the scopes appear with a description. If they don't, in the One or More API Scopes box, enter the scope again correctly and click Authorize. When all of the scopes are entered correctly, go back to the Google Developers Console and click Save.

0
votes

If you have access to the service account credentials in your application, you can also provide additional scopes programmatically like so:

// Request only the scopes the workload needs; createScoped returns a new credential object.
Set<String> scopes = Collections.singleton("https://www.googleapis.com/auth/cloud-platform");
// 'credentials' is the credential loaded from the key file (e.g. via GoogleCredentials.fromStream).
GoogleCredentials googleCredentials = ((ServiceAccountCredentials) credentials).createScoped(scopes);

You can then fetch the access_token in the following way,

private AccessToken getAccessToken(GoogleCredentials googleCredentials) throws IOException {
    // A newly created credential holds no token until refresh() fetches one;
    // refreshIfExpired() would additionally handle a cached token that has since expired.
    if (googleCredentials.getAccessToken() == null) {
        googleCredentials.refresh();
    }
    return googleCredentials.getAccessToken();
}
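Putting the third answer's two snippets together, as an added example that is not part of any post here: load the same key file the question activated with gcloud, request a token limited to two scopes, and then ask Google's tokeninfo endpoint which scopes the issued token really carries, which answers the question's "it is unclear which scopes are assigned" point for a non-default service account. The file name and scope list are assumptions; the code needs google-auth-library-oauth2-http and Java 9 or later.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

public class ScopedServiceAccountToken {
    // Assumed path of the key file the question activates with gcloud (placeholder).
    private static final String KEY_FILE = "myaccount.json";
    // For a non-default service account, scopes are chosen here, by the client,
    // when the token is requested; the IAM roles on the account still cap access.
    private static final List<String> SCOPES = Arrays.asList(
            "https://www.googleapis.com/auth/devstorage.read_only",
            "https://www.googleapis.com/auth/compute.readonly");
    /** Loads the key file and returns credentials that will request only SCOPES. */
    static GoogleCredentials loadScopedCredentials(String keyFile) throws IOException {
        try (InputStream in = new FileInputStream(keyFile)) {
            // createScoped returns a new credential; the original stays unscoped.
            return ServiceAccountCredentials.fromStream(in).createScoped(SCOPES);
        }
    }
    /** Returns a usable token, fetching or refreshing only when needed. */
    static AccessToken freshToken(GoogleCredentials credentials) throws IOException {
        credentials.refreshIfExpired(); // covers "no token yet" and "token expired"
        return credentials.getAccessToken();
    }
    /** Asks Google's tokeninfo endpoint which scopes the issued token carries. */
    static String tokenInfo(AccessToken token) throws IOException {
        String url = "https://oauth2.googleapis.com/tokeninfo?access_token="
                + URLEncoder.encode(token.getTokenValue(), StandardCharsets.UTF_8.name());
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        try (InputStream body = conn.getInputStream()) {
            return new String(body.readAllBytes(), StandardCharsets.UTF_8);
        }
    }
    public static void main(String[] args) throws IOException {
        AccessToken token = freshToken(loadScopedCredentials(KEY_FILE));
        System.out.println("expires: " + token.getExpirationTime());
        System.out.println(tokenInfo(token)); // JSON whose "scope" field lists the granted scopes
    }
}
```

If the "scope" field in the response is narrower than SCOPES, the account's key or project settings rejected part of the request; if an API call still fails with the scope present, the missing piece is an IAM role, not a scope.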