From the GCP documentation:
Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access. For example, if a service account has been granted the Compute Admin role (roles/compute.admin), a user that has been granted the Service Account Users role (roles/iam.serviceAccountUser) on that service account can act as the service account to start a Compute Engine instance. In this flow, the user impersonates the service account to perform any tasks using its granted roles and permissions.
So I would like to try this feature:

- Create a project.
- Add [email protected] to the project and grant the Viewer role.
- Open a new browser, log in to the GCP console as testuser, and confirm that the user can only view instances and cannot create an instance.
- Add a service account, [email protected], and grant it the Compute Admin role, so this service account can create instances.
- Grant [email protected] the Service Account User role on this service account.
So, per the GCP document above, I expect [email protected] to be able to create an instance, but the Create instance button remains disabled.

Then I granted [email protected] the Service Account User role at the project level, and the Create instance button still remains disabled.
So what is wrong?

Am I understanding this wrong? Does granting [email protected] the Service Account User role not give testuser the ability to create an instance? Am I doing something wrong?

How can I create an instance using the Service Account User role?
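The two different IAM checks involved in this setup, as an added illustration that is not part of the original post and not Google's code. It is a toy model of IAM evaluation, not the real evaluator: the role-to-permission table is an assumption listing only the handful of permissions relevant here (the real predefined roles contain many more), and the project name, user and service-account identities are constructed placeholders. The point it makes explicit is that the Create instance button in the console is driven by the signed-in user's own permissions, while the Service Account User role only adds iam.serviceAccounts.actAs on the service account; that permission is consulted when the user attaches the service account to a VM, and the service account's own Compute Admin permissions are only applied to calls authenticated as the service account.

```python
"""Toy model of the IAM checks around roles/iam.serviceAccountUser.

Constructed illustration, not GCP's real IAM evaluator. ROLE_PERMISSIONS is an
assumed subset of the real predefined roles, trimmed to what this scenario needs.
"""
from dataclasses import dataclass, field

# Assumed subset of the predefined roles' permissions (not exhaustive).
ROLE_PERMISSIONS = {
    "roles/viewer": {
        "compute.instances.get", "compute.instances.list",
    },
    "roles/compute.admin": {
        "compute.instances.get", "compute.instances.list",
        "compute.instances.create", "compute.instances.delete",
    },
    "roles/iam.serviceAccountUser": {
        "iam.serviceAccounts.actAs",
        "iam.serviceAccounts.get", "iam.serviceAccounts.list",
    },
}


@dataclass
class Resource:
    """A node in the resource hierarchy (project or service account) with its own IAM bindings."""
    name: str
    parent: "Resource | None" = None
    bindings: dict = field(default_factory=dict)  # role -> set of members

    def grant(self, role: str, member: str) -> None:
        self.bindings.setdefault(role, set()).add(member)


def has_permission(member: str, permission: str, resource: Resource) -> bool:
    """True if a binding on the resource or any ancestor gives `member` a role
    containing `permission`. Bindings inherit downward, so a project-level grant
    also applies to service accounts inside the project."""
    node = resource
    while node is not None:
        for role, members in node.bindings.items():
            if member in members and permission in ROLE_PERMISSIONS.get(role, set()):
                return True
        node = node.parent
    return False


def can_act_as(member: str, sa: Resource) -> bool:
    """What roles/iam.serviceAccountUser gives the member: actAs on the service account."""
    return has_permission(member, "iam.serviceAccounts.actAs", sa)


def can_create_instance_running_as(member: str, project: Resource, sa: Resource) -> bool:
    """Creating a VM attached to `sa` is checked against the *caller*: the caller
    needs compute.instances.create on the project AND actAs on the service account.
    The service account's own roles are not consulted for this call."""
    return (has_permission(member, "compute.instances.create", project)
            and can_act_as(member, sa))


def build_scenario(sa_user_at_project_level: bool = False):
    """Rebuild the setup from the question with constructed placeholder identities."""
    project = Resource("projects/demo-project")                         # placeholder
    user = "user:testuser@example.com"                                   # placeholder
    sa_email = "sa-creator@demo-project.iam.gserviceaccount.com"         # placeholder
    sa_member = f"serviceAccount:{sa_email}"
    sa = Resource(f"projects/demo-project/serviceAccounts/{sa_email}", parent=project)

    project.grant("roles/viewer", user)                  # step 2 of the question
    project.grant("roles/compute.admin", sa_member)      # step 4
    if sa_user_at_project_level:
        project.grant("roles/iam.serviceAccountUser", user)  # the second attempt
    else:
        sa.grant("roles/iam.serviceAccountUser", user)       # step 5
    return project, sa, user, sa_member


def evaluate(sa_user_at_project_level: bool = False) -> dict:
    """Run the checks a practitioner would ask about for this scenario."""
    project, sa, user, sa_member = build_scenario(sa_user_at_project_level)
    return {
        # The console's Create instance button reflects the signed-in user's own permissions.
        "user_can_create_directly": has_permission(user, "compute.instances.create", project),
        "user_can_act_as_sa": can_act_as(user, sa),
        "user_can_create_vm_attached_to_sa": can_create_instance_running_as(user, project, sa),
        # Only a call authenticated *as the service account* is evaluated against its roles.
        "sa_can_create": has_permission(sa_member, "compute.instances.create", project),
    }


if __name__ == "__main__":
    for project_level in (False, True):
        label = "project-level SA User grant" if project_level else "SA-level SA User grant"
        print(label, evaluate(project_level))
```

In this model, moving the Service Account User binding from the service account to the project changes nothing: the user gains actAs in both cases but never gains compute.instances.create in their own right, so a direct create (and the console button) stays denied, while the service account itself is allowed to create. The separation between "the caller's permissions" and "the service account's permissions" is the check to keep in mind when reading the quoted documentation.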