I am not able to access compute engine API with gcloud?

1.2k Views Asked by AWS Learning At 30 November 2020 at 12:06

I have an instance running with access scope 'Set Access for each API', and explicitly allowing Compute Engine API with Read-Write access as showing in this below image.

API access list

So I logged inside the instance via SSH, and I tried to run this command:-

gcloud compute instances list

and I got an error:

- Required 'compute.zones.list' permission for 'projects/dotted-hxxl-xxx'

My user is having explicitly allowing access to compute Engine API but still I am getting the error. I shouldn't get this error right? What am I missing here?

Original Q&A

There are 2 best solutions below

guillaume blaquiere On 30 November 2020 at 15:26

when you are logged into an instance, the permissions that you get aren't these of your users but these of the compute engine provided by the metadata server.

Go to the compute engine detail and have a look to the Service Account section.
If there is a service account, check the permissions of it
If not, add a service account on your VM (you will need to stop it to perform this operation)

marian.vladoi On 30 November 2020 at 20:59

stop the compute engine instance

gcloud compute instances stop instance-1 --zone us-central1-c

get the service account of the instance

gcloud compute instances describe instance-1 --zone us-central1-c | grep email

assign the role roles/compute.instanceAdmin to the service account

gcloud projects add-iam-policy-binding your_project -- member="serviceAccount:SERVICE_ACCOUNT_ID@your_project.iam.gserviceaccount.com" --role="roles/compute.instanceAdmin"

start the instance

gcloud compute instances start instance-1 --zone us-central1-c

ssh to the instance

gcloud compute ssh instance-1 --zone us-central1-c

run the gcloud command

gcloud compute instances list

Also read about the difference between IAM roles and OAuth scopes

When you set up an instance to run as a service account, you determine the level of access the service account has by the IAM roles that you grant to the service account. If the service account has no IAM roles, then no API methods can be run by the service account on that instance.

Furthermore, an instance's access scopes determine the default OAuth scopes for requests made through the gcloud tool and client libraries on the instance. As a result, access scopes potentially further limit access to API methods when authenticating through OAuth

I am not able to access compute engine API with gcloud?

There are 2 best solutions below

Related Questions in GOOGLE-CLOUD-PLATFORM

Related Questions in GOOGLE-COMPUTE-ENGINE

Related Questions in GOOGLE-COMPUTE-API

Trending Questions

Popular # Hahtags

Popular Questions