From 7/1 (Japan time), the "SERVICE_ACCOUNT_ACCESS_DENIED" error message appears when starting a VM

Is the following event a GCP failure?
Every night, I use Cloud Scheduler to start a Cloud Function, which in turn starts GCE VM instances.
However, since 7/1 (Japan time), starting the VM instance fails with a "SERVICE_ACCOUNT_ACCESS_DENIED" error message and the instance does not come up (still ongoing as of 7/1-7/4).
Since the Cloud Function accesses the VM instance using a service account with the Compute Admin IAM role, we believe there is no lack of permissions.

This setup has been in operation for about 3 years, and it has been confirmed that the GCE instance starts normally, without the above error, when the Cloud Scheduler job is forced to run.

Since no official announcement has been made about a failure, please let me know if anyone knows anything about it, including any specification change.

1 Like

Hello @TakaOno ,

Welcome to Google Cloud Community!

If you will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

See Compute Engine IAM roles and permissions

2 Likes
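To make the point in the reply above concrete, here is an added example that is not part of the thread and not Google's code. It checks IAM policy documents, in the JSON shape that `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json` print, for the grant the reply describes: the service account the Cloud Function runs as (the caller, the "member" of the binding) must hold a role carrying `iam.serviceAccounts.actAs` on the service account attached to the VM (the resource). The project ID, service-account emails and policies are constructed for the example; `roles/owner` and `roles/editor` are listed as actAs-carrying roles on my own understanding of the predefined roles, and custom roles and group membership are deliberately not resolved.

```python
# Added example, not from the thread: checks an IAM policy for the actAs grant
# that the reply above describes. Project ID, emails and policies are constructed.

ACT_AS_ROLES = {
    "roles/iam.serviceAccountUser",  # the role named in the reply
    "roles/owner",                   # basic roles that, to my knowledge, also carry
    "roles/editor",                  # iam.serviceAccounts.actAs
}

# Constructed principals: the SA the Cloud Function runs as (the caller) and
# the SA attached to the VM (the resource being acted on).
FUNCTION_SA = "serviceAccount:vm-starter@example-project.iam.gserviceaccount.com"
VM_SA_EMAIL = "vm-runtime@example-project.iam.gserviceaccount.com"

# Constructed project-level policy, as `gcloud projects get-iam-policy --format=json`
# would print it: the caller holds Compute Admin and nothing else.
PROJECT_POLICY_BEFORE = {
    "version": 1,
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/compute.admin", "members": [FUNCTION_SA]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}

# Constructed policy of the VM's own SA, as
# `gcloud iam service-accounts get-iam-policy VM_SA --format=json` would print it.
VM_SA_POLICY_BEFORE = {"version": 1, "etag": "BwXconstructed=", "bindings": []}


def bindings_for(policy, member):
    """Yield (role, is_conditional) for each binding in `policy` naming `member`."""
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            yield binding["role"], "condition" in binding


def act_as_status(member, project_policy, vm_sa_policy):
    """Classify whether `member` can act as the VM's service account.

    'granted'     - an unconditional actAs-carrying role at project or SA level
    'conditional' - only bindings with an IAM condition were found; they may not
                    apply at the time the function runs
    'missing'     - no actAs-carrying role anywhere, so starting a VM that runs as
                    this SA is denied no matter how much Compute permission exists
    """
    status = "missing"
    for policy in (project_policy, vm_sa_policy):
        for role, conditional in bindings_for(policy, member):
            if role in ACT_AS_ROLES:
                if not conditional:
                    return "granted"
                status = "conditional"
    return status


def grant_command(vm_sa_email, member):
    """The gcloud command that adds the missing binding on the VM's SA only
    (least privilege: scoped to that one SA rather than the whole project)."""
    return (
        "gcloud iam service-accounts add-iam-policy-binding "
        f"{vm_sa_email} --member={member} --role=roles/iam.serviceAccountUser"
    )


def with_grant(vm_sa_policy, member):
    """Return a copy of the SA policy with the serviceAccountUser binding added."""
    fixed = {k: v for k, v in vm_sa_policy.items() if k != "bindings"}
    fixed["bindings"] = list(vm_sa_policy.get("bindings", [])) + [
        {"role": "roles/iam.serviceAccountUser", "members": [member]}
    ]
    return fixed


if __name__ == "__main__":
    print("before:", act_as_status(FUNCTION_SA, PROJECT_POLICY_BEFORE, VM_SA_POLICY_BEFORE))
    print(grant_command(VM_SA_EMAIL, FUNCTION_SA))
    after = with_grant(VM_SA_POLICY_BEFORE, FUNCTION_SA)
    print("after: ", act_as_status(FUNCTION_SA, PROJECT_POLICY_BEFORE, after))
```

Run against real output, replace the constructed dictionaries with the JSON the two `gcloud ... get-iam-policy` commands return. The check is deliberately strict about conditions: a binding carrying an IAM condition is reported separately, because a time- or resource-scoped grant can explain exactly the pattern in the question, working on some days and failing on others.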

@Willbin

Thank you for your reply about the solution!
Just to make sure, is it correct to grant the role you mentioned only to the service account set on the VM instance?
The VM instance is started by the Cloud Function, so is it also necessary to grant it to the service account used by the Cloud Function?

The error message “SERVICE_ACCOUNT_ACCESS_DENIED” was displayed from July 1st to July 4th (Japan time), and since July 5th (Japan time) GCE has started normally without changing the settings.

The document you linked says that "the Service Account User role is required only if the MIG creates a VM that can run as a service account."
Does that have something to do with the setting you told me about this time?

In addition, I would like to know why the "SERVICE_ACCOUNT_ACCESS_DENIED" error message was not displayed before 7/1 (Japan time).
Was it not necessary to grant the above role to the service account back then? That is what I mean.

1 Like