How to change the scope of a Google Compute Engine service account to write data to a Google Cloud Storage bucket?

Sunil Garg · Aug 6, 2015 · Viewed 9.1k times

There is an instance running on GCE and there is a GCS bucket in the same project. But I am not able to write data to it. How can I write data from a VM instance to the storage bucket?

Answer

Misha Brukman · Aug 7, 2015

Update: as of 15 Dec 2016, the feature setServiceAccount is now in beta:

You can change the service account and/or access scopes of an existing instance if you want to run as a different identity, or you determine that the instance needs a different set of scopes to call the required APIs. For example, you can change access scopes to grant access to a new API or change an instance so that it runs as a service account you created instead of the Compute Engine Default Service Account.

To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance.

The documentation provides instructions for how to use this feature using the Google Cloud Console, the gcloud CLI tool, as well as the API. Here's an example using gcloud; see the docs for more info.

gcloud beta compute instances set-scopes [INSTANCE_NAME] \
     --service-account [SERVICE_ACCOUNT_EMAIL] \
     [--no-scopes | --scopes [SCOPES,...]]

Previous answer (valid prior to 15 Dec 2016):

You can't change the scopes of a running VM instance. You can either:

  • create a new instance (possibly reusing the disks of your current instance) with the right scopes specified at creation time, e.g.:

    gcloud compute instances create [...] --scopes storage-rw
    
  • if you want to use gsutil manually from inside the VM, you can run gsutil config inside the VM and authenticate by following its prompts

  • if you are planning to use an automated tool using Google APIs, use a service account
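The stop / set-scopes / start cycle from the answer, written out as one script so the three steps always run in the right order and the result is verified with a real write to the bucket. This is an added example, not code from the original answer or from Google's documentation. The instance name, zone, service-account e-mail and bucket name are hypothetical placeholders; `gcloud compute instances stop|start` and the `--zone` flag are standard gcloud commands, and `DRY_RUN=1` is an assumption of this script that echoes the commands instead of executing them so the sequence can be reviewed offline.

```shell
#!/usr/bin/env sh
# Added example: rescope a GCE instance so it can write to a GCS bucket.
# Usage: ./rescope.sh INSTANCE ZONE SERVICE_ACCOUNT_EMAIL SCOPES BUCKET
# Set DRY_RUN=1 (hypothetical, defined here) to print the commands only.
set -eu

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# rescope_instance NAME ZONE SERVICE_ACCOUNT SCOPES
# Scopes can only be changed while the instance is stopped (see the answer),
# so stop first, change the identity/scopes, then start it again.
rescope_instance() {
  name="$1"; zone="$2"; sa="$3"; scopes="$4"
  run gcloud compute instances stop "$name" --zone "$zone"
  run gcloud beta compute instances set-scopes "$name" --zone "$zone" \
      --service-account "$sa" --scopes "$scopes"
  run gcloud compute instances start "$name" --zone "$zone"
}

# verify_bucket_write BUCKET [MARKER]
# Run from inside the restarted VM: upload a small marker object and delete it.
# If the scopes are still insufficient, gsutil cp fails with a 403 and, because
# of set -e, the script stops here instead of reporting success.
verify_bucket_write() {
  bucket="$1"; marker="${2:-scope-check.txt}"
  tmp="$(mktemp)"
  printf 'scope check\n' > "$tmp"
  run gsutil cp "$tmp" "gs://$bucket/$marker"
  run gsutil rm "gs://$bucket/$marker"
  rm -f "$tmp"
}

# Only run the procedure when all five arguments are supplied.
if [ "$#" -eq 5 ]; then
  rescope_instance "$1" "$2" "$3" "$4"
  verify_bucket_write "$5"
fi
```

The scope passed in is `storage-rw`, as in the answer; keeping it that narrow (rather than a broad scope such as `cloud-platform`) limits what a compromised process on the VM can do with the instance's credentials, and running as a dedicated service account instead of the Compute Engine default one keeps that blast radius separate from other instances in the project.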