Google Certified Associate Cloud Engineer 2020


How does the default scope of the default service account remove Write access to Storage?

The primitive role of the Compute Engine service account is Editor, which I took to mean it includes read and write APIs to all GCP resources using that service account. If that's the case, then how is it that when I create a VM instance using the Compute Engine default service account, the access to Storage is only read and not write?

So policies are additive, but roles are not? Very confused.

1 Answer

I think the missing factor in the scenario you’re describing is the use of "access scopes" in GCE, and how they limit the permissions that a VM gains from its associated service account. Access scopes are kind of ‘subtractive’ because they can remove the ability of a VM to write to a Cloud Storage bucket even though that VM’s service account has the permissions for that action (the service account resource itself is unaffected though).

The default access scopes applied to a VM only allow read access, and I think that’s what was happening when you made your VM (defaults listed here: https://cloud.google.com/compute/docs/access/service-accounts#associating_a_service_account_to_an_instance).

So policies are additive, but that doesn’t mean that another factor cannot come in and mess with permissions!
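The following is an added model of the interaction the answer describes, not code from the original poster or from Google: the VM's effective permission set is the intersection of what its service account's IAM roles grant and what its access scopes let a token exercise. The scope URLs and IAM permission names are real; the scope-to-permission mapping and the "Editor" and "Viewer" permission subsets are simplified assumptions used only to illustrate the point.

```python
# Added illustration (not Google's code): why a VM with an Editor service
# account and default access scopes can read but not write Cloud Storage.
# Scope URLs are real; SCOPE_ALLOWS is a simplified, assumed mapping that
# covers only Storage object permissions.

from typing import FrozenSet, Iterable, Set

# Real OAuth scope URLs. Compute Engine's default scope set includes
# devstorage.read_only, which is what limits Storage to reads.
STORAGE_RO = "https://www.googleapis.com/auth/devstorage.read_only"
STORAGE_RW = "https://www.googleapis.com/auth/devstorage.read_write"
STORAGE_FULL = "https://www.googleapis.com/auth/devstorage.full_control"
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

DEFAULT_VM_SCOPES: FrozenSet[str] = frozenset({
    STORAGE_RO,
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/service.management.readonly",
    "https://www.googleapis.com/auth/trace.append",
})

READ = {"storage.objects.get", "storage.objects.list"}
WRITE = {"storage.objects.create"}

# Assumed mapping: the Storage object permissions a token carrying each
# scope may exercise. Scopes not listed here contribute nothing to Storage.
SCOPE_ALLOWS = {
    STORAGE_RO: READ,
    STORAGE_RW: READ | WRITE,
    STORAGE_FULL: READ | WRITE,
    CLOUD_PLATFORM: READ | WRITE,
}

# Constructed subsets of what the primitive Editor / Viewer roles grant on
# Storage objects (the real roles contain many more permissions).
EDITOR_STORAGE_PERMS: FrozenSet[str] = frozenset(READ | WRITE)
VIEWER_STORAGE_PERMS: FrozenSet[str] = frozenset(READ)


def scope_ceiling(scopes: Iterable[str]) -> Set[str]:
    """Union of the permissions the VM's scopes allow a token to use."""
    allowed: Set[str] = set()
    for scope in scopes:
        allowed |= SCOPE_ALLOWS.get(scope, set())
    return allowed


def effective_permissions(role_perms: Iterable[str], scopes: Iterable[str]) -> Set[str]:
    """What code running on the VM can actually do: IAM grants AND scope ceiling.

    Scopes only ever intersect, so the result is never larger than role_perms;
    the service account's own IAM bindings are untouched by this calculation.
    """
    return set(role_perms) & scope_ceiling(scopes)


def can_write_objects(role_perms: Iterable[str], scopes: Iterable[str]) -> bool:
    """True if the VM can create Storage objects with this role/scope combination."""
    return "storage.objects.create" in effective_permissions(role_perms, scopes)


def blocked_by_scope(role_perms: Iterable[str], scopes: Iterable[str]) -> Set[str]:
    """Permissions the service account holds but the VM cannot use, i.e. what
    the access scopes 'subtracted'. Empty means scopes are not the limiting factor."""
    return set(role_perms) - effective_permissions(role_perms, scopes)


if __name__ == "__main__":
    # The questioner's situation: Editor service account, default VM scopes.
    print("effective:", sorted(effective_permissions(EDITOR_STORAGE_PERMS, DEFAULT_VM_SCOPES)))
    print("blocked by scope:", sorted(blocked_by_scope(EDITOR_STORAGE_PERMS, DEFAULT_VM_SCOPES)))
    # Widening only the scope restores writes; the IAM policy is unchanged.
    print("editor + read_write scope can write:", can_write_objects(EDITOR_STORAGE_PERMS, {STORAGE_RW}))
    # A wider scope cannot grant what the role never had.
    print("viewer + cloud-platform scope can write:", can_write_objects(VIEWER_STORAGE_PERMS, {CLOUD_PLATFORM}))
```

To check which scopes an existing instance actually has, `gcloud compute instances describe VM_NAME --zone ZONE --format='yaml(serviceAccounts)'` lists the attached service account together with its scopes; if `devstorage.read_only` is the only Storage scope present, writes will fail regardless of how broad the account's IAM roles are, and the fix is to set a wider scope (or `cloud-platform` and rely on IAM alone) on the instance rather than to add more roles.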
