Google Certified Associate Cloud Engineer 2020

Sign Up Free or Log In to participate!

How does the default scope of the default service account remove Write access to Storage?

The primitive role of the compute Service Account is Editor.  Which I took to mean includes read and write APIs to all GCP resources using that service account.  If that’s the case, then how, when I create a vm instance using the compute engine default service account, the access to storage is only read and not write?

So policies are additive, but roles are not? Very confused.

1 Answers

I think the missing factor in the scenario you’re describing is the use of "access scopes" in GCE, and how they limit the permissions that a VM gains from its associated service account. Access scopes are kind of ‘subtractive’ because they can remove the ability of a VM to write to a Cloud Storage bucket even though that VM’s service account has the permissions for that action (the service account resource itself is unaffected though).

The default access scopes applied to a VM only allow read access, and I think that’s what was happening when you made your VM (defaults listed here:

So policies are additive, but that doesn’t mean that another factor cannot come in and mess with permissions!

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?