Google Certified Associate Cloud Engineer 2020

Sign Up Free or Log In to participate!

Uploading log file to Cloud Storage from start up script causes `AccessDeniedException: 403` if service accout storage scope is set after instance creation.

Updating scope of default service accout for a VM instance after creating it causes startup-script: AccessDeniedException: 403 when trying to upload log files to cloud storage bucket but works perfectly when setting the scope on creation of the instance.

Like to know if this is expected behavior or what will be best solution for it.

cmd used to set scope after creation:

gcloud compute instances stop instance-name --zone=us-east1-b

gcloud beta compute instances set-scopes instance-name --scopes=storage-rw,monitoring-write,logging-write --zone=us-east1-b --service-account=XXXXXXXXXXXX-default-compute@developer.gserviceaccount.com

gcloud compute instances start instance-name --zone=us-east1-b

cmd used to set scope on creation

gcloud compute instances create instance-name 

--scopes storage-rw,monitoring-write,logging-write 

--metadata lab-logs-bucket=gs://lab-logs-bucket-test-1-05 

--metadata-from-file startup-script=worker-startup-script.sh 

--machine-type=n1-standard-2 

--zone=us-east1-b

script link: https://raw.githubusercontent.com/ACloudGuru/gcp-cloud-engineer/master/compute-labs/worker-startup-script.sh

1 Answers

What I did is to create the instance with access to all the API services. You can set this option when creating the instance.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?