Google Certified Associate Cloud Engineer 2020


Uploading log file to Cloud Storage from startup script causes `AccessDeniedException: 403` if service account storage scope is set after instance creation.

Updating the scope of the default service account for a VM instance after creating it causes startup-script: AccessDeniedException: 403 when trying to upload log files to a Cloud Storage bucket, but it works perfectly when setting the scope on creation of the instance.

I'd like to know if this is expected behavior, or what the best solution for it would be.

cmd used to set scope after creation:

gcloud compute instances stop instance-name --zone=us-east1-b

gcloud beta compute instances set-scopes instance-name --scopes=storage-rw,monitoring-write,logging-write --zone=us-east1-b --service-account=XXXXXXXXXXXX-default-compute@developer.gserviceaccount.com

gcloud compute instances start instance-name --zone=us-east1-b

cmd used to set scope on creation:

gcloud compute instances create instance-name \
  --scopes storage-rw,monitoring-write,logging-write \
  --metadata lab-logs-bucket=gs://lab-logs-bucket-test-1-05 \
  --metadata-from-file startup-script=worker-startup-script.sh \
  --machine-type=n1-standard-2 \
  --zone=us-east1-b

script link: https://raw.githubusercontent.com/ACloudGuru/gcp-cloud-engineer/master/compute-labs/worker-startup-script.sh

Good hint @Titus, the option "--metadata-from-file startup-script=worker-startup-script.sh" helps if you decide to automate the whole exercise, as passing the script text in one command with escape characters is challenging (hint: you can use the GUI, then click on the "Equivalent Command Line" button).

1 Answer

What I did is to create the instance with access to all the API services. You can set this option when creating the instance.
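Granting access to all APIs (the cloud-platform scope) avoids the 403, but the narrower storage-rw scope the question already uses is enough for the upload, so a startup script can instead verify the scope it actually has before calling gsutil. The following pre-flight check is an added example, not code from the thread or from the ACG lab script; it assumes only the documented GCE metadata server endpoints, and the scope list in its comments is constructed for illustration.

```shell
#!/bin/sh
# Added example: fail fast with a clear message when the instance's default
# service account lacks a Cloud Storage write scope, instead of hitting
# AccessDeniedException: 403 partway through the upload.
METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"
STORAGE_RW_SCOPE="https://www.googleapis.com/auth/devstorage.read_write"   # gcloud alias: storage-rw
STORAGE_FULL_SCOPE="https://www.googleapis.com/auth/devstorage.full_control" # gcloud alias: storage-full
CLOUD_PLATFORM_SCOPE="https://www.googleapis.com/auth/cloud-platform"       # "all APIs" in the console

# Prints the newline-separated scope list the metadata server reports for the
# instance's default service account. This reflects scopes set at creation or
# changed with set-scopes after a stop/start.
fetch_scopes() {
    curl -sf -H "Metadata-Flavor: Google" "$METADATA_URL/scopes"
}

# has_scope SCOPES REQUIRED: succeeds if REQUIRED appears as a whole line in SCOPES.
has_scope() {
    printf '%s\n' "$1" | grep -qxF "$2"
}

# can_write_gcs SCOPES: succeeds if any scope in SCOPES allows writing objects.
# Note that devstorage.read_only does not match, so a read-only instance fails here.
can_write_gcs() {
    has_scope "$1" "$STORAGE_RW_SCOPE" \
        || has_scope "$1" "$STORAGE_FULL_SCOPE" \
        || has_scope "$1" "$CLOUD_PLATFORM_SCOPE"
}

# Entry point for a real startup script: call this before the gsutil cp step.
check_or_die() {
    scopes=$(fetch_scopes) || { echo "metadata server unreachable" >&2; exit 1; }
    if ! can_write_gcs "$scopes"; then
        echo "missing Cloud Storage write scope; current scopes:" >&2
        printf '%s\n' "$scopes" >&2
        exit 1
    fi
}
```

The printed scope list also makes it obvious whether a set-scopes change took effect after the restart.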
