Updating scope of default service accout for a VM instance after creating it causes
startup-script: AccessDeniedException: 403 when trying to upload log files to cloud storage bucket but works perfectly when setting the scope on creation of the instance.
Like to know if this is expected behavior or what will be best solution for it.
cmd used to set scope after creation:
gcloud compute instances stop instance-name --zone=us-east1-b gcloud beta compute instances set-scopes instance-name --scopes=storage-rw,monitoring-write,logging-write --zone=us-east1-b --service-account=XXXXXXXXXXXXfirstname.lastname@example.org gcloud compute instances start instance-name --zone=us-east1-b
cmd used to set scope on creation
gcloud compute instances create instance-name --scopes storage-rw,monitoring-write,logging-write --metadata lab-logs-bucket=gs://lab-logs-bucket-test-1-05 --metadata-from-file startup-script=worker-startup-script.sh --machine-type=n1-standard-2 --zone=us-east1-b
What I did is to create the instance with access to all the API services. You can set this option when creating the instance.