
I can't understand why use of IAM is so hard to comprehend. For example, I am trying to create a schedule for a VM instance. When I add an instance to a schedule I get:

Compute Engine System service account service-xxxxxxxxxx@compute-system.iam.gserviceaccount.com
needs to have [compute.instances.start,compute.instances.stop] permissions applied in order to perform this operation

I located the account in IAM but I don't know which role these belong to. Which role should I add to achieve this?

If I try gcloud I get an error:

gcloud projects add-iam-policy-binding general-123456 \
    --member=user:service-xxxxxxxxxxxx@compute-system.iam.gserviceaccount.com --role=roles/compute.instances.start

ERROR: (gcloud.projects.add-iam-policy-binding) User [xxxxxx] does not have permission to access projects instance [general-123456:getIamPolicy] (or it may not exist): The caller does not have permission

I am the owner of the account and all the projects.

What should I do about it?

Generally speaking, what's the procedure for dealing with GCP permissions when they are expressed like someth.the.other.etc or someThingsNotRight? How do I identify the right role name?

Boppity Bop

1 Answer


To figure out which role has compute.instances.start and compute.instances.stop, you can go to the list of roles and filter by these permissions (type one in the filter box) [1]. This will produce around a dozen different roles that have the required permission, but these default roles are going to be either very broad in regard to the number of permissions (Owner, Editor, Compute Admin) or designed for other tasks not related to what you are trying to do (Cloud Dataflow Service Agent, Kubernetes Engine Service Agent).

In your case you could just create a new role (name it something like Instance Scheduler) [2] and assign just these two permissions, then bind the role to your service account.

[1] https://cloud.google.com/iam/docs/creating-custom-roles#getting_the_role_metadata
[2] https://cloud.google.com/iam/docs/creating-custom-roles#creating_a_custom_role

jabbson

  • exactly what I needed - a rare occurrence on SE these days :) thanks! – Boppity Bop Jul 03 '21 at 17:27
  • @BoppityBop This is a good answer. Another option is to Google search on the permission name. One of the search results will be a page that lists that permission and the roles that contain that permission. When I work with a new service, I read the IAM documentation for that service so that I have an understanding of what I will need to configure. – John Hanley Jul 03 '21 at 18:34
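A worked version of the procedure from the answer above (custom role with only the two permissions, then a binding for the service account), written as an added example that is not part of the original post or of Google's tooling. The project id and service account address are the placeholders from the question; the role id "instanceScheduler" and the role title are assumed. DRY_RUN=1 (the default) only prints the gcloud commands so nothing in the project is changed until you run it with DRY_RUN=0. One detail worth checking against the failed command in the question: gcloud expects the member prefix "serviceAccount:" for service accounts, whereas the question used "user:".

```shell
#!/bin/sh
# Added example, not code from the question or answer. Creates a least-privilege
# custom role for the Compute Engine system service account and binds it.
# All identifiers below are placeholders from the question or assumed here.
PROJECT="${PROJECT:-general-123456}"                                  # from the question
ROLE_ID="${ROLE_ID:-instanceScheduler}"                               # assumed role id
SA="${SA:-service-xxxxxxxxxx@compute-system.iam.gserviceaccount.com}" # from the question
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands only, 0 = execute them

# Print a command (DRY_RUN=1) or run it (DRY_RUN=0).
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# YAML definition for the custom role: exactly the two permissions the
# Compute Engine error message asked for, nothing broader.
role_yaml() {
  cat <<EOF
title: Instance Scheduler
description: Start and stop VM instances for instance schedules
stage: GA
includedPermissions:
- compute.instances.start
- compute.instances.stop
EOF
}

# Member string for a service account. The question's command used "user:",
# which is the prefix for human accounts; service accounts need "serviceAccount:".
member() {
  printf 'serviceAccount:%s\n' "$1"
}

# Full resource name of a project-level custom role, as --role expects it.
role_name() {
  printf 'projects/%s/roles/%s\n' "$1" "$2"
}

main() {
  tmp="$(mktemp)"
  role_yaml > "$tmp"
  # 1. Create the custom role from the YAML definition.
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT" --file="$tmp"
  # 2. Bind it to the Compute Engine system service account at project level.
  run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member="$(member "$SA")" \
      --role="$(role_name "$PROJECT" "$ROLE_ID")"
  # 3. Verify what the role actually grants (includedPermissions in the output).
  run gcloud iam roles describe "$ROLE_ID" --project="$PROJECT"
  rm -f "$tmp"
}

main "$@"
```

Run it once with the default DRY_RUN=1 to review the three commands, then with DRY_RUN=0 from an account that can set the project's IAM policy. The same "gcloud iam roles describe" command with a predefined role such as roles/compute.admin shows that role's includedPermissions, which is the command-line equivalent of the console filter the answer describes for checking how broad a built-in role really is.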