Score:2

GCP - which role does a permission belong to?


I can't understand why the use of IAM is so hard to comprehend. For example, I am trying to create a schedule for a VM instance. When I add an instance to a schedule I get:

Compute Engine System service account [email protected]
needs to have [compute.instances.start,compute.instances.stop] permissions applied in order to perform this operation

I located the account in IAM, but I don't know which role these belong to. Which role should I add to achieve this?

If I try gcloud, I get an error:

gcloud projects add-iam-policy-binding general-123456 \
    --member=user:[email protected] --role=roles/compute.instances.start

ERROR: (gcloud.projects.add-iam-policy-binding) User [xxxxxx] does not have permission to access projects instance [general-123456:getIamPolicy] (or it may not exist): The caller does not have permission

I am the owner of the account and all the projects.

What should I do about it?

Generally speaking, what is the procedure for dealing with GCP permissions when they are expressed like someth.the.other.etc or someThingsNotRight? How do I identify the right role name?

Score:3

To figure out which role has compute.instances.start and compute.instances.stop, you can go to the list of roles and filter by these permissions (type one in the filter box) [1]. This will produce around a dozen different roles that have the required permission, but these default roles are going to be either very broad in the number of permissions they carry (Owner, Editor, Compute Admin) or designed for other tasks not related to what you are trying to do (Cloud Dataflow Service Agent, Kubernetes Engine Service Agent).

In your case you could just create a new role (name it something like Instance Scheduler) [2], assign just these two permissions, and then bind the role to your service account.

[1] https://cloud.google.com/iam/docs/creating-custom-roles#getting_the_role_metadata
[2] https://cloud.google.com/iam/docs/creating-custom-roles#creating_a_custom_role
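
The procedure from this answer, scripted with gcloud, as an added example that is not part of the original answer. The project id is the one from the question; the role id instanceScheduler and the service agent address (the page redacts it, so the placeholder uses the documented service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com form) are assumptions. The first half scans every predefined role for the two permissions and ranks the matches by how many permissions they carry, which makes the "broad or unrelated" point visible; the second half creates the two-permission custom role and binds it to the service agent.

```shell
#!/bin/sh
# Added example, not code from the original post. Finds which predefined roles
# carry a set of permissions, then creates a least-privilege custom role and
# binds it to the Compute Engine service agent.
set -eu

PROJECT="general-123456"                       # project id from the question
ROLE_ID="instanceScheduler"                    # assumed custom role id
PERMS="compute.instances.start,compute.instances.stop"
# The page redacts the service agent address; placeholder in the documented
# service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com form.
SA="service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com"

# includes_all LIST NEEDED: exit 0 iff every comma-separated permission in
# NEEDED appears in LIST, the semicolon-separated string that
# `gcloud iam roles describe ROLE --format='value(includedPermissions)'` prints.
includes_all() {
  list="$1"
  needed="$2"
  for p in $(printf '%s' "$needed" | tr ',' ' '); do
    printf '%s\n' "$list" | tr ';' '\n' | grep -Fqx -- "$p" || return 1
  done
  return 0
}

# count_perms LIST: number of permissions in LIST (0 for an empty list); used
# to rank how broad a matching role is.
count_perms() {
  printf '%s\n' "$1" | awk -F';' '{ print NF }'
}

# find_roles: scan every predefined role and print the ones containing all of
# $PERMS as "<permission count><TAB><role>", narrowest role first.
find_roles() {
  gcloud iam roles list --format='value(name)' | while read -r role; do
    perms=$(gcloud iam roles describe "$role" --format='value(includedPermissions)')
    if includes_all "$perms" "$PERMS"; then
      printf '%s\t%s\n' "$(count_perms "$perms")" "$role"
    fi
  done | sort -n
}

# create_and_bind: the answer's recommendation, a custom role holding only the
# two permissions, granted to the service agent on the project.
create_and_bind() {
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT" \
    --title="Instance Scheduler" \
    --description="Start and stop VM instances on a schedule" \
    --permissions="$PERMS" --stage=GA
  gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:$SA" \
    --role="projects/$PROJECT/roles/$ROLE_ID"
}

if command -v gcloud >/dev/null 2>&1; then
  gcloud auth list            # the identity that must hold getIamPolicy/setIamPolicy
  find_roles
  # create_and_bind           # uncomment after reviewing the list above
fi
```

The scan calls gcloud iam roles describe once per predefined role, so it takes several minutes; the custom-role creation is left commented out so the list can be reviewed first. The getIamPolicy error in the question is worth a check before running any of this: add-iam-policy-binding reads the current policy before modifying it, so that error means the identity gcloud is using (shown by gcloud auth list) lacks resourcemanager.projects.getIamPolicy on the project, and that identity is not necessarily the console account that owns it.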

Boppity Bop
Exactly what I needed - a rare occurrence on SE these days :) Thanks!
John Hanley
@BoppityBop This is a good answer. Another option is to Google search on the permission name. One of the search results will be a page that lists that permission and the roles that contain that permission. When I work with a new service, I read the IAM documentation for that service so that I have an understanding of what I will need to configure.