
GCE Scheduled Snapshots permissions

I have a rather odd issue which I cannot resolve as of now and also cannot find any documentation about it.
So I'm trying to create GCE Scheduled Snapshots for a couple of persistent disks (manual snapshots work fine), and the thing is that those persistent disks were created with KMS encryption that's tied to the service account "{SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com".

As a result, snapshots are not being created, and in the logs I see messages from principal system@google.com:
The user does not have access to service account '{SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com'. User: ''. Ask a project owner to grant you the iam.serviceAccountUser role on the service account

The issue is that it does not list which user needs to have this permission. I was under the impression that the GCE service agent "service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com" should have "roles/iam.serviceAccountUser" + "roles/compute.instanceAdmin.v1" + "roles/compute.serviceAgent", and so I've added all that, but the error did not go away, and so I'm kind of stuck.
Am I mistaken about granting iam.serviceAccountUser to the Compute Service Agent?


Hi @slitsevych

Welcome to Google Cloud Community! 

You need to grant the iam.serviceAccountUser role to the Google Compute Engine service agent on your instance's service account. This allows the compute service agent to impersonate your service account, giving it temporary access to use the KMS key to read the disk for the snapshot.

Grant the Role to the Compute Engine Service Agent

  • Go to the Service Accounts
  • Click on the service account's name. This will take you to its details page.
  • Go to the "Permissions" tab.
  • Click "Grant Access".
  • In the "New principals" field, enter the following:
    service-${PROJECT_NUMBER}@compute-system.iam.gserviceaccount.com

    (Replace ${PROJECT_NUMBER} with your actual project number).

  • In the "Select a role" dropdown, start typing "Service Account User" and select the "Service Account User" role.
  • Click "Save".

For more information, you may check this documentation:

If you have any questions and need further assistance with specific steps, please reach out to our Google Cloud Support team.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
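The console steps in the reply above have a command-line equivalent, and before re-running the snapshot schedule it is worth checking whether the binding is actually present on the service account the error message names. The Python below is an added example, not code from the thread or from Google. It inspects a constructed sample of the JSON that `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` returns, reports whether the Compute Engine service agent holds roles/iam.serviceAccountUser on that service account, and builds the `gcloud iam service-accounts add-iam-policy-binding` command that adds it. The project number 123456789012, the project ID my-project and the service account name disk-kms-sa are placeholders.

```python
"""Check whether the Compute Engine service agent may act as a given service
account, and build the gcloud command that grants it if not.

Added example, not from the original thread. The policy documents below are
constructed samples in the shape returned by
`gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`;
the project number, project ID and service account name are placeholders.
"""
import json
import shlex

ROLE = "roles/iam.serviceAccountUser"


def compute_service_agent(project_number: str) -> str:
    """IAM member string for the Compute Engine service agent of a project."""
    return f"serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com"


def members_with_role(policy: dict, role: str) -> set:
    """All members bound to `role` in an IAM policy.

    Conditional bindings are counted as granted; if you use IAM conditions,
    inspect each binding's 'condition' separately.
    """
    return {
        m
        for b in policy.get("bindings", [])
        if b.get("role") == role
        for m in b.get("members", [])
    }


def agent_can_act_as(policy: dict, project_number: str) -> bool:
    """True if the service agent holds roles/iam.serviceAccountUser in this policy.

    Only the service account's own policy is inspected. A project-level grant
    of the same role would also satisfy GCE, but it is deliberately not looked
    for here: that grant lets the agent act as every service account in the
    project, which is more than a snapshot schedule needs.
    """
    return compute_service_agent(project_number) in members_with_role(policy, ROLE)


def grant_command(sa_email: str, project_number: str) -> str:
    """The gcloud command that adds the binding on the service account resource."""
    return " ".join(shlex.quote(p) for p in [
        "gcloud", "iam", "service-accounts", "add-iam-policy-binding", sa_email,
        f"--member={compute_service_agent(project_number)}",
        f"--role={ROLE}",
    ])


# Constructed sample: the service account's policy before the fix. A human
# admin can act as it, but the Compute Engine service agent cannot.
SAMPLE_POLICY_BEFORE = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:admin@example.com"]}
  ],
  "etag": "BwXyZ0000000=",
  "version": 1
}
""")

# Constructed sample: the same policy after the binding has been added.
SAMPLE_POLICY_AFTER = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:admin@example.com",
                 "serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyZ0000001=",
  "version": 1
}
""")

if __name__ == "__main__":
    sa = "disk-kms-sa@my-project.iam.gserviceaccount.com"  # placeholder
    number = "123456789012"                                 # placeholder
    for label, pol in (("before", SAMPLE_POLICY_BEFORE), ("after", SAMPLE_POLICY_AFTER)):
        ok = agent_can_act_as(pol, number)
        print(f"{label}: service agent can act as {sa}: {ok}")
        if not ok:
            print("  fix:", grant_command(sa, number))
```

Two points a practitioner should keep in mind. First, the binding belongs on the service account resource (as the console steps above do), not at project level: roles/iam.serviceAccountUser granted project-wide lets the Compute Engine service agent act as every service account in the project, and it also would not show up in the SA-level policy this check reads, so a passing snapshot schedule with a failing check means the grant is broader than it needs to be. Second, run the check against the exact service account named in the log message, since that is the identity the snapshot job has to act as.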
