
How to enable delete protection on a Workbench Instance

rpanai
New Member

Given that the stop and delete buttons are next to each other, it's the second Workbench instance that I mistakenly deleted.
I know that I can enable this feature for VM machines, but whenever I click on instance name -> System -> VM details, then click on View in Compute Engine and try to edit it to enable delete protection, I get the following error.

Editing VM instance "MY-INSTANCE" failed. Error: Required 'Current principal doesn't have permission to mutate this resource!' permission for 'MY-INSTANCE'

We tried using different service accounts/users and adding permissions without much luck.

I get the very same error when I'm trying to set Keep disk as the Deletion rule.
This is very inconvenient. I know I could set snapshots, but these simple features would be great.


Hi @rpanai

Welcome to Google Cloud Community!

Each Workbench instance has a service account associated with it. Your account is the one that actually manages the underlying VM; it also requires the proper permission to enable delete protection. You need to determine your account.

Here's how to do it:
1. Get the Workbench Service Account Email:

  • In the Workbench UI, navigate to your instance.
  • Go to "System" -> "VM details".
  • Look for the "Service Account" field. Copy the email address of the service account. It should look like: 
    workbench-<your-project>-<your-instance>@developer.gserviceaccount.com

2. Grant IAM Permission:

  • Go to the IAM & Admin page in the Google Cloud Console.
  • Click "Grant Access"
  • Enter the service account email you copied in step 1.
  • Grant “Compute Admin” and “Service Account User” roles.


Next, enable delete protection on the Compute Engine instance through gcloud commands.

Using gcloud (command line):
1. Install the gcloud CLI: Make sure you have the Google Cloud SDK (gcloud CLI) installed and configured.
2. Use gcloud on the resource:

gcloud compute instances update <your-instance-name> \
  --deletion-protection \
  --project=<your-project-id> \
  --zone=<your-instance-zone>


Additionally, to verify Delete Protection Status:

You can check if delete protection is enabled via the gcloud command:

gcloud compute instances describe <your-instance-name> --format="get(deletionProtection)" --zone=<your-instance-zone> --project=<your-project-id>


This will output true if enabled, false otherwise. Alternatively, you can view it in the Compute Engine UI under VM Instances, select your instance, and the deletion protection status will be visible in the Summary.


Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
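
As an added example (not part of the thread above and not Google's code): a Python check over `gcloud compute instances list --format=json` output that flags instances lacking deletion protection or holding disks still set to auto-delete, and builds the matching commands. The sample data and every name in it are constructed; `set-disk-auto-delete` is a gcloud command that the thread does not mention.

```python
import json
import shlex
import sys

# Constructed sample shaped like `gcloud compute instances list --format=json`,
# reduced to the fields read below. Project, instance and disk names are made up.
_ZONE = "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a"
SAMPLE = [
    {"name": "wb-research", "zone": _ZONE, "deletionProtection": False,
     "disks": [{"source": _ZONE + "/disks/wb-research-boot", "autoDelete": True},
               {"source": _ZONE + "/disks/wb-research-data", "autoDelete": False}]},
    {"name": "wb-prod", "zone": _ZONE, "deletionProtection": True,
     "disks": [{"source": _ZONE + "/disks/wb-prod-boot", "autoDelete": False}]},
]

def audit(instances):
    """Return one finding per instance that an accidental delete would destroy."""
    findings = []
    for inst in instances:
        # Fail closed: a missing field counts as unprotected / auto-deleted.
        unprotected = not inst.get("deletionProtection", False)
        auto_deleted = [d["source"].rsplit("/", 1)[-1]
                        for d in inst.get("disks", []) if d.get("autoDelete", True)]
        if unprotected or auto_deleted:
            findings.append({"name": inst["name"],
                             "zone": inst["zone"].rsplit("/", 1)[-1],
                             "unprotected": unprotected,
                             "auto_delete_disks": auto_deleted})
    return findings

def remediation(finding, project):
    """Build the gcloud commands that close the gaps in one finding."""
    scope = [f"--project={project}", f"--zone={finding['zone']}"]
    cmds = []
    if finding["unprotected"]:
        cmds.append(["gcloud", "compute", "instances", "update",
                     finding["name"], "--deletion-protection", *scope])
    for disk in finding["auto_delete_disks"]:
        cmds.append(["gcloud", "compute", "instances", "set-disk-auto-delete",
                     finding["name"], "--no-auto-delete", f"--disk={disk}", *scope])
    return [shlex.join(c) for c in cmds]

if __name__ == "__main__":
    # With a project id argument, read real gcloud JSON from stdin; else use SAMPLE.
    project = sys.argv[1] if len(sys.argv) > 1 else "example-project"
    data = json.load(sys.stdin) if len(sys.argv) > 1 else SAMPLE
    for f in audit(data):
        print("\n".join(remediation(f, project)))
```

The generated commands are printed rather than executed, so they can be reviewed before being run by a principal that holds the required Compute Engine permissions.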