This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Permissions issue with GCP Default Service Account when adding an EC2 instance to a schedule

Posted on 10-20-2023 10:42 AM
jrajagopal
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

We are facing a problem with GCP permissions for our service account. When we try to add one of our EC2 instances to a schedule, we get the error message that states the service account has "permissions missing for compute.instances.start".

The role that is assigned to the service account has this permission assigned. 

Also upon going through the Google Cloud documentation, we were told to assign "Compute Instance Admin (v1)" role to the service account. This did not fix the problem. Any thoughts on how to proceed?

1 4 6,004
Topic Labels
4 REPLIES 4

Posted on --/--/---- --:-- AM
lawrencenelson
Staff
Reply posted on --/--/---- --:-- AM

Hi @jrajagopal,

Welcome to the Google Cloud Community!

First, please verify that the Compute Engine Service Agent is enabled for your project. You can view this documentation for details.

Next, please verify that the service account is selected for your VM. To do this, follow these steps:

  1. Go to the Cloud Console.
  2. Search for "Compute Engine".
  3. Click on your VM instance.
  4. In the API and identity management section, verify that the selected service account has the Compute Instance Admin (v1) role. If not, click Edit and change to the appropriate service account.

If you have followed the steps above and are still unable to schedule a VM instance, there may be an IAM rule set at the organizational level.

Please let me know if that was helpful. Thank you!

Posted on --/--/---- --:-- AM
jrajagopal
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

@lawrencenelson thanks for getting back to me. All of the above are complete - we have a Service agent enabled for the project. And the service account has the Compute Instance Admin (v1) role assigned.

Further, our set up is a simple one - we only have a couple of developers; since there has never been a need to set up IAM rules, we have not done so. I can still check if you can let me know where to look.

Posted on --/--/---- --:-- AM
lawrencenelson
Staff
In response to jrajagopal
Reply posted on --/--/---- --:-- AM

Hi,

For the error "Compute Engine System service account needs to have [compute.instances.start,compute.instances.stop] permissions applied in order to perform this operation.", kindly try the following steps below [1]:

  1. Head to your Cloud Console
  2. Search for IAM & Admin
  3. Head to IAM
  4. Click on the Include Google-provided role grants tickbox
  5. Look for the service account that contains the "@compute-system.iam.gserviceaccount.com" then click on the Pencil button (Edit Principal).
  6. Add the Compute Instance Admin (v1) role to the service account.
  7. Reattempt to add the VM instance to the instance scheduler.

Screenshot.png

It should work now after following the steps above. I hope this helps. Thank you.

[1]. https://stackoverflow.com/questions/69470724/how-to-link-a-google-cloud-vm-to-an-instance-schedule

Posted on --/--/---- --:-- AM
jrajagopal
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I don't have an account that contains "@compute-system.iam.gserviceaccount.com". There are 2 I have - "@developer.gserviceaccount.com" and "@appspot.gserviceaccount.com". The error is with the former. And before I made the original post, I'd already added the Compute Instance Admin (v1) role to it.

 

Top Labels in this Space
Top Solution Authors
View all