VM Instance and Service Account Note
Note
There are three main use cases for a service account:
- Running workloads on a virtual machine
- Running workloads on workstations or in data centers that call Google APIs
- Running workloads that are not tied to the lifecycle of a human user
When you create a service account and attach it to a VM instance, two views matter:
- Resources this service account can access (the roles it has been granted)
- Members with access to this service account (who can attach it to VMs or impersonate it)
You can create multiple virtual machines that use the same service account, but a VM is attached to only one service account at a time.
When you create a VM instance you can assign a specific service account; if you do not, the VM is attached to the default service account.
Default Service Account — by default, every Compute Engine instance can run as the Compute Engine default service account. When you create an instance from the command line or the Cloud Console and omit any service account specification, the default service account is assigned to the VM instance.
Deleting and recreating service accounts:
- After deleting a service account, you can create a new one with the same name
- The role bindings attached to a service account are not deleted immediately when the service account is deleted; the recreated account is a different identity and does not inherit them
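The stale bindings described above are worth auditing, because they linger in the project policy as members prefixed with `deleted:`. The following script is an added example, not part of the original note: it reads an IAM policy in the JSON shape that `gcloud projects get-iam-policy` prints, lists every binding that still references a deleted service account, and prints the `gcloud` command that would remove each one. The policy document, the user `alice@example.com` and the `uid` value are constructed for the example; the project id and account names are the note's own.

```shell
#!/bin/sh
# Added example, not from the original note: audit an IAM policy for bindings
# that still point at a deleted service account. GCP keeps such bindings for a
# while and shows the member as
#   deleted:serviceAccount:NAME@PROJECT.iam.gserviceaccount.com?uid=UNIQUE_ID
# A recreated account with the same name gets a new unique id and does not
# inherit them, so they are dead entries that should be removed.
set -eu

PROJECT="arched-osprey-300404"   # project id from the note

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`
# (gcloud prints "members" before "role" in each binding). The uid is made up.
SAMPLE_POLICY='{
  "bindings": [
    {
      "members": [
        "serviceAccount:674644608098-compute@developer.gserviceaccount.com",
        "deleted:serviceAccount:instancemanagedrole@arched-osprey-300404.iam.gserviceaccount.com?uid=000000000000000000001"
      ],
      "role": "roles/storage.objectViewer"
    },
    {
      "members": [
        "user:alice@example.com"
      ],
      "role": "roles/viewer"
    }
  ],
  "etag": "BwExampleEtag=",
  "version": 1
}'

# Read policy JSON on stdin; print one "ROLE MEMBER" line per binding whose
# member is a deleted account. Plain awk, so it works where jq is absent.
list_deleted_bindings() {
  awk '
    /"deleted:serviceAccount:/ {
      m = $0; sub(/.*"deleted:/, "deleted:", m); sub(/".*/, "", m)
      pending = pending m "\n"
    }
    /"role":/ {
      r = $0; sub(/.*"role": *"/, "", r); sub(/".*/, "", r)
      n = split(pending, list, "\n")
      for (i = 1; i < n; i++) print r " " list[i]
      pending = ""
    }'
}

# Turn each stale binding into the gcloud command that removes it. The
# commands are printed, not executed, so a reviewer can approve them first.
stale_binding_cleanup() {
  list_deleted_bindings | while read -r role member; do
    printf 'gcloud projects remove-iam-policy-binding %s --member=%s --role=%s\n' \
      "$PROJECT" "$member" "$role"
  done
}

printf '%s\n' "$SAMPLE_POLICY" | stale_binding_cleanup
```

To run it against a real project, replace the sample with `gcloud projects get-iam-policy "$PROJECT" --format=json | stale_binding_cleanup` and review the printed commands before executing them.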
Using the Compute Engine Default Service Account
From the Google Cloud console, open the Navigation menu.
Create a VM instance with the following information:
Name: service-account-test
Label: key: name, value: service-account-role
Region: asia-southeast1; Zone: asia-southeast1-a
Boot disk image: CentOS 7
After creating the VM instance, we can SSH into it from the web browser or with an SSH client. For simplicity we use the browser window.
Check the service account currently attached to the VM instance by running:
Currently, the VM instance is attached to the 674644608098-compute@developer.gserviceaccount.com service account. In addition, when I SSH into the VM, I can list all the buckets in the project.
Now I create a new service account that has no permissions. The service account name is instancemanagedrole@arched-osprey-300404.iam.gserviceaccount.com. Then I SSH into the VM instance and try to list all the buckets.
To allow the list-buckets action to be performed from the VM instance, I add a new permission to the service account by creating an IAM role.
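The same walkthrough can be driven from the command line, which also makes the least-privilege version of it explicit. The script below is an added example and not part of the original note: it creates the permission-less service account, attaches it to the VM (either at creation time or by switching a stopped VM), grants only the `storage.buckets.list` permission through a custom role, and shows the two checks worth running afterwards: asking the metadata server from inside the VM which account it runs as, and listing the account's project-level roles. The project id, zone, VM name, label and account name are the note's own; the custom role id `bucketLister` and the display strings are assumptions. Commands are printed rather than executed unless `RUN_GCP=1` is set.

```shell
#!/bin/sh
# Added example, not from the original note: reproduce the walkthrough with
# gcloud instead of the console, using least privilege from the start.
# Names and the project id come from the note; RUN_GCP=1 executes the commands,
# otherwise they are only printed (dry run) so the script is safe to read and run.
set -eu

PROJECT="arched-osprey-300404"
ZONE="asia-southeast1-a"
VM_NAME="service-account-test"
SA_NAME="instancemanagedrole"
SA_EMAIL="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
ROLE_ID="bucketLister"          # custom role id chosen for this example
SCOPE="https://www.googleapis.com/auth/cloud-platform"

# Execute a command, or just print it when RUN_GCP is not set to 1.
run() {
  if [ "${RUN_GCP:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# 1. A service account with no role bindings: a VM running as it can reach
#    Google APIs, but every request is denied until a role is granted.
create_sa() {
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT" \
    --display-name "VM identity with no inherited permissions"
}

# 2. Create the VM with that account instead of the Compute Engine default
#    account. With the cloud-platform scope, what the VM may call is decided
#    by IAM roles alone rather than by legacy OAuth scopes.
create_vm() {
  run gcloud compute instances create "$VM_NAME" --project "$PROJECT" --zone "$ZONE" \
    --image-family centos-7 --image-project centos-cloud \
    --labels name=service-account-role \
    --service-account "$SA_EMAIL" --scopes "$SCOPE"
}

# 2b. Or switch an existing VM to the account; the VM must be stopped first.
switch_vm_sa() {
  run gcloud compute instances stop "$VM_NAME" --project "$PROJECT" --zone "$ZONE"
  run gcloud compute instances set-service-account "$VM_NAME" --project "$PROJECT" --zone "$ZONE" \
    --service-account "$SA_EMAIL" --scopes "$SCOPE"
  run gcloud compute instances start "$VM_NAME" --project "$PROJECT" --zone "$ZONE"
}

# 3. Grant exactly the one permission `gsutil ls` needs (storage.buckets.list)
#    through a custom role, rather than a broad predefined role.
grant_bucket_list() {
  run gcloud iam roles create "$ROLE_ID" --project "$PROJECT" \
    --title "Bucket lister" --permissions storage.buckets.list --stage GA
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member "serviceAccount:${SA_EMAIL}" --role "projects/${PROJECT}/roles/${ROLE_ID}"
}

# 4a. Run this from inside the VM: the metadata server reports the attached
#     account and only answers requests carrying the Metadata-Flavor header.
show_vm_identity() {
  run curl -s -H 'Metadata-Flavor: Google' \
    http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email
}

# 4b. Project-level roles the account holds; expect only the custom role.
show_sa_roles() {
  run gcloud projects get-iam-policy "$PROJECT" \
    --flatten='bindings[].members' \
    --filter="bindings.members:${SA_EMAIL}" \
    --format='value(bindings.role)'
}

create_sa
create_vm
grant_bucket_list
show_vm_identity
show_sa_roles
```

Run the script once without `RUN_GCP` to review the exact commands, then with `RUN_GCP=1` in a shell that is authenticated to the project; `switch_vm_sa` is provided for the case in the note where the VM already exists and was created with the default account.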