Forbidden error for service accounts on GCP VM instances

0 votes
I am getting a forbidden error for service accounts on GCP VM instances. How do I resolve it?
Oct 17 in GCP by Karan
• 6,060 points
21 views

1 answer to this question.

0 votes

This error can occur when the VM instance does not have the userinfo-email scope.

For example, suppose the VM has the cloud-platform scope but does not have the userinfo-email scope.

When the VM gets an access token, Google Cloud Platform associates that token with the cloud-platform scope. When the Kubernetes API server asks GCP for the identity associated with the access token, it receives the service account's unique ID, not the service account's email.

To authenticate successfully, either create a new VM with the userinfo-email scope or create a new role binding that uses the unique ID.

  • To create a new VM with the userinfo-email scope, run the following command:

    gcloud compute instances create [INSTANCE_NAME] \
        --service-account [SERVICE_ACCOUNT_EMAIL] \
        --scopes userinfo-email
  • To create a new role binding that uses the service account's unique ID for an existing VM, perform the following steps:

  1. Identify the service account's unique ID:

    gcloud iam service-accounts describe [SERVICE_ACCOUNT_EMAIL]
  2. Create a role binding using the unique ID:

    kubectl create clusterrolebinding [CLUSTERROLEBINDING_NAME] \
        --clusterrole cluster-admin \
        --user [UNIQUE_ID]

Hope this helps! 

answered Oct 17 by Sirajul
• 39,540 points
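Added example, not part of the answer above: a Python check that reads the parsed JSON of `gcloud compute instances describe --format=json` and `gcloud iam service-accounts describe --format=json` (sample output constructed here) to flag attached service accounts that lack the userinfo-email scope and pick the RBAC subject the API server will actually see. The `serviceAccounts[].scopes` and `uniqueId` field names and the full scope URI are as gcloud reports them; the project and account names are made up.

```python
import json

# gcloud's "userinfo-email" scope alias expands to this full URI, which is the
# form `gcloud compute instances describe --format=json` reports under
# serviceAccounts[].scopes, so the check must compare against the URI.
USERINFO_EMAIL_SCOPE = "https://www.googleapis.com/auth/userinfo.email"


def accounts_missing_userinfo_email(instance):
    """Return emails of service accounts attached to the VM that lack the
    userinfo-email scope; `instance` is the parsed describe output."""
    return [sa["email"] for sa in instance.get("serviceAccounts", [])
            if USERINFO_EMAIL_SCOPE not in sa.get("scopes", [])]


def rbac_subject(service_account, instance):
    """Name the Kubernetes API server will see for this VM's tokens: the
    email when userinfo-email is granted, otherwise the numeric unique ID
    (`uniqueId` in `gcloud iam service-accounts describe --format=json`)."""
    if service_account["email"] in accounts_missing_userinfo_email(instance):
        return service_account["uniqueId"]
    return service_account["email"]


def clusterrolebinding_args(binding_name, subject, clusterrole="cluster-admin"):
    """Build the kubectl argv as a list so the subject stays one token.
    cluster-admin mirrors the answer above; bind a narrower ClusterRole
    wherever the workload allows it."""
    return ["kubectl", "create", "clusterrolebinding", binding_name,
            "--clusterrole", clusterrole, "--user", subject]


# Constructed sample data standing in for real gcloud output: the VM has
# cloud-platform but not userinfo-email, the situation the answer describes.
SAMPLE_INSTANCE = json.loads("""{
  "name": "example-vm",
  "serviceAccounts": [{
    "email": "vm-sa@example-project.iam.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/cloud-platform"]
  }]
}""")
SAMPLE_SERVICE_ACCOUNT = {
    "email": "vm-sa@example-project.iam.gserviceaccount.com",
    "uniqueId": "123456789012345678901",
}

if __name__ == "__main__":
    print("missing userinfo-email:", accounts_missing_userinfo_email(SAMPLE_INSTANCE))
    subject = rbac_subject(SAMPLE_SERVICE_ACCOUNT, SAMPLE_INSTANCE)
    print(" ".join(clusterrolebinding_args("vm-sa-admin", subject)))
```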
