Linux – permission denied when using service account with Google scp command

google-cloud-platformgoogle-compute-enginelinux

I want to use CircleCI to deploy my code to Compute Engine instance. I have created a Service Account user and use gcloud scp command below:

gcloud --quiet compute scp --recurse dev/test/ [DEST_INSTANCE]:/var/www/dev/dev/test --zone=northamerica-northeast1-a --project [PROJECT_NAME]

to upload files to var subfolder and the deployment fails with the error below:

scp: /var/www/dev/dev/test: Permission denied
ERROR: (gcloud.compute.scp) [/usr/bin/scp] exited with return code [1].
Exited with code 1

Now, I want to grant access to the service account but I don't see it in the list of users to grant access to when I use cat /etc/passwd. How can I grant permission to a service account? The roles I have assigned to this account is:

Best Answer

Please check the service account in use. There's one service account that's default for GCE and created by GCP. The other one is the one you created.

If you're using the one you created, have you authorized login for the service account using the JSON key file?

Related Solutions

Ssh – Unable to SSH Google Cloud Engine instance through gcloud & Putty from Windows 10

OP has resolved this issue by copying his SSH keys to authorized_keys file. This issue can be caused if Google accounts daemon is not running on your VM. This daemon is responsible for syncing ssh keys and user account information between the metadata and VM. For more information on accounts daemon you can visit this link.

How to modify the existing access scope of a Google Cloud Platform service account

I believe eventually you will be able to do this using IAM permissions. At the moment I do not see the options to add Cloud DNS roles in the IAM Console. In order to authorize requests to Cloud DNS you must use one of the scopes describe in this article.

i.e.

https://www.googleapis.com/auth/ndev.clouddns.readwrite
https://cloud.google.com/dns/api/authorization

If you are using the default service account, the scope has to be defined during the VM creation in the scope flag.

i.e.

gcloud compute --project "Myproject" instances create "instance-8" --zone "us-central1-f" --machine-type "n1-standard-1" --network "default" --maintenance-policy "MIGRATE" --scopes default="https://www.googleapis.com/auth/devstorage.full_control","https://www.googleapis.com/auth/ndev.clouddns.readwrite" --image "/debian-cloud/debian-8-jessie-v20161020" --boot-disk-size "10" --boot-disk-type "pd-standard" --boot-disk-device-name "instance-8"

If you associated the VM to a non-default service account during its creation, you can add Editor or Owner permissions to that account in the IAM Console. Nevertheless this might provide a wider scope that the one you are looking for.

Best Answer

Related Solutions

Ssh – Unable to SSH Google Cloud Engine instance through gcloud & Putty from Windows 10

How to modify the existing access scope of a Google Cloud Platform service account

Related Topic