I've set up a cron job on a google compute ubuntu system to take a snapshot. When run from an ssh session, the cron script creates a snapshot fine. However, when run as root from a cron job, the

"gcloud compute disks snapshot"

command fails with the error

"Insufficient Permission: Request had insufficient authentication scopes."

I understand the permission required is compute.disks.createSnapshot and roles which provide this permission are

roles/compute.instanceAdmin
roles/compute.instanceAdmin.v1
roles/compute.storageAdmin

However, when I look at IAM Members for the project I see no root to which I can give the appropriate role. How do I establish root on a VM instance as having the permissions required to create a snapshot?

Gary Aitken

1 Answer

The right way is to run the instance with Service Credentials, and give the roles to it.

See here: Setting up a new instance to run as a service account

Eduardo
  • Not sure I understand. Are you saying I set the crontab user to something like @cloudservices.gserviceaccount.com, assuming that account has the appropriate role? And if so, how do I know what user/group permissions it has in terms of executing a shell script? I don't see any entries in /etc/passwd for service accounts. – Gary Aitken Jun 20 '20 at 05:08
  • I thought I had it figured out: gcloud compute disks snapshot my-disk --snapshot-names=mysnap-name --account=; the service account has roles editor and pubsub.admin; but I get the message "Insufficient Permission: Request had insufficient authentication scopes" – Gary Aitken Jun 21 '20 at 04:01
  • The documentation stated that when launching the instance, you need to specify a service account that you created, with the right roles, in **Identity and API Access** (if using the console). In this way, you don't need to secure the credentials file and use --account argument. Anyway, try these roles: compute.disks.createSnapshot, compute.snapshots.create, compute.snapshots.get, and compute.zoneOperations.get. – Eduardo Jun 22 '20 at 09:50
  • The problem is not the permissions; the google created service account assigned to the VM instance when it was created already has the editor role, which has the needed permissions. The problem appears to be that the "Allow default access" for "Compute Engine" under gcloud API access scope is disabled, and I can't figure out how to enable it. Clicking on the VM instance shows the gcloud API access scopes at the very bottom under "Details", but there is no way to enable them from there. – Gary Aitken Jun 23 '20 at 17:02
  • You have to stop the VM to edit the API access. – Gary Aitken Jun 23 '20 at 17:43
  • Could you get your cron job to run changing the scopes? – Eduardo Jun 24 '20 at 18:57
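The failure mode discussed in the comments (correct IAM role, but the VM's attached service account was launched without a Compute Engine access scope) can be detected before the snapshot call rather than after. The script below is an added example, not code from the question or answer; the disk, snapshot and zone names are placeholders taken from or assumed for this thread.

```shell
#!/bin/sh
# Added example: pre-flight check for a cron-driven snapshot on a Compute Engine VM.
# In an interactive SSH session gcloud normally uses the credentials the user
# authorized with "gcloud auth login"; under cron as root it falls back to the VM's
# attached service account, whose token is limited to the instance's access scopes.
# IAM roles alone therefore do not help if no Compute Engine scope was granted.
# DISK, SNAPSHOT and ZONE are placeholders.

DISK="${DISK:-my-disk}"
SNAPSHOT="${SNAPSHOT:-mysnap-name}"
ZONE="${ZONE:-us-central1-a}"   # placeholder; cron cannot answer gcloud's zone prompt
METADATA='http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default'

# Succeeds when a newline-separated scope list contains a scope that permits
# write access to Compute Engine. "compute.readonly" deliberately does not match.
has_compute_scope() {
    printf '%s\n' "$1" |
        grep -qE '^https://www\.googleapis\.com/auth/(cloud-platform|compute)$'
}

# Ask the metadata server which scopes the attached service account's token carries.
current_scopes() {
    curl -sf -H 'Metadata-Flavor: Google' "$METADATA/scopes"
}

# Exit status 0 only when the snapshot call can pass the scope check; otherwise
# write a clear reason to stderr so the cron mail says what to fix.
ensure_snapshot_scope() {
    scopes=$(current_scopes) || {
        echo "metadata server unreachable: not running on a Compute Engine VM?" >&2
        return 2
    }
    has_compute_scope "$scopes" && return 0
    echo "attached service account has no Compute Engine scope; stop the VM and edit its API access scopes" >&2
    return 1
}

# Invoked from cron as: /path/to/snapshot.sh run
if [ "${1:-}" = "run" ]; then
    ensure_snapshot_scope && gcloud compute disks snapshot "$DISK" \
        --zone "$ZONE" --snapshot-names "$SNAPSHOT"
fi
```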