
I'm trying to create a Compute Engine VM instance sample in Google Cloud that has an associated startup script startup_script.sh. On startup, I would like to have access to files that I have stored in a Cloud Source Repository. As such, in this script, I clone a repository using

gcloud source repos clone <repo name> --project=<project name>

Additionally, startup_script.sh also runs commands such as

gcloud iam service-accounts keys create key.json --iam-account <account>

which creates .json credentials, and

EXTERNAL_IP=$(gcloud compute instances describe sample --format='get(networkInterfaces[0].accessConfigs[0].natIP)' --zone=us-central1-a)

to get the external IP of the VM within the VM. To run these commands without any errors, I found that I need partial or full access to multiple Cloud API access scopes.

If I manually edit the scopes of the VM after I've already created it to allow for this and restart it, startup_script.sh runs fine, i.e. I can see the results of each command completing successfully. However, I would like to assign these scopes upon creation of the VM and not have to manually edit scopes after the fact. I found in the documentation that in order to do this, I can run

gcloud compute instances create sample --image-family=ubuntu-1804-lts --image-project=ubuntu-os-cloud --metadata-from-file=startup-script=startup_script.sh --zone=us-central1-a --scopes=[cloud-platform, cloud-source-repos, default]

When I run this command in the Cloud Shell, however, I can either only add one scope at a time, i.e. --scopes=cloud_platform, or if I try to enter multiple scopes as shown in the command above, I get

ERROR: (gcloud.compute.instances.create) unrecognized arguments:
  cloud-source-repos,
  default]

Adding multiple scopes as the documentation suggests doesn't seem to work. I get a similar error when I use the scope's URI instead of its alias.

Any obvious reasons as to why this may be happening? I feel this may have to do with the service account (or lack thereof) associated with the sample VM, but I'm not entirely familiar with this.

BONUS: Ideally I would like to run the VM creation cloud shell command in a cloudbuild.yaml file, which I have as

steps:
  - name: 'gcr.io/cloud-builders/gcloud'
    entrypoint: gcloud
    args: ['compute', 'instances', 'create', 'sample', '--image-family=ubuntu-1804-lts', '--image-project=ubuntu-os-cloud', '--metadata-from-file=startup-script=startup_sample.sh', '--zone=us-central1-a', '--scopes=[cloud-platform, cloud-source-repos, default]']

I can submit the build using

gcloud builds submit --config cloudbuild.yaml .

Are there any issues with the way I've set up this cloudbuild.yaml?

  • Does your service account have the proper roles? Also, can you try to remove default after cloud repos and see if that changes anything? It states it's an argument error, therefore the syntax is wrong, but it does look fine to me – LukeTerro Nov 19 '20 at 18:52
  • Advice. Compute Engine Scopes limit permissions assigned to the service account. Scopes do not increase/add permissions. Use the "cloud-platform" scope and manage the permissions via roles assigned to the project for the service account. – John Hanley Nov 19 '20 at 23:34

1 Answer


Adding multiple scopes as the documentation suggests doesn't seem to work

Please use this command with --scopes=cloud-platform,cloud-source-repos and not --scopes=[cloud-platform, cloud-source-repos, default]:

gcloud compute instances create sample --image-family=ubuntu-1804-lts --image-project=ubuntu-os-cloud --zone=us-central1-a --scopes=cloud-platform,cloud-source-repos

Created [https://www.googleapis.com/compute/v1/projects/wave25-vladoi/zones/us-central1-a/instances/sample].
NAME    ZONE           MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUS
sample  us-central1-a  n1-standard-1               10.128.0.17  35.238.166.75  RUNNING

Also consider @John Hanley's comment.

marian.vladoi
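For the BONUS part of the question, here is a cloudbuild.yaml that applies the same fix (scopes as one comma-separated value, no brackets or spaces) and follows John Hanley's comment by attaching a dedicated service account whose IAM roles, not the scopes, decide what the startup script may do. This is an added example, not the asker's or answerer's file; the service account name and PROJECT_ID are placeholders you must replace.

```yaml
steps:
  - name: 'gcr.io/cloud-builders/gcloud'
    entrypoint: gcloud
    args:
      - compute
      - instances
      - create
      - sample
      - --image-family=ubuntu-1804-lts
      - --image-project=ubuntu-os-cloud
      - --metadata-from-file=startup-script=startup_script.sh
      - --zone=us-central1-a
      # One flag value, comma-separated: the bracketed, space-separated
      # form from the question is split into stray arguments by gcloud.
      - --scopes=cloud-platform,cloud-source-repos
      # Placeholder: a dedicated service account (assumed name) created
      # beforehand and granted only the roles the startup script needs,
      # e.g. read access to the Cloud Source Repository it clones.
      - --service-account=vm-sample@PROJECT_ID.iam.gserviceaccount.com
```

The Cloud Build service account running this step needs permission to create Compute Engine instances and the Service Account User role on the attached service account, otherwise the create call is rejected.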