-1

I want to run my Google Cloud server every day at specific times. I set up an instance schedule for that, but when I try to link my VM to the schedule it gives me the following error:

Compute Engine System service account service-390738840624@compute-system.iam.gserviceaccount.com needs to have [compute.instances.start] permissions applied in order to perform this operation.

Does anyone know how to solve this?

John Hanley

3 Answers

1

The service account service-390738840624@compute-system.iam.gserviceaccount.com does not have a role with the permission compute.instances.start.

The following IAM roles have the required permission:

  • roles/compute.instanceAdmin
  • roles/compute.instanceAdmin.v1

The following command will add the first role to the service account:

Replace $PROJECT_ID with your Project ID (not the project name).

gcloud projects add-iam-policy-binding $PROJECT_ID \
--member serviceAccount:service-390738840624@compute-system.iam.gserviceaccount.com \
--role roles/compute.instanceAdmin

The account with which you are running the command must have the privilege to grant/modify IAM roles on a service account. If you do not have the correct permissions, you will need to ask the Project Owner or Editor to perform this for you.

John Hanley
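An added check, not part of the original answer: this Python example reads the JSON printed by `gcloud projects get-iam-policy $PROJECT_ID --format=json` and reports whether the Compute Engine System service account holds one of the two roles listed above, keeping conditional bindings separate. The policy shown is a constructed sample, and the function names are hypothetical.

```python
import json

# Roles the answer above lists as containing compute.instances.start.
# Other predefined or custom roles may also carry the permission; this check
# only knows about the two named on the page.
ROLES_WITH_START = {"roles/compute.instanceAdmin", "roles/compute.instanceAdmin.v1"}


def service_agent(project_number):
    """Member string for the Compute Engine System service account."""
    return (f"serviceAccount:service-{project_number}"
            "@compute-system.iam.gserviceaccount.com")


def start_grants(policy, project_number):
    """Return (unconditional_roles, conditional_roles) held by the agent."""
    member = service_agent(project_number)
    plain, conditional = [], []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in ROLES_WITH_START:
            continue
        if member not in binding.get("members", []):
            continue
        # A binding with an IAM condition only applies when the condition
        # matches, so report it separately instead of counting it as a fix.
        (conditional if "condition" in binding else plain).append(binding["role"])
    return sorted(plain), sorted(conditional)


# Constructed sample in the shape printed by
#   gcloud projects get-iam-policy $PROJECT_ID --format=json
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/compute.viewer",
     "members": ["serviceAccount:service-390738840624@compute-system.iam.gserviceaccount.com"]},
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["user:admin@example.com"]}
  ],
  "version": 1
}
""")

if __name__ == "__main__":
    plain, conditional = start_grants(SAMPLE_POLICY, "390738840624")
    print("unconditional:", plain, "conditional:", conditional)
```

In the sample, the role granted to `user:admin@example.com` does not count, because the schedule runs as the service account and not as the user who created it.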
1

The CLI answer works, but in case you don't use the terminal, here are the steps directly on the platform:

  1. Go to IAM.
  2. On the right side of the screen, select "Include Google-provided role grants".
  3. Find the principal that contains the text "compute-system.iam.gserviceaccount.com".
  4. Edit it (with the little pen on the right).
  5. From the popup shown, select "+Add another role", then select the role "Compute Instance Admin" (it can show beta or v1 in the brackets).

This fixed my issue.

Karol Be
  • That 'Google-provided role grants' filter was critical. I just spent so long trying to figure it out. Thanks. – erikreed Dec 15 '22 at 02:57
0

In order to complete the task, GCP is asking you to give the service account “service-390738840624@compute-system.iam.gserviceaccount.com” access to use “compute.instances.start” but the service account doesn't have the right permissions to execute the task.

When you set up an instance to run as a service account, you determine the level of access the service account has by the IAM roles that you grant to the service account. If the service account has no IAM roles, then no API methods can be run by the service account on that instance.

To grant, change, and revoke access to a single service account, please refer to this guide.

Be aware that to manage access to a service account, you need a role that includes the following permissions:

  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy

If you want to know which permissions are included in your account, please refer to this guide.

If you don't have the appropriate access to grant permissions, please refer to your system administrator.

To know more about compute engine roles and permissions, please follow this link.

If you wish to know more about service accounts, please follow this link.

To know more about the process of scheduling compute instances with Google Scheduler, please follow this link.