Permissions required to add a service account to an instance and grant access scopes


Aiswarya Bhavanishankar

Mar 13, 2019, 7:56:47 PM
to gce-discussion
What I am trying to do: With service account A, that has a custom role with a list of permissions, I create a new instance using the insert instance API. I would like to add service account B to the instance being created and grant it certain access scopes. I am setting the appropriate fields in the JSON body.

The API call returns 200 (OK) but fails in the background with 'INVALID_ARGUMENT' and 'SERVICE_ACCOUNT_ACCESS_DENIED' (observed in Stackdriver logs).

Is there a permission I am missing on service account A? Granting Project Editor access to it works, but I would like to narrow down the exact permissions required.

List of permissions service account A has:

  • compute.addresses.create
  • compute.addresses.createInternal
  • compute.addresses.delete
  • compute.addresses.deleteInternal
  • compute.addresses.use
  • compute.addresses.useInternal
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.setLabels
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.images.useReadOnly
  • compute.instances.addAccessConfig
  • compute.instances.attachDisk
  • compute.instances.create
  • compute.instances.delete
  • compute.instances.deleteAccessConfig
  • compute.instances.detachDisk
  • compute.instances.get
  • compute.instances.getIamPolicy
  • compute.instances.list
  • compute.instances.setDeletionProtection
  • compute.instances.setDiskAutoDelete
  • compute.instances.setIamPolicy
  • compute.instances.setLabels
  • compute.instances.setMachineResources
  • compute.instances.setMachineType
  • compute.instances.setMetadata
  • compute.instances.setMinCpuPlatform
  • compute.instances.setScheduling
  • compute.instances.setServiceAccount
  • compute.instances.setShieldedVmIntegrityPolicy
  • compute.instances.setTags
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.instances.update
  • compute.instances.updateAccessConfig
  • compute.instances.updateNetworkInterface
  • compute.instances.updateShieldedVmConfig
  • compute.instances.use
  • compute.networks.get
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regions.list
  • compute.snapshots.create
  • compute.snapshots.delete
  • compute.snapshots.get
  • compute.snapshots.setLabels
  • compute.snapshots.useReadOnly
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.zones.list
  • iam.serviceAccounts.update
  • resourcemanager.projects.get

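A worked check of the permission gap described in the post above, added here as an example and not code from the thread or from Google. It rests on two documented facts: the permissions evaluated against the project for instances.insert (instance and disk creation, image use, subnetwork use with an external IP), and the one evaluated against the service account being attached, `iam.serviceAccounts.actAs`, which is the permission carried by `roles/iam.serviceAccountUser` and is not a `compute.*` permission. The granted-permission set is a constructed subset of the list posted above; the resource names in `build_insert_body` and the scope alias table are illustrative assumptions.

```python
"""Least-privilege check for instances.insert that attaches a second service account.

Added example, not code from the original thread. Permission sets are the
documented ones for creating an instance from an image with a new boot disk on a
subnetwork with an external IP, plus iam.serviceAccounts.actAs, which the caller
needs on the service account it attaches (roles/iam.serviceAccountUser).
"""

# Permissions evaluated against the *project* for the insert itself.
REQUIRED_ON_PROJECT = frozenset({
    "compute.instances.create",
    "compute.disks.create",               # new boot disk
    "compute.images.useReadOnly",         # boot disk created from an image
    "compute.subnetworks.use",            # NIC placed on a subnetwork
    "compute.subnetworks.useExternalIp",  # NIC gets an external address
})

# Permission evaluated against the *attached service account* (B), not the
# project. It is an iam.* permission, so a role made only of compute.*
# permissions can never satisfy it, however complete the compute.* list is.
REQUIRED_ON_ATTACHED_SA = frozenset({"iam.serviceAccounts.actAs"})

# gcloud short aliases; the REST body wants full scope URIs. Constructed subset
# of the documented alias table (assumption: only these four are needed here).
SCOPE_ALIASES = {
    "cloud-platform": "https://www.googleapis.com/auth/cloud-platform",
    "storage-ro": "https://www.googleapis.com/auth/devstorage.read_only",
    "logging-write": "https://www.googleapis.com/auth/logging.write",
    "monitoring-write": "https://www.googleapis.com/auth/monitoring.write",
}


def missing_permissions(granted, required):
    """Return the required permissions absent from granted, sorted."""
    return sorted(set(required) - set(granted))


def normalize_scopes(scopes):
    """Expand gcloud aliases to full scope URIs; reject anything unknown."""
    out = []
    for s in scopes:
        if s.startswith("https://www.googleapis.com/auth/"):
            out.append(s)
        elif s in SCOPE_ALIASES:
            out.append(SCOPE_ALIASES[s])
        else:
            raise ValueError(
                f"unknown scope {s!r}: use a full https://www.googleapis.com/auth/ URI")
    return out


def audit_insert_with_service_account(caller_project_perms, caller_perms_on_sa_b):
    """Report what the caller still lacks, split by the resource each
    permission is evaluated on. A project-level binding is inherited by the
    service account resource, so pass the same set twice if A holds only
    project-level roles."""
    return {
        "project": missing_permissions(caller_project_perms, REQUIRED_ON_PROJECT),
        "service_account_b": missing_permissions(caller_perms_on_sa_b,
                                                 REQUIRED_ON_ATTACHED_SA),
    }


def build_insert_body(name, zone, machine_type, image, subnetwork, sa_email, scopes):
    """Minimal instances.insert body with service account B and its scopes attached."""
    return {
        "name": name,
        "machineType": f"zones/{zone}/machineTypes/{machine_type}",
        "disks": [{"boot": True, "autoDelete": True,
                   "initializeParams": {"sourceImage": image}}],
        "networkInterfaces": [{"subnetwork": subnetwork,
                               "accessConfigs": [{"type": "ONE_TO_ONE_NAT",
                                                  "name": "External NAT"}]}],
        "serviceAccounts": [{"email": sa_email, "scopes": normalize_scopes(scopes)}],
    }


# Constructed sample input: the custom role from the post, reduced to the entries
# this check reads (the remaining compute.* permissions do not change the result).
POSTED_ROLE = frozenset({
    "compute.addresses.use", "compute.disks.create", "compute.images.useReadOnly",
    "compute.instances.create", "compute.instances.setServiceAccount",
    "compute.networks.use", "compute.networks.useExternalIp",
    "compute.subnetworks.use", "compute.subnetworks.useExternalIp",
    "iam.serviceAccounts.update", "resourcemanager.projects.get",
})

if __name__ == "__main__":
    # Service account A holds only the custom role, bound on the project.
    report = audit_insert_with_service_account(POSTED_ROLE, POSTED_ROLE)
    print(report)  # {'project': [], 'service_account_b': ['iam.serviceAccounts.actAs']}
```

Two practitioner notes on the result. `iam.serviceAccounts.update` in the posted role does not substitute for `actAs`: it lets A edit B's display name and metadata, not run workloads as B. And when the missing binding is added, bind `roles/iam.serviceAccountUser` on service account B itself rather than on the project, because a project-level `actAs` lets A launch instances as any service account in the project, including ones with far more privilege than B.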

Jason

Apr 3, 2019, 8:51:13 PM
to gce-discussion
Hello,

As per the attached documentation [1], the best IAM role to have is the "roles/compute.admin" role, which gives full control of Compute Engine resources. I would suggest making sure that you have granted all of the permissions mentioned in the article that the "Compute Admin" role has to Service Account A (including all of the permissions offered that start with "compute.").
