gcloud compute instances set-service-account - set a service account and access scopes for a Compute Engine VM instance
gcloud compute instances set-service-account INSTANCE_NAME [--zone=ZONE] [--scopes=[SCOPE,...] | --no-scopes] [--service-account=SERVICE_ACCOUNT | --no-service-account] [GCLOUD_WIDE_FLAG ...]
gcloud compute instances set-service-account lets you configure a service account and access scopes for a Compute Engine VM instance.
As a best practice, grant the cloud-platform access scope on your VM instance. Then, to restrict resource access, grant only the required IAM roles to the VM instance's service account. For more information, see https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes#best_practices.
To set a service account with the cloud-platform scope, run:
$ gcloud compute instances set-service-account example-instance \
    --scopes=cloud-platform --zone=us-central1-b \
    --service-account=example-account
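The best-practice paragraph above says what to aim for; the script below, added here as an example and not taken from the gcloud reference or from gcloud itself, audits a project's instances for the two configurations that practice moves away from (running as the Compute Engine default service account, which historically receives the project Editor role unless an organization policy disables that grant, and relying on legacy per-API scopes) and prints the set-service-account command that moves each one to a dedicated account with the cloud-platform scope. The --format projection, the tab-and-semicolon line shape it produces, the dedicated-account naming rule and the constructed sample are this example's assumptions. Compute Engine requires the instance to be stopped while its service account is changed, so the printed remediation includes the stop and start steps.

```shell
#!/bin/sh
# Added example (not part of the gcloud reference): audit instances for the
# default compute service account and legacy per-API scopes, and print the
# set-service-account remediation. POSIX sh; only list_instances needs gcloud.

CLOUD_PLATFORM="https://www.googleapis.com/auth/cloud-platform"

# Real input: one instance per line as "name<TAB>zone<TAB>email<TAB>scope;scope",
# which is what the value() format emits (tab between fields, ';' between list
# items). The projection used here is this example's assumption.
list_instances() {
    gcloud compute instances list \
        --format='value(name,zone.basename(),serviceAccounts[].email,serviceAccounts[].scopes)'
}

# Constructed sample in the same shape, for running the audit offline.
sample_instances() {
    printf 'web-1\tus-central1-b\t123456789012-compute@developer.gserviceaccount.com\thttps://www.googleapis.com/auth/devstorage.read_only;https://www.googleapis.com/auth/logging.write\n'
    printf 'worker-2\tus-central1-b\tworker@demo.iam.gserviceaccount.com\t%s\n' "$CLOUD_PLATFORM"
    printf 'batch-3\teurope-west1-c\tbatch@demo.iam.gserviceaccount.com\thttps://www.googleapis.com/auth/compute\n'
    printf 'bastion-4\tus-east1-b\t\t\n'
}

# Print one finding tag per line for NAME ZONE EMAIL SCOPES; print nothing when
# the instance already matches the recommended configuration.
classify() {
    email=$3
    scopes=$4
    if [ -z "$email" ]; then
        echo "no-service-account"      # nothing to harden (the --no-service-account state)
        return 0
    fi
    # The default compute SA is <project-number>-compute@developer.gserviceaccount.com.
    if printf '%s\n' "$email" | grep -Eq '^[0-9]+-compute@developer\.gserviceaccount\.com$'; then
        echo "default-compute-sa"
    fi
    # Anything other than exactly cloud-platform means per-API scopes are still in use.
    if [ "$scopes" != "$CLOUD_PLATFORM" ]; then
        echo "non-cloud-platform-scopes"
    fi
    return 0
}

# Remediation for NAME ZONE NEW_SA: the instance must be stopped while its
# service account is changed, so the stop and start steps are printed too.
remediation() {
    printf 'gcloud compute instances stop %s --zone=%s\n' "$1" "$2"
    printf 'gcloud compute instances set-service-account %s --zone=%s --service-account=%s --scopes=cloud-platform\n' "$1" "$2" "$3"
    printf 'gcloud compute instances start %s --zone=%s\n' "$1" "$2"
}

# Read instance lines on stdin; for every non-compliant instance print its
# findings and the remediation commands. $1: domain of the dedicated service
# accounts (<name>-sa@$1 is this example's naming rule).
audit() {
    sa_domain=$1
    tab=$(printf '\t')
    while IFS="$tab" read -r name zone email scopes; do
        findings=$(classify "$name" "$zone" "$email" "$scopes" | tr '\n' ' ')
        case "$findings" in
            ""|"no-service-account ") continue ;;
        esac
        printf '%s (%s): %s\n' "$name" "$zone" "$findings"
        remediation "$name" "$zone" "${name}-sa@${sa_domain}" | sed 's/^/    /'
    done
}

# Usage on a real project:  list_instances | audit PROJECT_ID.iam.gserviceaccount.com
# Offline demonstration on the constructed sample:
sample_instances | audit demo.iam.gserviceaccount.com
```

The audit only reports; it prints the commands rather than running them so that the dedicated service account can be created and granted its IAM roles first, and so that the stop of a production instance is a deliberate step.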
- INSTANCE_NAME
Name of the instance to operate on. For details on valid instance names, refer to the criteria documented under the field 'name' at: https://cloud.google.com/compute/docs/reference/rest/v1/instances
- --zone=ZONE
Zone of the instance to operate on. If not specified, you might be prompted to select a zone (interactive mode only). gcloud attempts to identify the appropriate zone by searching for resources in your currently active project. If the zone cannot be determined, gcloud prompts you for a selection with all available Google Cloud Platform zones.
To avoid prompting when this flag is omitted, the user can set the compute/zone property:
$ gcloud config set compute/zone ZONE
A list of zones can be fetched by running:
$ gcloud compute zones list
To unset the property, run:
$ gcloud config unset compute/zone
Alternatively, the zone can be stored in the environment variable CLOUDSDK_COMPUTE_ZONE.
- At most one of these can be specified:
- --scopes=[SCOPE,...]
If not provided, the instance will keep the scopes it currently has.
SCOPE can be either the full URI of the scope or an alias, such as cloud-platform for https://www.googleapis.com/auth/cloud-platform (the alias used in the example above). Default scopes are assigned to all instances.
DEPRECATION WARNING: the https://www.googleapis.com/auth/sqlservice access scope and its sql alias do not provide SQL instance management capabilities and have been deprecated. Please use https://www.googleapis.com/auth/sqlservice.admin or sql-admin to manage your Cloud SQL instances.
- --no-scopes
Remove all scopes from the instance
- At most one of these can be specified:
- --service-account=SERVICE_ACCOUNT
A service account is an identity attached to the instance. Its access tokens can be accessed through the instance metadata server and are used to authenticate applications on the instance. The account can be set using an email address corresponding to the required service account. You can explicitly specify the Compute Engine default service account using the 'default' alias.
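After the change, the cleanest check is from inside the VM, against the same metadata server the paragraph above mentions. The script below is an added example and not part of the gcloud reference: metadata.google.internal, the Metadata-Flavor: Google header and the email, scopes and token attributes under instance/service-accounts/default/ are the documented metadata-server interface; the helper functions and the checks they perform are this example's own. It reports which identity and scopes the instance actually received and deliberately never prints the access token itself.

```shell
#!/bin/sh
# Added example (not from the gcloud reference): check, from inside the VM,
# which service account and scopes the metadata server now serves.
MD="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"

# $1: attribute under the default service account (email, scopes, token).
# The Metadata-Flavor header is mandatory; without it the server refuses the request.
metadata_get() {
    curl -sf -H "Metadata-Flavor: Google" "$MD/$1"
}

# Scope URIs on stdin, one per line (the format the scopes attribute uses).
# Succeeds only when the instance has exactly the cloud-platform scope.
scopes_are_cloud_platform_only() {
    scopes=$(grep -v '^[[:space:]]*$' || true)
    [ "$scopes" = "https://www.googleapis.com/auth/cloud-platform" ]
}

# Email on stdin; succeeds if it is the Compute Engine default service account
# (<project-number>-compute@developer.gserviceaccount.com).
is_default_compute_sa() {
    grep -Eq '^[0-9]+-compute@developer\.gserviceaccount\.com$'
}

# Token response on stdin (JSON with access_token, expires_in, token_type);
# prints only the remaining lifetime so the token itself never lands in logs.
token_lifetime_seconds() {
    sed -n 's/.*"expires_in" *: *\([0-9]*\).*/\1/p'
}

verify_instance_identity() {
    email=$(metadata_get email)
    printf 'service account: %s\n' "$email"
    if printf '%s\n' "$email" | is_default_compute_sa; then
        echo "WARN: running as the Compute Engine default service account"
    fi
    if metadata_get scopes | scopes_are_cloud_platform_only; then
        echo "OK: cloud-platform scope only; effective access is set by IAM roles"
    else
        echo "WARN: legacy per-API scopes in use:"
        metadata_get scopes | sed 's/^/    /'
    fi
    printf 'token valid for %s more seconds\n' "$(metadata_get token | token_lifetime_seconds)"
}

# Run on the instance after set-service-account and a restart:
#   verify_instance_identity
```

Any process on the VM that can reach the metadata server can obtain the same token, which is why the identity attached here, not the software running on the instance, decides what the VM can do in the project.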
If not provided, the instance will use the service account it currently has.
- --no-service-account
Remove the service account from the instance
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.