Forbidden error for service accounts on GCP VM instances

0 votes
I am getting a forbidden error for service accounts on GCP VM instances. How do I resolve it?
Oct 17, 2019 in GCP by Karan
 • 19,610 points 1,340 views

1 answer to this question.

0 votes

This error can occur when the VM instance does not have the userinfo-email scope

For example, suppose the VM has cloud-platform scope but does not have userinfo-email scope. 

When the VM gets an access token, Google Cloud Platform associates that token with the cloud-platform scope. When the Kubernetes API server asks GCP for the identity associated with the access token, it receives the service account's unique ID, not the service account's email.

To authenticate successfully, either create a new VM with the userinfo-email scope or create a new role binding that uses the unique ID.

  • To create a new VM with the userinfo-email scope, run the following command:

gcloud compute instances create [INSTANCE_NAME] \
    --service-account [SERVICE_ACCOUNT_EMAIL] \
    --scopes userinfo-email

  • To create a new role binding that uses the service account's unique ID for an existing VM, perform the following steps:

  1. Identify the service account's unique ID:

    gcloud iam service-accounts describe [SERVICE_ACCOUNT_EMAIL]

  2. Create a role binding using the unique ID:

    kubectl create clusterrolebinding [CLUSTERROLEBINDING_NAME] \ --clusterrole cluster-admin \ --user [UNIQUE_ID]

Hope this helps! 

answered Oct 17, 2019 by Sirajul
 • 59,230 points

Related Questions In GCP

0 votes
1 answer

How do I cancel charges? Someone signed up for this service (gcp) on my behalf

Hey @Lior, you can check the history ...READ MORE

answered May 6, 2020 in GCP by Sirajul
 • 59,230 points 915 views
0 votes
1 answer

Should i should down my VM instance on GCP so that I am not billed ? or just closing the remote desktop on GCP is enough?

Continuously make a point to shut down any ...READ MORE

answered Sep 23, 2019 in GCP by Sirajul
 • 59,230 points 2,880 views
0 votes
1 answer

How do I know for how long an instance has been running on GCP?

If you SSH into the instance you ...READ MORE

answered Sep 23, 2019 in GCP by Sirajul
 • 59,230 points 3,442 views
0 votes
1 answer

Creating password for a windows instance on GCP

Windows Server instances use password authentication instead ...READ MORE

answered Sep 24, 2019 in GCP by Sirajul
 • 59,230 points 4,331 views
0 votes
1 answer

Deploying containers on Compute engine's VM instance or using GKE to deploy.

By deploying containers on Compute Engine, you ...READ MORE

answered Sep 26, 2019 in GCP by Sirajul
 • 59,230 points 1,802 views
0 votes
1 answer

Monitor the resource usage in GKE cluster.

Yes, GKE usage metering tracks information about ...READ MORE

answered Oct 17, 2019 in GCP by Sirajul
 • 59,230 points 1,762 views
0 votes
1 answer

How to enable the GKE usage metering?

To enable GKE usage metering, you first create ...READ MORE

answered Oct 17, 2019 in GCP by Sirajul
 • 59,230 points 1,740 views
0 votes
1 answer

How do I create a GKE cluster that can autoscale when needed?

The following command creates a cluster of ...READ MORE

answered Oct 17, 2019 in GCP by Sirajul
 • 59,230 points 1,458 views
0 votes
1 answer

Error while boot of a VM instance on GCP

Secure Boot helps ensure that the system ...READ MORE

answered Oct 23, 2019 in GCP by Sirajul
 • 59,230 points 3,487 views
0 votes
1 answer

How to change a boot disk for a VM instance running on GCP?

In the GCP Console only, you can ...READ MORE

answered Nov 7, 2019 in GCP by Sirajul
 • 59,230 points 6,918 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP
"PMP®","PMI®", "PMI-ACP®" and "PMBOK®" are registered marks of the Project Management Institute, Inc. MongoDB®, Mongo and the leaf logo are the registered trademarks of MongoDB, Inc.