How can we improve Compute Engine?

Ability to change Cloud API access scopes on launched instances

Being able to change access scopes on an already launched instance should already be possible. It is a little ridiculous to have to disable boot disk deletion, delete the instance, and start a new instance (making sure all the other configuration is the same) just to change access scopes to use a feature you had not considered when first creating the instance. This is something that is very easy to do in AWS using IAM roles/instance profiles.

506 votes
Keilan Jackson shared this idea

Hello all, I’m happy to announce that you can now change the service account or access scopes on a stopped VM. This feature is available to all users via a beta command, as documented at https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes

Thanks for your patience while we completed deploying this feature.

Note, we are still planning to add the ability to change scopes on a running VM in a future update (it’s at the very top of our list, we know it is a highly requested feature).

30 comments

  • Admin Paul Nash (Product Manager, GCE, Google) commented

    I made the latest update 11 days ago. Sorry if "soon" was interpreted as meaning "hours", that wasn't the idea. Unfortunately our deployment schedules are very fluid, so we can't give an exact date when this new functionality will be available, but we'll post here when it is.

  • Philip Hutchins commented

    Yeah, definitely would like to see this happen soon. What's the status? Appears like it's been 'coming soon' for quite some time... At least the ability to stop an instance and change API access would suffice.

  • Ngure Nyaga commented

    This one got me today... same story: machine set up with limited scope, then when I needed more I found that I could not add it.

  • Kirill Berezin commented

    Thanks, is there a public date for this feature? Or a possibility to join the testing group?
    In my case, I have read-only access to storage, and it seems I can't change it to read-write.

  • Shahar commented

    Hi and thanks for your comment. Isn't this superseded by the new Role system for instances already?

  • Admin Paul Nash (Product Manager, GCE, Google) commented

    Hi folks,

    This feature is at the top of our stack due to the strong demand represented in feedback here and elsewhere. It is currently in limited testing, and will be deployed more widely in an upcoming release. As our deployment schedule is very fluid, I unfortunately can't offer an exact date. Please hang in there, just a bit longer.

  • Ian Robertson commented

    I just ran into this issue.

    When I first set up my instance, I followed security best practices by limiting access to only what was absolutely required. As I hadn't any need at the time for a service account, I removed it from my instance. I never imagined that it would not let me add it in later.

    In this case, because of the way this currently works, Google is not providing a path for customers to follow security best practices. "Rebuild your system" is not an acceptable solution. The possible solutions should be:
    a. A message appears when a user selects to have no service account, informing of the potential issue.
    b. This issue is fixed with, at the very least, a stop-update-start sequence.

    Please make it a habit to inform customers of any potential issues like this that you may be aware of. Things like this tend to be rather buried in the documentation, and frankly you're only going to learn of them once you've run into a problem. Please place this pertinent information front-and-center when these selections are being made.

  • Ilya Vaiser commented

    Google made a limited product. After VMware it is very difficult to work with. Even just cloning a VM is an adventure. And yet such specific problems :(
