Ability to change Cloud API access scopes on launched instances
Being able to change access scopes on an already launched instance should already be possible. It is a little ridiculous to have to disable boot disk deletion, delete the instance, and start a new instance (making sure all the other configuration is the same) just to change access scopes to use a feature you had not considered when first creating the instance. This is something that is very easy to do in AWS using IAM roles/instance profiles.
Hello all, I’m happy to announce that you can now change the service account or access scopes on a stopped VM. This feature is available to all users via a beta command, as documented at https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes
Thanks for your patience while we completed deploying this feature.
Note, we are still planning to add the ability to change scopes on a running VM in a future update (it’s at the very top of our list, we know it is a highly requested feature).
'soon' ...it has been nearly four years, is this any closer to coming?
Roman Czerwinski commented
Any update on this since EOY 2016?
Jeff Welling commented
It's been over a year since the last update, is there any news to share?
If this is indeed being worked on, could you please post a link to the public Google issue tracker so that we can Star the issue and follow along?
Here's a link to an unrelated issue to demonstrate what I'm talking about: https://issuetracker.google.com/issues/35904733
Thank you kindly in advance!
Is this also possible for GKE cluster node pools?
James Duerden commented
Caught out by this today; glad to see it's being worked on. Keep up the good work! :)
Rosen Simov commented
+3 votes on this "a must feature". Looking forward to it.
I made the latest update 11 days ago. Sorry if "soon" was interpreted as meaning "hours", that wasn't the idea. Unfortunately our deployment schedules are very fluid, so we can't give an exact date when this new functionality will be available, but we'll post here when it is.
Philip Hutchins commented
Yeah, definitely would like to see this happen soon. What's the status? Appears like it's been 'coming soon' for quite some time... At least the ability to stop an instance and change API access would suffice.
Ngure Nyaga commented
This one got me today...same story: machine set up with limited scope then when I need more I found that I could not add.
Kirill Berezin commented
Thanks, is there a public date for this feature? Or a possibility to join the testing group?
In my case, I have read-only access to storage, and it seems I can't change it to read-write.
Hi and thanks for your comment. Isn't this superseded by the new Role system for instances already?
Stanley Cheung commented
Waiting to connect my Cloud SQL with Compute Engine, any update?
This feature is at the top of our stack due to the strong demand represented in feedback here and elsewhere. It is currently in limited testing, and will be deployed more widely in an upcoming release. As our deployment schedule is very fluid, I unfortunately can't offer an exact date. Please hang in there, just a bit longer.
Darryl Steyn commented
Any update on this?
Waiting for... any update?
Robert Navarro commented
Is there any update on this? We keep running into issues with our instances with this.
Lajos Gathy commented
Can't wait to have this feature released.
Ian Robertson commented
I just ran into this issue.
When I first set up my instance, I followed security best practices by limiting access to only what was absolutely required. As I hadn't any need at the time for a service account, I removed it from my instance. I never imagined that it would not let me add it in later.
In this case, because of the way this currently works, Google is not providing a path for customers to follow security best practices. "Rebuild your system" is not an acceptable solution. The possible solutions should be:
a. A message appears when a user selects to have no service account, informing of the potential issue.
b. This issue is fixed with, at the very least, a stop-update-start sequence.
Please make it a habit to inform customers of any potential issues like this that you may be aware of. Things like this tend to be rather buried in the documentation, and frankly you're only going to learn of them once you've run into a problem. Please place this pertinent information front-and-center when these selections are being made.
Duncan Austin commented
Please, please, please, any word on this?