Hello all, I’m happy to announce that you can now change the service account or access scopes on a stopped VM. This feature is available to all users via a beta command, as documented at https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes
Thanks for your patience while we completed deploying this feature.
Note, we are still planning to add the ability to change scopes on a running VM in a future update (it’s at the very top of our list, we know it is a highly requested feature).

Ian Robertson commented
I just ran into this issue.
When I first set up my instance, I followed security best practices by limiting access to only what was absolutely required. As I hadn't any need at the time for a service account, I removed it from my instance. I never imagined that it would not let me add it in later.
In this case, because of the way this currently works, Google is not providing a path for customers to follow security best practices. "Rebuild your system" is not an acceptable solution. The possible solutions should be:
a. A message appears when a user selects to have no service account, informing of the potential issue.
b. This issue is fixed with, at the very least, a stop-update-start sequence.
Please make it a habit to inform customers of any potential issues like this that you may be aware of. Things like this tend to be rather buried in the documentation, and frankly you're only going to learn of them once you've run into a problem. Please place this pertinent information front-and-center when these selections are being made.