如何在设置为服务帐户的 GCP 计算虚拟机上安装监控代理?

How to install monitoring agent on GCP Compute VM that is set to a Service Account?

我将 GCP VM 设置为使用服务帐户,因此在控制台的 VM 实例详细信息中:

Service account

blarg@MYPROJECT.iam.gserviceaccount.com

当我运行安装监控代理的命令时,我看到了这个:

Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.ssh) Could not add SSH key to instance metadata:

  • Required 'compute.instances.setMetadata' permission for 'projects/MYPROJECT/zones/us-central1-a/instances/MYVM'

我在 实例(不是整个项目)上为服务帐户授予 Compute Admin 角色,然后重新 运行.结果更加混乱:

Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.ssh) Could not add SSH key to instance metadata:

  • The user does not have access to service account > 'blarg@MYPROJECT.iam.gserviceaccount.com'. User: 'blarg@MYPROJECT.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account

我是否真的在 服务帐户上 运行t iam.serviceAccountUser 角色 以便它可以使用自己?有没有其他方法可以 运行 脚本 作为我 而不是服务帐户,因为我是一个项目 admin/owner?

根据计算管理员角色的官方文档,这是正确的:

Full control of all Compute Engine resources.

If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.

Link: https://cloud.google.com/compute/docs/access/iam