How to see which Service Account in use by Google Compute VM from terminal? - google-compute-engine

Is there a way to query some ENV variables from the terminal of the Compute VM itself for the service account used by that VM?
This is what I'm looking for but for the Service Account attached to the VM: https://cloud.google.com/shell/docs/how-cloud-shell-works#zone_selection

The details on the service accounts assigned to the Compute Engine instance are available from the Metadata Server. This information can be accessed using the CLI curl from inside the VM.
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts" -H "Metadata-Flavor: Google"

Related

gcloud iam service-accounts list command for SQL instance GCP

Is there any gcloud command in GCP to list GCP SQL instance iam service-accounts. I am able to see in the GCP UI but I need cli command to print it the terminal. Could some one help me on this.
There is no such gcloud command to get only the service account of a SQL instance. If you want to get the account of a specific instance you can run this in Cloud Shell or via the Cloud SDK:
gcloud sql instances describe instanceName | grep "serviceAccountEmailAddress"
The output will then be just the one service account.

What are the differences between various SSH methods in Google Cloud Compute Engine?

I usually SSH into a Google Cloud Compute Engine Instance using my local terminal like:
ssh -i ~/.ssh/[KEY_FILENAME] [USERNAME]@ip_address
where the [KEY_FILENAME] is generated using
ssh-keygen -t rsa -f ~/.ssh/[KEY_FILENAME] -C [USERNAME]
There is also another way to connect to the instance which is through the browser, however I would connect to the instance with a different user account. Is there a way that I can make it consistent regardless of the method I use to connect?
There are several ways to connect to a Linux instance via SSH. The way you are connecting to an instance is via the terminal. You can connect via the Cloud Console Web UI, which is in general the most convenient way to connect to an instance. Also, you can use the Google Cloud SDK and run the command below to connect to an instance via SSH:
gcloud compute ssh [INSTANCE_NAME]
You can also use Cloud Shell to connect your instance from the Cloud Console web UI by using the same command as above. You can connect via the serial console using the Google Cloud Platform Console, the gcloud command-line tool, or a third-party SSH client. The serial console authenticates users with SSH keys. Specifically, you must add your public SSH key to the project or instance metadata, and store your private key on the local machine from which you want to connect. There are other advanced methods to connect to an instance which you can find at this link.
By default, the gcloud compute command-line tool uses the $USER variable to add users to the /etc/passwd file for connecting to virtual machine instances using SSH. You can specify a different user using the --ssh-key-file PRIVATE_KEY_FILE flag when running the gcloud compute ssh command. Depending on your use case and convenience, you can use any method consistently.

Scopes required for executing "gcloud container clusters create" on GCE VM instance

I am trying to create a GKE cluster by executing the following command on a GCE VM instance:
sudo gcloud container clusters create my-cluster \
--machine-type g1-small --num-nodes 1
Execution fails with this error message (despite kubectl being installed):
WARNING: Accessing a Container Engine cluster requires the kubernetes commandline client [kubectl].
ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Request had insufficient authentication scopes.
This problem is perhaps caused by the VM instance not possessing enough scopes. It currently possesses the following ones. Which other scope(s) are required in order for the problem to disappear?
Google Container Engine requires the https://www.googleapis.com/auth/cloud-platform scope, so you'll need to select "Allow full access to all Cloud APIs" when you create the VM instance.
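Putting this answer together with the metadata-server answer to the first question: an added example, not code from any of the answers above, that queries the metadata server from inside the VM for the attached service account, lists its scopes, and reports whether the cloud-platform scope required here is present. The paths `default/email` and `default/scopes` under `instance/service-accounts/` are documented metadata paths; the `report` argument convention is my own.

```shell
#!/bin/bash
# Added example (not from the original answers): ask the metadata server which
# service account is attached to this VM and whether its OAuth scopes include
# the cloud-platform scope that "gcloud container clusters create" needs.
set -eu

MD_BASE="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts"
REQUIRED_SCOPE="https://www.googleapis.com/auth/cloud-platform"

# md_get <path>: GET a metadata path. The Metadata-Flavor header is mandatory;
# without it the server refuses the request (a guard against naive SSRF).
md_get() {
  curl -sf -H "Metadata-Flavor: Google" "$MD_BASE/$1"
}

# has_scope <newline-separated scopes> <scope>: exact whole-line match, so a
# scope such as .../auth/cloud-platform.read-only does not pass as cloud-platform.
has_scope() {
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

# scope_verdict <scopes>: prints "full" when the required scope is present,
# otherwise prints "limited" and returns 1.
scope_verdict() {
  if has_scope "$1" "$REQUIRED_SCOPE"; then
    echo "full"
  else
    echo "limited"
    return 1
  fi
}

# report: live query; only works on a Compute Engine VM (needs the metadata server).
report() {
  echo "Service accounts attached to this VM:"
  md_get "" | sed 's/^/  /'
  echo "Default account: $(md_get default/email)"
  scopes="$(md_get default/scopes)"
  echo "Scopes:"
  printf '%s\n' "$scopes" | sed 's/^/  /'
  scope_verdict "$scopes" || echo "Missing $REQUIRED_SCOPE: recreate the VM with 'Allow full access to all Cloud APIs'."
}

# Only run the live query when invoked as "./sa_check.sh report".
if [ "${1:-}" = "report" ]; then report; fi
```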

Automatically start gcloud sql proxy when google compute engine VM starts

I'm using google compute engine and have an auto scaling instance group that spins up new VMs as needed all sitting behind a load balancer. I'm also using google's cloud SQL in the same project. The VMs need to connect to the cloud SQL instance.
Since the IPs of the VMs are dynamic I can't just plug in the IPs to the SQL access config so I followed the cloud sql proxy setup along with the notes from this very similar question:
How to connect from a pool of Google Compute Engine instances to Cloud SQL DB in the same project?
I can now log into a single test VM and run:
./cloud_sql_proxy -instances=PROJ_NAME:TIMEZONE:SQL_NAME=tcp:3306
and everything works great and that VM connects to the cloud SQL instance.
The next step is where I'm having issues. How can I set up the VM so it automatically starts the proxy when it's either built from an instance template or just restarted? The obvious answer seems to be to shove the above in the VM's start-up script, but that doesn't seem to be working. So with my single test VM I can SSH into the VM and manually run the cloud_sql_proxy command and all works. If I then include the below in my start-up script and restart the VM it doesn't connect:
#! /bin/bash
./cloud_sql_proxy -instances=PROJ_NAME:TIMEZONE:SQL_NAME=tcp:3306
Any suggestions? I seriously can't believe it's this hard to connect to the SQL cloud from a VM in the same project...
The startup script you have shown doesn’t show the download step of the cloud_sql_proxy.
You need to first download and then launch the proxy. So, your startup script should look like:
sudo wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64
sudo mv cloud_sql_proxy.linux.amd64 cloud_sql_proxy
sudo chmod +x cloud_sql_proxy
sudo ./cloud_sql_proxy -instances=PROJ_NAME:TIMEZONE:SQL_NAME=tcp:3306 &
I chose crontab to run cloud_sql_proxy automatically when the VM starts up.
crontab -e
and add
@reboot cloud_sql_proxy blah blah.
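An alternative to backgrounding the proxy with `&` or a crontab `@reboot` line, added here as an example and not taken from either answer: a startup script that installs the proxy as a systemd service, so it runs as a dedicated unprivileged user instead of root, is restarted on failure, and listens on localhost only. It assumes a Debian/Ubuntu-style image with systemd and keeps the question's `PROJ_NAME:TIMEZONE:SQL_NAME` connection-name placeholder; the `install` argument guard is mine.

```shell
#!/bin/bash
# Added example (not from the original answers): install the Cloud SQL proxy
# as a systemd unit from a Compute Engine startup script. Startup scripts
# already run as root, so no sudo is needed; the proxy itself is dropped to an
# unprivileged system user.
set -eu

INSTANCES="${CLOUD_SQL_INSTANCES:-PROJ_NAME:TIMEZONE:SQL_NAME=tcp:127.0.0.1:3306}"
PROXY_URL="https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64"
PROXY_BIN="/usr/local/bin/cloud_sql_proxy"
PROXY_USER="cloudsqlproxy"

# render_unit <instances>: print the systemd unit so it can be inspected or tested.
render_unit() {
  cat <<EOF
[Unit]
Description=Cloud SQL proxy
After=network-online.target
Wants=network-online.target

[Service]
User=$PROXY_USER
ExecStart=$PROXY_BIN -instances=$1
Restart=on-failure
NoNewPrivileges=true
ProtectSystem=strict

[Install]
WantedBy=multi-user.target
EOF
}

# install_proxy: idempotent, since a startup script runs on every boot.
install_proxy() {
  id "$PROXY_USER" >/dev/null 2>&1 || useradd --system --no-create-home --shell /usr/sbin/nologin "$PROXY_USER"
  if [ ! -x "$PROXY_BIN" ]; then
    wget -q -O "$PROXY_BIN.tmp" "$PROXY_URL"
    chmod 0755 "$PROXY_BIN.tmp"
    mv "$PROXY_BIN.tmp" "$PROXY_BIN"
  fi
  render_unit "$INSTANCES" > /etc/systemd/system/cloud_sql_proxy.service
  systemctl daemon-reload
  systemctl enable --now cloud_sql_proxy.service
}

# Only perform the install when invoked as "./proxy_setup.sh install".
if [ "${1:-}" = "install" ]; then install_proxy; fi
```

Startup scripts receive no arguments, so when the file is used as the startup-script metadata value, replace the final guard with a bare `install_proxy` call.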

Using service accounts on Compute Engine instances

I'm trying to do gcloud init on my fresh GCE instance using a service account that I've created in the Developers Console. In the Developers Console, I see a few service accounts under Permissions, which I can't generate private key files for; I also see a service account that I made under Service accounts which I can get private keys for.
When I do gcloud init on the GCE instance, under "Pick credentials to use", I only see the service accounts in the Permissions tab (for which I don't have private keys). I'd like to use the service account that I have private keys for.
I can log in with my personal account for now, but this isn't scalable. Any advice?
You can use gcloud auth activate-service-account command to get credentials via the private key for a service account. For more information and example please visit this link.
Elaborating on @Kamaran's answer after further discussion.
The basic solution is to enable the service account on the GCE instance.
First use gcloud compute copy-files <private json key file> <instance name>:remote/path/to/key to copy the file to the remote instance. Then run gcloud auth activate-service-account <service account address> --key-file remote/path/to/key command on the remote. The new service account will then be available in the gcloud init menu.