google-cloud-java
[attachDiskAsync]: Attach disk does not work unless "iam.serviceAccounts.actAs" permission is set
Environment details
- [attachDiskAsync]: Attach disk does not work unless "iam.serviceAccounts.actAs" permission is set
- OS type and version: Linux amd64-64-Bit
- Java version: 11.0.19
- Version(s): Compute 1.38.0
Steps to reproduce
- Set permissions to include "compute.instances.attachDisk", then attempt to attach a disk to a VM using "attachDiskAsync". It will fail, and in the operation details there is a message that the user does not have access to a different service account.
- Now add permission "iam.serviceAccounts.actAs" and try it again. It now works.
- Other operations such as "create disk", "detach disk", "start instance", "stop instance" all work without this super permission.
- This high level permission should not be required when the appropriate "compute.instances.attachDisk" permission is already set.
Code example
// example
Stack trace
Any relevant stacktrace here.
External references such as API reference guides
- ?
Any additional information below
Would you be able to share a repro (project or code sample) so I can run to replicate this issue? Or a guide if you were following a guide for running this inside Compute?
Also, could you share the stacktrace?
Thanks Lawrence, from the SDK call to “attachDiskAsync”, the stack trace was not very informative, but the image that I shared below on the operations console had a more detailed error that outlined the permissions issue. This is the stack trace.
Here is a code snippet on how we attach the disks to the instance:
// NOTE: the method name and the first @Nonnull annotation were masked as "***@***.***"
// in the original post; "attachDiskToInstance" is a placeholder, not the real name.
public Operation attachDiskToInstance(
        @Nonnull String projectId,
        @Nonnull String zone,
        @Nonnull String instanceName,
        boolean isBootDisk,
        boolean forceAttach,
        boolean autoDelete,
        @Nonnull String diskLink,
        @Nonnull String mode,
        @Nullable String deviceName
) throws IOException, InterruptedException, ExecutionException {
    // sdkClientSession and createInstancesClient are the poster's own helpers (not shown)
    final InstancesClient client = sdkClientSession.getOrCreateSdkClient(
            InstancesClient.class, this::createInstancesClient);
    AttachedDisk.Builder attachedDisk = AttachedDisk.newBuilder()
            .setSource(diskLink)
            .setMode(mode);
    if (isBootDisk) {
        attachedDisk.setBoot(true);
    }
    if (forceAttach) {
        attachedDisk.setForceAttach(true);
    }
    if (autoDelete) {
        attachedDisk.setAutoDelete(true);
    }
    if (!Strings.isNullOrEmpty(deviceName)) {
        attachedDisk.setDeviceName(deviceName);
    }
    AttachDiskInstanceRequest attachDiskInstanceRequest = AttachDiskInstanceRequest.newBuilder()
            .setProject(projectId)
            .setZone(zone)
            .setInstance(instanceName)
            .setAttachedDiskResource(attachedDisk.build())
            .build();
    // attachDiskAsync returns an operation future; get() blocks until the zonal operation finishes
    return client.attachDiskAsync(attachDiskInstanceRequest).get();
}
Aalim Lakhani IBM Toronto Software Lab
but the image that I shared below on the operations console had a more detailed error that outlined the permissions issue
I am unable to see an image on GH (might not have uploaded to GH).
Looking at the IAM permissions: https://cloud.google.com/compute/docs/access/iam#compute.instanceAdmin.v1, I don't think anything is special regarding compute.instances.attachDisk. From this section (https://cloud.google.com/compute/docs/access/iam#the_serviceaccountuser_role), it seems like you wouldn't need to add serviceAccounts.actAs.
Was this something that had been working previously and suddenly failed? Or perhaps you added new permissions but the changes didn't propagate yet?
Thanks Lawrence, we have only recently started using these APIs, so there was no previous usage scenario. We didn’t change anything recently. Other related operations such as detachDisk work, but attachDisk seems to have different behavior.
Aalim Lakhani IBM Toronto Software Lab
I see. I will try to create a repro for the behavior above.
Also, if you have a support plan, feel free to reach out to our support hub for faster response times.
My simple repro:
String projectId = "{PROJECT_ID}";
String zone = "us-central1-a";
String instanceName = "{INSTANCE}";
try (InstancesClient instancesClient = InstancesClient.create()) {
    AttachedDisk attachedDisk = AttachedDisk.newBuilder()
            .setSource("projects/{PROJECT_ID}/zones/us-central1-a/disks/{DISK_ID}")
            .build();
    AttachDiskInstanceRequest attachDiskInstanceRequest = AttachDiskInstanceRequest.newBuilder()
            .setProject(projectId)
            .setZone(zone)
            .setInstance(instanceName)
            .setAttachedDiskResource(attachedDisk)
            .build();
    Operation operation = instancesClient.attachDiskAsync(attachDiskInstanceRequest).get();
    System.out.println(operation);
} catch (IOException e) {
    throw new RuntimeException(e);
} catch (ExecutionException e) {
    throw new RuntimeException(e);
} catch (InterruptedException e) {
    throw new RuntimeException(e);
}
Result:
id: {ID}
kind: "compute#operation"
name: "operation-1234"
...
zone: "https://www.googleapis.com/compute/v1/projects/{PROJECT_ID}/zones/us-central1-a"
target_link: "https://www.googleapis.com/compute/v1/projects/{PRPJECT_ID}/zones/us-central1-a/instances/{INSTANCE}}"
...
self_link: "https://www.googleapis.com/compute/v1/projects/{PRPJECT_ID}/zones/us-central1-a/operations/operation-1234"
I just checked inside the console and I see that my disk is in use by the instance. Can you double check your permissions?
Thanks for your reply Lawrence, I’m not sure if you saw the problem detail that I sent Bharat. We have an environment like the following:
We have a service account that is granted three roles. These roles have some assigned permissions. We are noticing that unless one of these roles has the "iam.serviceAccounts.actAs" permission assigned, the SDK operation to attach a disk to an instance does not work, even though one of the permissions on the same role is "compute.instances.attachDisk". As I mentioned, other very similar operations (including detaching disks) do not have this same behavior.
So we do not have a single user with the permission, but instead a service account that is granted three roles, and these roles have the permissions. It is in this scenario that we see “attachDisk” fail unless we give “actAs” to one of the roles.
Aalim Lakhani IBM Toronto Software Lab
Hi Lawrence, just checking in to see if you have had a chance to try out the scenario using the service account structure that I have described below? We are able to consistently reproduce this issue. Thanks
We have a service account that is granted three roles. These roles have some assigned permissions. We are noticing that unless one of these roles has the "iam.serviceAccounts.actAs" permission assigned, the SDK operation to attach a disk to an instance does not work, even though one of the permissions on the same role is "compute.instances.attachDisk". As I mentioned, other very similar operations (including detaching disks) do not have this same behavior.
Aalim Lakhani IBM Toronto Software Lab
Hi, sorry, I wasn't able to look at this issue earlier. I see the comment you copied below (apologies, I may have missed that above, but GH is doing something weird with your emails and I have to manually expand our conversation).
We have a service account that is granted with three roles. If I'm understanding this correctly, one of those roles is compute.instanceadmin.v1 (https://cloud.google.com/compute/docs/access/iam#compute.instanceAdmin.v1), correct? From reading the docs, that should have the attachDisk permission.
I see from the section above in the same page: https://cloud.google.com/compute/docs/access/iam#the_serviceaccountuser_role, it talks about also granting roles/iam.serviceAccountUser. Can you check that this role is also granted to the Service Account? It specifically calls out "Attach a persistent disk to an instance that runs as a service account.", so my assumption is that attaching a disk requires the additional iam.serviceAccounts.actAs permission.
I can run the local repro with the roles SA structure you mentioned above.
Thanks for replying Lawrence, maybe it's terminology, but I think we are talking about slightly different things. We do not specifically grant the role “compute.instanceadmin.v1”; also, the docs that you reference say: “Attach a persistent disk to an instance that runs as a service account.” I don’t think we are doing that. I’m not sure what it means for an instance to “run as a service account”, but this instance is just a normal instance created by a user. There is no configuration that I can see that shows that it is running as a service account.
To elaborate on our config. We have a service account that is bound to three separate custom roles. These are not roles from GCP, but roles that we created. Each of these roles has a set of permissions applied to it. On one of these roles, we have the permission to attach a disk, but we need to add “actAs” as a permission on one of these roles, to get the attach to work.
If I select the service account from the list on the console and click on “Permissions -> View Access -> Analyze -> Run Query”, I see that the Results list has three rows, with the Principal as the service account, and the “Role grant” column containing the three custom roles that I mentioned above. If I click the “View Binding” link, I see that each of these roles has several members, and one of these members is this service account.
I hope this description helps you to understand the configuration. I would be happy to meet with you to show you in a call, if this would help. Thanks.
Aalim Lakhani IBM Toronto Software Lab
Gotcha. I think we are on the same page regarding the configs and your setup, but let me know if I'm misunderstanding anything.
You may have custom configs for your use case and I was referring to the docs as they provide general GCP defaults (general roles that can be used if you're not creating custom ones). The compute.instanceadmin.v1 role contains the attachDisk permission (screenshot of the docs). If one of the three roles that the SA is assigned to contains this, then we should be good on this permission. I believe from your comments above, this is the case.
There is no configuration that I can see that shows that it is running as a service account.
I have a question regarding how you're using the SA and our client library. I believe you're using the google-cloud-compute client library v1.38.0 and most likely authenticating with the SA Key: https://github.com/googleapis/google-cloud-java/?tab=readme-ov-file#using-a-service-account-recommended (i.e. most likely setting the GOOGLE_APPLICATION_CREDENTIALS with the path to the SA Key), right? You would be authenticating as the Service Account and would have access to anything the SA does.
The reason why I'm asking the question above is that I believe our docs are suggesting that the SA will need the additional role roles/iam.serviceAccountUser to run these actions (screenshot of the docs), with one of them being attaching a disk. Or specifically, your SA would at least need the additional permission iam.serviceAccounts.actAs (screenshot of the docs). Your SA wouldn't have compute.instanceadmin.v1 specifically, but rather three custom roles in your project.
From the docs above, I believe the behavior you're experiencing is intended, but let me know if you see otherwise for other docs or guides or anything else.
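As an added example (not code from this thread or from the google-cloud-java project), the following preflight check makes the point above testable: it asks Compute which of the required permissions the calling identity actually holds on the instance, then asks IAM whether that identity may act as each service account the instance runs as, and reports what is missing before any attach is attempted. It assumes the google-cloud-compute and google-iam-admin (IAMClient) artifacts are on the classpath and that Application Default Credentials (for example GOOGLE_APPLICATION_CREDENTIALS pointing at the service account under test) are configured; the class and method names are my own.

```java
import com.google.cloud.compute.v1.Instance;
import com.google.cloud.compute.v1.InstancesClient;
import com.google.cloud.compute.v1.ServiceAccount;
import com.google.cloud.compute.v1.TestPermissionsRequest;
import com.google.cloud.compute.v1.TestPermissionsResponse;
import com.google.cloud.iam.admin.v1.IAMClient;
import com.google.iam.v1.TestIamPermissionsResponse;

import java.io.IOException;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (hypothetical class, not part of google-cloud-java): explains an
 * attachDisk denial up front instead of leaving it to the operation's error detail.
 * The caller is whatever identity ADC resolves to, e.g. the service account whose
 * key is referenced by GOOGLE_APPLICATION_CREDENTIALS.
 */
public final class AttachDiskPreflight {
    static final String ATTACH_DISK = "compute.instances.attachDisk";
    static final String ACT_AS = "iam.serviceAccounts.actAs";

    private AttachDiskPreflight() {}

    /** Returns a human-readable list of missing permissions; empty means attachDisk should be authorized. */
    public static List<String> missingPermissions(String projectId, String zone, String instanceName)
            throws IOException {
        List<String> missing = new ArrayList<>();
        try (InstancesClient instances = InstancesClient.create();
             IAMClient iam = IAMClient.create()) {

            // 1. Instance-level check: does the caller hold compute.instances.attachDisk on this VM?
            //    testIamPermissions returns only the subset of requested permissions the caller has.
            TestPermissionsRequest req = TestPermissionsRequest.newBuilder()
                    .addPermissions(ATTACH_DISK)
                    .build();
            TestPermissionsResponse resp = instances.testIamPermissions(projectId, zone, instanceName, req);
            if (!resp.getPermissionsList().contains(ATTACH_DISK)) {
                missing.add(ATTACH_DISK + " on instance " + instanceName);
            }

            // 2. Service-account check: an instance "runs as" every service account attached to it
            //    (Instance.serviceAccounts). Attaching a disk then requires actAs on each of them.
            Instance instance = instances.get(projectId, zone, instanceName);
            Set<String> emails = new LinkedHashSet<>();
            for (ServiceAccount sa : instance.getServiceAccountsList()) {
                emails.add(sa.getEmail());
            }
            for (String email : emails) {
                // "projects/-" lets IAM resolve the project from the service account email.
                String resource = "projects/-/serviceAccounts/" + email;
                TestIamPermissionsResponse saResp = iam.testIamPermissions(resource, List.of(ACT_AS));
                if (!saResp.getPermissionsList().contains(ACT_AS)) {
                    missing.add(ACT_AS + " on service account " + email);
                }
            }
            if (emails.isEmpty()) {
                System.out.println("Instance has no attached service account; actAs is not required.");
            }
        }
        return missing;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder values, same convention as the repro in the thread.
        List<String> missing = missingPermissions("{PROJECT_ID}", "us-central1-a", "{INSTANCE}");
        if (missing.isEmpty()) {
            System.out.println("Caller holds every permission attachDisk needs.");
        } else {
            System.out.println("attachDisk would be denied; grant the caller:");
            for (String p : missing) {
                System.out.println("  - " + p);
            }
        }
    }
}
```

Running it as the service account that carries the three custom roles shows directly whether the denial comes from the instance permission or from actAs on the VM's own service account, which is the distinction the thread turns on.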
Thanks Lawrence, generally what you are saying makes sense, but I am having a little trouble understanding how to add the “roles/iam.serviceAccountUser” and then give this the “attachDisk” action. This is probably because I am not that familiar with configuring IAM access in GCP.
I’ll run this past some of the devs here that may be able to interpret this better than me. If you have any suggestions or info on how to best attach this role and permission to an existing service account please let me know.
Aalim Lakhani IBM Toronto Software Lab
From my understanding of our conversation above, I think that one of the roles linked to your SA already has the attachDisk permission, so nothing needs to be done for that.
Unless there is a new GCP policy, I don't think you can directly add a permission to a SA. Rather, I think the correct action(s) would be to:
- Modify one of the existing roles to include the iam.serviceAccounts.actAs permission
- Create a new custom role that has the iam.serviceAccounts.actAs permission
I think this guide might be helpful: https://cloud.google.com/iam/docs/manage-access-service-accounts#single-role
Closing due to no response and @lqiu96's context on managing service account access. @aalimlakhani please feel free to re-open this issue if you have any further questions!