gcloud compute instances set-service-account

NAME
gcloud compute instances set-service-account - set a service account and access scopes for a Compute Engine VM instance
SYNOPSIS
gcloud compute instances set-service-account INSTANCE_NAME [--zone=ZONE] [--scopes=[SCOPE,…] | --no-scopes] [--service-account=SERVICE_ACCOUNT | --no-service-account] [GCLOUD_WIDE_FLAG]
DESCRIPTION
gcloud compute instances set-service-account lets you configure a service account and access scopes for a Compute Engine VM instance.

As a best practice, grant the cloud-platform access scope on your VM instance. Then, to restrict resource access, grant only the required IAM roles to the VM instance's service account. For more information, see https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes#best_practices.

EXAMPLES
To set a service account with the cloud-platform scope, run:
gcloud compute instances set-service-account example-instance --scopes=cloud-platform --zone=us-central1-b --service-account=example-account
POSITIONAL ARGUMENTS
INSTANCE_NAME
Name of the instance to operate on. For details on valid instance names, refer to the criteria documented under the field 'name' at: https://cloud.google.com/compute/docs/reference/rest/v1/instances
FLAGS
--zone=ZONE
Zone of the instance to operate on. If not specified, you might be prompted to select a zone (interactive mode only). gcloud attempts to identify the appropriate zone by searching for resources in your currently active project. If the zone cannot be determined, gcloud prompts you for a selection with all available Google Cloud Platform zones.

To avoid prompting when this flag is omitted, the user can set the compute/zone property:

gcloud config set compute/zone ZONE

A list of zones can be fetched by running:

gcloud compute zones list

To unset the property, run:

gcloud config unset compute/zone

Alternatively, the zone can be stored in the environment variable CLOUDSDK_COMPUTE_ZONE.

At most one of these can be specified:
--scopes=[SCOPE,…]
If not provided, the instance will keep the scopes it currently has.

SCOPE can be either the full URI of the scope or an alias. Default scopes are assigned to all instances. Available aliases are:

Alias                   URI
bigquery                https://www.googleapis.com/auth/bigquery
cloud-platform          https://www.googleapis.com/auth/cloud-platform
cloud-source-repos      https://www.googleapis.com/auth/source.full_control
cloud-source-repos-ro   https://www.googleapis.com/auth/source.read_only
compute-ro              https://www.googleapis.com/auth/compute.readonly
compute-rw              https://www.googleapis.com/auth/compute
datastore               https://www.googleapis.com/auth/datastore
default                 https://www.googleapis.com/auth/devstorage.read_only
                        https://www.googleapis.com/auth/logging.write
                        https://www.googleapis.com/auth/monitoring.write
                        https://www.googleapis.com/auth/pubsub
                        https://www.googleapis.com/auth/service.management.readonly
                        https://www.googleapis.com/auth/servicecontrol
                        https://www.googleapis.com/auth/trace.append
gke-default             https://www.googleapis.com/auth/devstorage.read_only
                        https://www.googleapis.com/auth/logging.write
                        https://www.googleapis.com/auth/monitoring
                        https://www.googleapis.com/auth/service.management.readonly
                        https://www.googleapis.com/auth/servicecontrol
                        https://www.googleapis.com/auth/trace.append
logging-write           https://www.googleapis.com/auth/logging.write
monitoring              https://www.googleapis.com/auth/monitoring
monitoring-read         https://www.googleapis.com/auth/monitoring.read
monitoring-write        https://www.googleapis.com/auth/monitoring.write
pubsub                  https://www.googleapis.com/auth/pubsub
service-control         https://www.googleapis.com/auth/servicecontrol
service-management      https://www.googleapis.com/auth/service.management.readonly
sql (deprecated)        https://www.googleapis.com/auth/sqlservice
sql-admin               https://www.googleapis.com/auth/sqlservice.admin
storage-full            https://www.googleapis.com/auth/devstorage.full_control
storage-ro              https://www.googleapis.com/auth/devstorage.read_only
storage-rw              https://www.googleapis.com/auth/devstorage.read_write
taskqueue               https://www.googleapis.com/auth/taskqueue
trace                   https://www.googleapis.com/auth/trace.append
userinfo-email          https://www.googleapis.com/auth/userinfo.email
DEPRECATION WARNING: https://www.googleapis.com/auth/sqlservice account scope and sql alias do not provide SQL instance management capabilities and have been deprecated. Please, use https://www.googleapis.com/auth/sqlservice.admin or sql-admin to manage your Google SQL Service instances.
--no-scopes
Remove all scopes from the instance
At most one of these can be specified:
--service-account=SERVICE_ACCOUNT
A service account is an identity attached to the instance. Its access tokens can be accessed through the instance metadata server and are used to authenticate applications on the instance. The account can be set using an email address corresponding to the required service account. You can explicitly specify the Compute Engine default service account using the 'default' alias.

If not provided, the instance will use the service account it currently has.

--no-service-account
Remove service account from the instance
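
Added example, not part of the gcloud reference: a Python audit over instance JSON (the shape returned by gcloud compute instances list --format=json) that flags VMs departing from the best practice in DESCRIPTION and builds the set-service-account command to correct them. The sample data, the replacement account name and the policy of flagging the default service account are assumptions of this example.

```python
import shlex

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
# Email suffix of the Compute Engine default service account ('default' alias).
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"

# Constructed sample shaped like `gcloud compute instances list --format=json`,
# reduced to the fields used below; every name and email is made up.
ZONE = "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b"
SAMPLE = [
    {"name": "web-1", "zone": ZONE, "serviceAccounts": [
        {"email": "123456789012-compute@developer.gserviceaccount.com",
         "scopes": [CLOUD_PLATFORM]}]},
    {"name": "batch-1", "zone": ZONE, "serviceAccounts": [
        {"email": "batch@example-project.iam.gserviceaccount.com",
         "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
                    "https://www.googleapis.com/auth/logging.write"]}]},
    {"name": "api-1", "zone": ZONE, "serviceAccounts": [
        {"email": "api@example-project.iam.gserviceaccount.com",
         "scopes": [CLOUD_PLATFORM]}]},
    {"name": "isolated-1", "zone": ZONE}]  # last entry: no service account attached

def findings(instance):
    """Return the findings for one instance; an empty list means none."""
    accounts = instance.get("serviceAccounts") or []
    if not accounts:
        return []  # no attached identity, so no tokens on the metadata server
    scopes = accounts[0].get("scopes") or []
    found = []
    if accounts[0]["email"].endswith(DEFAULT_SA_SUFFIX):
        found.append("default-service-account")  # identity shared between VMs
    if scopes and CLOUD_PLATFORM not in scopes:
        found.append("no-cloud-platform-scope")  # access capped by per-API scopes
    return found

def remediation(instance, replacement_sa):
    """Build the set-service-account command (syntax from this page)."""
    email = instance["serviceAccounts"][0]["email"]
    if email.endswith(DEFAULT_SA_SUFFIX):
        email = replacement_sa  # assumption: a dedicated account already exists
    zone = instance["zone"].rsplit("/", 1)[-1]  # the API returns the zone as a URL
    return shlex.join(["gcloud", "compute", "instances", "set-service-account",
                       instance["name"], f"--zone={zone}",
                       f"--service-account={email}", "--scopes=cloud-platform"])

def audit(instances, replacement_sa):
    """Map each flagged instance name to (findings, suggested command)."""
    return {i["name"]: (findings(i), remediation(i, replacement_sa))
            for i in instances if findings(i)}
```

The generated command only changes the attached identity and scopes; the IAM roles granted to that service account still determine what the VM can reach, and the VM has to be stopped before the change is accepted.
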
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

Last updated 2025-05-07 UTC.