From 9b19f5044505df24f4254d6747e56e3b6a5cec4e Mon Sep 17 00:00:00 2001 From: Vivian Wu Date: Mon, 25 Nov 2024 18:47:18 +0000 Subject: [PATCH] Add permissions for secondary boot disk guide --- tools/gke-disk-image-builder/README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/gke-disk-image-builder/README.md b/tools/gke-disk-image-builder/README.md index e5e9565ad..b1cef33a7 100644 --- a/tools/gke-disk-image-builder/README.md +++ b/tools/gke-disk-image-builder/README.md @@ -24,7 +24,8 @@ examples below to understand how this tool work better. 1. Compute Engine API must be enabled. (https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=$PROJECT_NAME) 1. Verify that `$PROJECT_NUMBER-compute@developer.gserviceaccount.com` has - `storage.objectCreator` permissions to the provided *GCS path* for the logs. + `storage.objectCreator` and `storage.objectViewer` permissions to the + provided *GCS path* for the logs and startup script. You can run the following command to grant proper permissions for this: ```shell @@ -32,6 +33,11 @@ examples below to understand how this tool work better. --project=$PROJECT_NAME \ --member=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com \ --role=roles/storage.objectCreator + + gcloud storage buckets add-iam-policy-binding gs://$GCS_PATH \ + --project=$PROJECT_NAME \ + --member=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com \ + --role=roles/storage.objectViewer ``` 1. If a disk image with the given name (via the **--image-name** flag) already
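Review bot: in the first hunk, the new sentence grants `storage.objectViewer` on the whole *GCS path* even though the stated reason is only reading the startup script, so the prose should say that the binding is bucket-wide and that the default Compute Engine service account (`$PROJECT_NUMBER-compute@developer.gserviceaccount.com`, shared by every VM in the project) will be able to list and read every object in that bucket. Suggest adding one sentence recommending a dedicated bucket for the logs and startup script, or noting that a narrower binding is possible if the script lives in its own bucket. Also, `storage.objectCreator` and `storage.objectViewer` are IAM roles rather than permissions, so "has the `storage.objectCreator` and `storage.objectViewer` roles on the provided *GCS path*" would match the `--role=` flags in the commands below. The unchanged context line "how this tool work better" should read "works", but that is outside this hunk.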
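Review bot: in the second hunk, the added `gcloud storage buckets add-iam-policy-binding gs://$GCS_PATH` command only works when `$GCS_PATH` is a bare bucket name; the README calls the variable a *GCS path*, and `buckets add-iam-policy-binding` rejects a value with an object prefix, so the guide should state that `$GCS_PATH` must be the bucket (for example `gs://$GCS_PATH` with no trailing `/logs`), or the reader will get an error from the second command after the first one has already succeeded. Since the two commands differ only in `--role`, consider documenting them as a single block that binds both roles and explaining that `roles/storage.objectViewer` includes `storage.objects.list` as well as `storage.objects.get`, so the service account gains read access to everything in the bucket, not just the startup script.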