Ensuring GCE instances have full access to GCP APIs

David Haley - Jul 20 - - Dev Community

The default settings for GCE instances are fairly locked down when it comes to calling Google APIs, but it's not obvious that this is happening!

Check out the instance creation settings:

Screenshot of the Identity and API access settings

You might think that "allow default access" means "use normal permissions as already configured". But … no 😅 Hover over the "?" icon and see:

Default: read-only access to Storage and Service Management, write access to Stackdriver Logging and Monitoring, read/write access to Service Control.

In other words, creating a GCE instance with default settings means the VM can't write to Cloud Storage even if its service account has write permissions. Access scopes are a per-instance cap on what the OAuth token handed out by the metadata server may do: the permissions the VM actually ends up with are the intersection of those scopes and the IAM roles granted to the attached service account, so a missing scope cannot be fixed by granting the account more roles.

You have two options:

  • Go with full access according to permissions: Allow full access to all Cloud APIs. This sets the `https://www.googleapis.com/auth/cloud-platform` scope, after which the service account's IAM roles alone decide what the VM can do.

  • Customize each service: Set access for each API. This lets you pick a scope per service (for Storage: None, Read Only, Read Write, or Full), so the VM is capped to that set even if the account's roles are broader.

I went with the former, as I'm ok relying on the service account permissions. It's nice to know a more secure environment could lock down the account to just what's needed for that particular case (vs everything the account can do).
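Here is an added example (not from the original post) of how a practitioner would verify and fix this from the command line rather than the console. The first half checks the scope list the metadata server reports from inside a VM and decides whether a Storage write can succeed at all; the second half shows the `gcloud` calls that create a VM with the full-access (`cloud-platform`) scope, or reassign scopes on an existing one. The scope list in `DEFAULT_SCOPES` is a constructed sample of what a console-default VM returns, and the instance name, zone and service account e-mail passed to the `gcloud` helpers are placeholders. Google's own guidance is to prefer the `cloud-platform` scope together with a dedicated, least-privilege service account over fine-grained scopes on the project's default Compute Engine account, which is what the helpers assume.

```shell
#!/bin/sh
# Added example: inspect GCE access scopes and recreate a VM with full API
# access. Not code from the original post.

# Scope URIs as Google publishes them. "cloud-platform" is what the console's
# "Allow full access to all Cloud APIs" option sets.
SCOPE_CLOUD_PLATFORM="https://www.googleapis.com/auth/cloud-platform"
SCOPE_STORAGE_RO="https://www.googleapis.com/auth/devstorage.read_only"
SCOPE_STORAGE_RW="https://www.googleapis.com/auth/devstorage.read_write"
SCOPE_STORAGE_FULL="https://www.googleapis.com/auth/devstorage.full_control"

# Constructed sample: the scope list the metadata server returns (one URI per
# line) for a VM created with the console's default scopes.
DEFAULT_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.append"

# Fetch the live scope list from inside a VM. The Metadata-Flavor header is
# mandatory; the metadata server rejects requests without it.
fetch_instance_scopes() {
    curl -sf -H "Metadata-Flavor: Google" \
        "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"
}

# Exit 0 if the scope list in $1 permits reading Cloud Storage objects.
scopes_allow_storage_read() {
    printf '%s\n' "$1" | grep -qxE \
        "($SCOPE_CLOUD_PLATFORM|$SCOPE_STORAGE_RO|$SCOPE_STORAGE_RW|$SCOPE_STORAGE_FULL)"
}

# Exit 0 if the scope list in $1 permits writing Cloud Storage objects.
# A scope only caps the token: the service account's IAM roles must still
# grant storage.objects.create, so "yes" here is necessary, not sufficient.
scopes_allow_storage_write() {
    printf '%s\n' "$1" | grep -qxE \
        "($SCOPE_CLOUD_PLATFORM|$SCOPE_STORAGE_RW|$SCOPE_STORAGE_FULL)"
}

# Run on the VM: report whether a Storage write is even possible before an
# application fails with a confusing 403 from the Storage API.
report_live_scopes() {
    scopes="$(fetch_instance_scopes)" || {
        echo "metadata server unreachable (not on a GCE VM?)" >&2
        return 2
    }
    if scopes_allow_storage_write "$scopes"; then
        echo "storage write: scope present (IAM roles on the service account still apply)"
    else
        echo "storage write: blocked by access scopes; recreate with cloud-platform (or devstorage.read_write)"
        return 1
    fi
}

# Create a VM with the cloud-platform scope on a dedicated service account.
# Arguments (placeholders): instance name, zone, service account e-mail.
create_vm_full_access() {
    gcloud compute instances create "$1" --zone="$2" \
        --service-account="$3" \
        --scopes=cloud-platform
}

# Scopes can only be changed while the instance is stopped, which is why the
# console makes you set them at creation time.
set_scopes_on_existing_vm() {
    gcloud compute instances stop "$1" --zone="$2"
    gcloud compute instances set-service-account "$1" --zone="$2" \
        --service-account="$3" --scopes=cloud-platform
    gcloud compute instances start "$1" --zone="$2"
}
```

Source the file and call `report_live_scopes` on a VM to see the verdict for the running instance; `create_vm_full_access my-vm us-central1-a my-sa@my-project.iam.gserviceaccount.com` is the CLI equivalent of picking "Allow full access to all Cloud APIs" in the console. Note that the scope URIs the functions match against are exact-line matches, so partially spelled scopes (or the `cloud-platform.read-only` variant) are correctly treated as not granting writes.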

🔐

After this change, I can create VMs that can read/write storage. Ahh 😌
