You created a user-managed service account that has the Storage Object Viewer role. An existing Compute Engine VM currently runs using the default Compute Engine service account, but the application on the VM now needs to access objects in a private Cloud Storage bucket by assuming the new identity. You want to make this change with the least possible downtime and without replacing the VM. What should you do?
Add a metadata entry named service-account-email with the new service account on the running VM; no restart is required.
Grant the Storage Object Viewer role to the new service account; the VM will automatically use it on its next token refresh.
Generate an access token for the new service account and store it as an environment variable for the application on the VM.
Stop the VM, run gcloud compute instances set-service-account with the new service account, then start the VM.
A Compute Engine VM's service account can be changed only while the instance is stopped. Stopping the instance, updating its service account with the gcloud compute instances set-service-account command (or the equivalent Console action), and then starting it again switches the identity without recreating the VM. Simply granting roles to the new service account does not attach it to the VM. Editing custom metadata or injecting access tokens does not cause the VM to impersonate the service account, and storing long-lived credentials is discouraged for security reasons.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why must the VM be stopped to change its service account?
Open an interactive chat with Bash
What is the Storage Object Viewer role, and why is it needed?
Open an interactive chat with Bash
Why is storing access tokens as environment variables discouraged?
Open an interactive chat with Bash
What is a user-managed service account?
Open an interactive chat with Bash
What does the 'gcloud compute instances set-service-account' command do?
Open an interactive chat with Bash
Why is stopping and restarting the VM necessary when changing its service account?
Open an interactive chat with Bash
GCP Associate Cloud Engineer
Configuring access and security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .