Technical Theory

Creating a Debian VM with a Custom Service Account on Google Cloud

Introduction

This tutorial demonstrates how to create a Debian Linux virtual machine (VM) on Google Cloud and assign it a custom service account. Using a custom service account allows you to grant the VM specific permissions, following the principle of least privilege and enhancing security. This tutorial utilizes the gcloud CLI, which you should have installed and configured with appropriate permissions on your Google Cloud project.

Prerequisites:

  • A Google Cloud project with billing enabled.
  • The gcloud CLI installed and configured to connect to your Google Cloud project.
  • Basic familiarity with the command line and Google Cloud concepts.

Task 1: Create a Custom Service Account

First, we’ll create a custom service account that our VM will use.

  1. Open your terminal and authenticate with Google Cloud:

    NODE_TYPE // bash 
    gcloud auth login
    NODE_TYPE // output 
    You are now logged in as [[email protected]].
Your current project is [your-project-id].  You can change this by running:
  $ gcloud config set project PROJECT_ID

  2. Set your project ID (replace your-project-id with your actual project ID):

    NODE_TYPE // bash 
    gcloud config set project your-project-id
    NODE_TYPE // output 
    Updated property [core/project].

  3. Create the service account. Replace my-debian-vm-sa with the name you want to give your service account, and My Debian VM Service Account with a description:

    NODE_TYPE // bash 
    gcloud iam service-accounts create my-debian-vm-sa \
    --display-name="My Debian VM Service Account"
    NODE_TYPE // output 
    Created service account [[email protected]].
    Service account names must be lowercase and can contain hyphens. The display name is a human-readable description.

  4. (Optional) Grant the service account specific roles. For example, to allow the VM to read data from Cloud Storage:

    NODE_TYPE // bash 
    gcloud projects add-iam-policy-binding your-project-id \
    --member="serviceAccount:[email protected]" \
    --role="roles/storage.objectViewer"
    NODE_TYPE // output 
    Updated IAM policy for project [your-project-id].
bindings:
- members:
  - serviceAccount:[email protected]
  role: roles/storage.objectViewer
etag: BwVrEzkQVtI=
version: 1
    Carefully consider which roles to grant. Only grant the minimum necessary permissions to adhere to the principle of least privilege.

Task 2: Create the Debian Linux VM

Now, we’ll create the Debian Linux VM and assign it the service account we just created.

  1. Create the VM instance. Replace my-debian-vm with the desired name for your VM, and adjust the zone and machine type if necessary. This example uses the f1-micro machine type, which is eligible for the Free Tier.

    NODE_TYPE // bash 
    gcloud compute instances create my-debian-vm \
    --zone=us-central1-a \
    --machine-type=f1-micro \
    --image-family=debian-11 \
    --image-project=debian-cloud \
    --scopes=cloud-platform \
    --service-account=[email protected]
    NODE_TYPE // output 
    Created [https://www.googleapis.com/compute/v1/projects/your-project-id/zones/us-central1-a/instances/my-debian-vm].
NAME: my-debian-vm
ZONE: us-central1-a
MACHINE_TYPE: f1-micro
PREEMPTIBLE:
INTERNAL_IP: 10.128.0.2
EXTERNAL_IP: 34.123.45.67
STATUS: RUNNING
    The --scopes=cloud-platform flag allows the VM to access most Google Cloud services. If you’ve granted specific roles to the service account, you might not need this broad scope. You can use more granular scopes instead, such as --scopes=https://www.googleapis.com/auth/devstorage.read_only if you only need read access to Cloud Storage. 
    graph LR
    A[Start] --> B(gcloud compute instances create)
    B --> C{Check Parameters}
    C -- Valid --> D(Create VM Instance)
    C -- Invalid --> E(Correct Parameters)
    E --> B
    D --> F(VM Running)
    F --> G[End]

Task 3: Verify the Service Account

Let’s verify that the VM is using the service account we assigned.

  1. SSH into the VM:

    NODE_TYPE // bash 
    gcloud compute ssh my-debian-vm --zone=us-central1-a
    NODE_TYPE // output 
    ... (SSH connection established) ...
username@my-debian-vm:~$

  2. Inside the VM, use the gcloud auth list command to see the active account:

    NODE_TYPE // bash 
    gcloud auth list
    NODE_TYPE // output 
    Credentialed Accounts:
 - my-debian-vm-sa@your-project-id.iam.gserviceaccount.com (active)

To set the active account, run:
    $ gcloud config set account `ACCOUNT`

    This confirms that the VM is using the service account we created.

  3. (Optional) Verify the permissions. If you granted the roles/storage.objectViewer role, you can try listing Cloud Storage buckets:

    NODE_TYPE // bash 
    gsutil ls

    If the command executes without errors, it confirms that the service account has the necessary permissions. If you don’t have any Cloud Storage buckets, you’ll get an empty list.

    NODE_TYPE // output 
    gs://your-bucket-name/
gs://another-bucket/

  4. Exit the SSH session:

    NODE_TYPE // bash 
    exit

Conclusion

You have successfully created a Debian Linux VM on Google Cloud and assigned it a custom service account. This ensures that the VM has only the necessary permissions to perform its tasks, improving the security posture of your application. You learned how to:

  • Create a custom service account using the gcloud CLI.
  • Grant specific roles to the service account.
  • Create a Debian Linux VM and assign it the custom service account.
  • Verify the service account and its permissions within the VM.

Next Topic

Theory

Creating a Debian Linux VM with Startup Script and Custom Metadata on Google Cloud
Theory

Creating a Debian VM with Startup Script and Metadata in GCP using Terraform
Theory

Creating a VPC Network with Custom Subnets and Firewall Rules in Google Cloud