Service accounts for instances

[dtretyakov]

By @mayacdoit in https://github.com/JetBrains/teamcity-google-agent/issues/12#issuecomment-350654807:

We need to work with gsutil. From the main image there is no issue to run gsutil. From the agents started with teamcity I get: "ServiceException: 401 Anonymous users does not have storage.objects.list access to bucket mybucket" When launching an image manually gsutil works fine. Digging a bit on the internet didn't help finding a solution.

[dtretyakov]

@mayacdoit, could you please share a bit more details where and how did you executed gsutil in this scenario?

[mayacdoit]

I'm trying to run "gsutil cp gs://from-bucket/file.war ." for example. I was trying to run it a build step on teamcity with google-cloud-agent. At first I was running it under the teamcity user 'agentuser' but I also ssh into the instance and it fails on other users as well. For testing, I launched through google cloud ui an instance from the same image Teamcity uses and from there I was able to run gsutil cp. I've added that instance as an agent and it works fine running gsutil as a build step. Hope it's clear

[dtretyakov]

@mayacdoit, I found in docs that to credentials will be automatically provided for cloud instance if service account and scope will be specified on instance start time: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#using

So we need to add ability to customize it in this plugin.

[dtretyakov]

@mayacdoit, you could download the latest plugin version where it was fixed: https://plugins.jetbrains.com/plugin/9704-google-cloud-agents