How to Resolve “Compute Engine System Service Account Missing start/stop Permissions” Error in GCP Instance Scheduler

When working with Google Cloud's Instance Scheduler, many developers encounter this specific permission error because they misunderstand the authentication flow. The error occurs not because your user service account lacks permissions, but because the Compute Engine System service account (service-{PROJECT_NUMBER}@compute-system.iam.gserviceaccount.com) needs explicit permissions.

The following IAM roles must be assigned to both accounts:

# For your user service account (the one triggering the scheduler)
roles/compute.instanceAdmin.v1
roles/iam.serviceAccountUser

# For the Compute Engine System service account
roles/compute.instanceAdmin.v1

Here's how to properly configure the permissions through gcloud CLI:

# 1. Identify your Compute Engine System service account
PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
SYSTEM_ACCOUNT="service-${PROJECT_NUMBER}@compute-system.iam.gserviceaccount.com"

# 2. Grant the necessary roles
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:${SYSTEM_ACCOUNT}" \
    --role="roles/compute.instanceAdmin.v1"

# 3. Verify the permissions
gcloud projects get-iam-policy $PROJECT_ID \
    --flatten="bindings[].members" \
    --format="table(bindings.role)" \
    --filter="bindings.members:${SYSTEM_ACCOUNT}"

• Don't confuse the Compute Engine System service account with the Compute Engine default service account
• The system account is automatically created by GCP and has a specific naming pattern
• Permission changes may take 1-2 minutes to propagate

After applying these changes, test the scheduler with this sample API call:

curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json" \
  "https://compute.googleapis.com/compute/v1/projects/${PROJECT_ID}/zones/${ZONE}/instances/${INSTANCE_NAME}/start"

If issues persist:
1. Check Cloud Logging for detailed error messages
2. Verify the IAM policy binding was successfully created
3. Ensure you're using the correct project ID and zone


When working with Google Cloud's Instance Scheduler, many developers encounter this specific permission error because the Compute Engine System service account (different from user-managed service accounts) requires explicit permissions for instance lifecycle operations.

While you've correctly assigned Compute Instance Administrator and Compute Administrator roles to your user-managed service account, the error references the system-managed service account (format: service-project-number@compute-system.iam.gserviceaccount.com). This account requires:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:service-project-number@compute-system.iam.gserviceaccount.com" \
    --role="roles/compute.instanceAdmin.v1"

First identify your Compute Engine system service account:

gcloud projects get-iam-policy PROJECT_ID \
    --flatten="bindings[].members" \
    --filter="bindings.members:service-*@compute-system.iam.gserviceaccount.com" \
    --format="table(bindings.members)"

For infrastructure-as-code users, here's how to grant permissions:

# Look up the project number; the system service account email is built
# from the number, not the project ID.
data "google_project" "project" {
  project_id = var.project_id
}

resource "google_project_iam_member" "compute_system_admin" {
  project = var.project_id
  role    = "roles/compute.instanceAdmin.v1"
  member  = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
}

• Ensure you're modifying the system service account, not your custom service account
• The account format must include your project number, not project ID
• Changes may take 1-2 minutes to propagate

If you prefer not to modify the system account, you can configure the scheduler to use a custom service account:

gcloud beta compute instance-schedules create SCHEDULE_NAME \
    --vm-start-schedule="0 9 * * *" \
    --vm-stop-schedule="0 17 * * *" \
    --timezone="UTC" \
    --service-account="custom-sa@project-id.iam.gserviceaccount.com"
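Both answers above end with a manual look at the project IAM policy (the first under "Verify the IAM policy binding was successfully created", the second when identifying the system account and warning about project number versus project ID). The Python script below is an added example, not code from either answer, that performs that check on the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`: it builds the Compute Engine System service account email from the project number, flags a role that was granted to the Compute Engine default service account by mistake or to a "system account" email built from the project ID, and reports whether one of the predefined roles that carry compute.instances.start and compute.instances.stop is bound without an IAM condition. The embedded policy, the project number 123456789012 and the scheduler@my-project.iam.gserviceaccount.com account are constructed for the example; the set of recognised roles is an assumption of the example (custom roles are not expanded).

```python
"""Audit an exported project IAM policy for the Compute Engine System service
account that instance schedules run as.  Added example, not code from the
answers above; input is what `gcloud projects get-iam-policy PROJECT_ID
--format=json` prints."""
import json
import re

PROJECT_NUMBER = 123456789012  # placeholder project number for this example

# Predefined roles that carry compute.instances.start and compute.instances.stop.
# Assumption: only these are recognised; custom roles are not expanded here.
ROLES_WITH_START_STOP = {"roles/compute.instanceAdmin.v1", "roles/compute.admin",
                         "roles/editor", "roles/owner"}

SYSTEM_RE = re.compile(r"^serviceAccount:service-([^@]+)@compute-system\.iam\.gserviceaccount\.com$")
DEFAULT_RE = re.compile(r"^serviceAccount:[^@]+-compute@developer\.gserviceaccount\.com$")


def system_service_account(project_number):
    """IAM member string of the Compute Engine System service account."""
    return f"serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com"


def classify_member(member):
    """'system', 'malformed-system' (local part is not a pure project number,
    e.g. the project ID was used), 'default' (the VM default SA) or 'other'."""
    m = SYSTEM_RE.match(member)
    if m:
        return "system" if m.group(1).isdigit() else "malformed-system"
    return "default" if DEFAULT_RE.match(member) else "other"


def audit_policy(policy, project_number):
    """Report what the policy grants to the expected system account, plus the
    two common mistakes: the role went to the default SA, or to a system-account
    email built from the project ID."""
    wanted = system_service_account(project_number)
    result = {"system_roles": [], "conditional_roles": [], "default_roles": [],
              "malformed_members": [], "has_start_stop": False}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        for member in binding.get("members", []):
            kind = classify_member(member)
            if kind == "malformed-system":
                result["malformed_members"].append(member)
            elif kind == "default":
                result["default_roles"].append(role)
            elif member == wanted:
                # A grant behind an IAM condition may not apply when the scheduler runs.
                key = "conditional_roles" if binding.get("condition") else "system_roles"
                result[key].append(role)
    result["has_start_stop"] = any(r in ROLES_WITH_START_STOP for r in result["system_roles"])
    return result


def add_binding(policy, role, member):
    """Copy of POLICY with MEMBER added to the unconditional binding for ROLE,
    the same edit `gcloud projects add-iam-policy-binding` makes."""
    updated = json.loads(json.dumps(policy))
    for binding in updated.setdefault("bindings", []):
        if binding.get("role") == role and not binding.get("condition"):
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


# Constructed policy showing both mistakes: the role went to the default SA,
# and the "system account" grant used the project ID instead of the number.
SAMPLE_POLICY = {
    "version": 1, "etag": "BwXYZ=",
    "bindings": [
        {"role": "roles/compute.serviceAgent",
         "members": ["serviceAccount:service-123456789012@compute-system.iam.gserviceaccount.com"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "serviceAccount:scheduler@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["serviceAccount:service-my-project@compute-system.iam.gserviceaccount.com"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY, PROJECT_NUMBER), indent=2))
    fixed = add_binding(SAMPLE_POLICY, "roles/compute.instanceAdmin.v1",
                        system_service_account(PROJECT_NUMBER))
    print("after fix:", audit_policy(fixed, PROJECT_NUMBER)["has_start_stop"])
```

To run it against a real project, export the policy with `gcloud projects get-iam-policy "$PROJECT_ID" --format=json > policy.json` and pass `json.load(open("policy.json"))` to `audit_policy` in place of SAMPLE_POLICY. On the constructed policy the audit fails (`has_start_stop` is false, with the default-account grant and the project-ID email listed as findings); `add_binding` applies the same edit the `gcloud projects add-iam-policy-binding` command from both answers makes, after which the audit passes.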