Im coming from AWS not sure how to do this with gcp.
In AWS I can create an EC2 instance, Lambda, ECS, etc service role. I attach policies to that role to give it the access it needs. Then I attach the role to an EC2 instance, lambda, etc. No static keys being used, no secrets being passed around.
How do I do this with gcp? How do I attach a role (or maybe gcp service account?) to a gce instance, cloud function, gke deployment/service, etc?
GCP has "service accounts" and something it calls roles and something called "scopes" but it is not clear to me how to attach them and Grant access to reasources implicitly (without passing around secrets/keys).
For services such as Compute Engine, App Engine, etc. Google automatically creates a default service account. When you create an instance or when the instance is shutdown you can modify the privileges assigned to default service account or even change the service account used.
The default service account has a predefined name [PROJECT_NUMBER]-compute@developer.gserviceaccount.com
This link will provide more information.
You can access the credentials created by the default service account from the instance metadata. Here is an example in Python. This example load the default service account credentials for accessing Google Cloud Storage:
from google.auth import compute_engine
from google.cloud import storage
credentials = compute_engine.Credentials()
client = storage.Client(credentials=credentials, project=project)
A common strategy is to use Application Default Credentials (ADC) to automatically locate credentials:
from google.cloud import storage
client = storage.Client()
For a VM you will need to stop it first. You can follow the below steps: