[v16] Update gcp discovery docs with access scopes (#47639)

* Update gcp discovery docs with access scopes * Address comments
gravitational · Oct 16, 2024 · 1d4cb05 · 1d4cb05
1 parent c9f7f5f
commit 1d4cb05
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 0 deletions.
diff --git a/docs/img/server-access/guides/gcp/[email protected] b/docs/img/server-access/guides/gcp/[email protected]
diff --git a/docs/img/server-access/guides/gcp/[email protected] b/docs/img/server-access/guides/gcp/[email protected]
diff --git a/docs/pages/enroll-resources/auto-discovery/servers/gcp-discovery.mdx b/docs/pages/enroll-resources/auto-discovery/servers/gcp-discovery.mdx
@@ -93,6 +93,12 @@ discover instances.
   your custom role. Click *Save*.
 
   ![Role assignment](../../../../img/server-access/guides/gcp/[email protected])
+
+  If the Discovery Service will run in a GCP compute instance, edit the instance and
+  assign the service account to the instance and set its access scopes to include 
+  Read Write access to the Compute API.
+
+  ![Service account assignment](../../../../img/server-access/guides/gcp/[email protected])
 </TabItem>
 <TabItem label="gcloud">
   Copy the following and paste it into a file called `teleport-discovery-role.yaml`:
@@ -131,6 +137,14 @@ discover instances.
   --member="serviceAccount:teleport-discovery@<Var name="project_id" />.iam.gserviceaccount.com" \
   --role="projects/<Var name="project_id" />/roles/teleport_discovery"
   ```
+
+  If the Discovery Service will run in a GCP compute instance, run the following command to
+  add the service account to the instance:
+  ```code
+  $ gcloud compute instances set-service-account <Var name="discovery_service_vm_name" description="Name of the instance running the Discovery Service" /> \
+  --service-account=teleport-discovery@<Var name="project_id" />.iam.gserviceaccount.com \
+  --scopes=default,compute-rw
+  ```
 </TabItem>
 </Tabs>