I have a project with three VMs. I'm trying to create a condition at the project level that should limit instanceAdmin role to a single instance only, based on its name.
- I previously tried to grant the policy at the instance level, but nothing happened; the granted user can see neither the instance nor the project.
- Therefore I tried to grant the policy at the project level, with a condition that limits the role to only the required instance (based on its name). As far as I can read in the docs, the resource name has to be declared following the name attribute format (projects/project-id/zones/zone-id/instances/instance-id): if I choose "starts with" and stop at the project id (e.g. projects/project-id/), then the user will see all instances from the console, which is fine. If I write the full resource name (I tried using both the instance ID and the instance name), the user does not see anything.
I can't figure out how to make it happen: I'm following this guide, but it does not work on my side. Am I missing something? Moreover, why can't I simply apply the instanceAdmin role directly to the instance? Do I need some other privileges in order to list the instance on the console?
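Added example, not part of the question or of Google's own tooling: a small Python model of the condition being described. It builds the project-level binding with a `resource.name.startsWith` condition in the JSON shape a policy file for `gcloud projects set-iam-policy` uses, validates the instance resource-name format, and checks which resource names such a condition would accept. The project, zone, VM and member values are constructed placeholders.

```python
import json
import re

# Constructed placeholder values; substitute your own project, zone, VMs and member.
PROJECT_ID = "my-project"
ZONE = "us-central1-a"
MEMBER = "user:alice@example.com"
ROLE = "roles/compute.instanceAdmin.v1"

# Format that resource.name takes for a Compute Engine VM in a condition.
INSTANCE_NAME_RE = re.compile(r"^projects/[^/]+/zones/[^/]+/instances/[^/]+$")


def instance_resource_name(project_id: str, zone: str, instance: str) -> str:
    """Full resource name of one VM, as compared by a resource.name condition."""
    name = f"projects/{project_id}/zones/{zone}/instances/{instance}"
    if not INSTANCE_NAME_RE.match(name):
        raise ValueError(f"malformed instance resource name: {name}")
    return name


def conditional_binding(member: str, prefix: str, role: str = ROLE) -> dict:
    """One entry for a policy's 'bindings' list: the role is granted at the
    project level but only where resource.name starts with `prefix`."""
    return {
        "role": role,
        "members": [member],
        "condition": {
            "title": "limit-to-" + prefix.rstrip("/").rsplit("/", 1)[-1],
            "expression": f'resource.name.startsWith("{prefix}")',
        },
    }


def matching_resources(prefix: str, resource_names: list[str]) -> list[str]:
    """Resource names the condition accepts: a plain string-prefix test,
    which is exactly what CEL's startsWith does."""
    return [n for n in resource_names if n.startswith(prefix)]


if __name__ == "__main__":
    vms = [instance_resource_name(PROJECT_ID, ZONE, v) for v in ("web-1", "web-2", "db-1")]
    target = vms[0]
    print(json.dumps(conditional_binding(MEMBER, target), indent=2))
    print(matching_resources(target, vms))                       # only web-1
    print(matching_resources(f"projects/{PROJECT_ID}/", vms))    # all three VMs
    # A check made against the project resource itself never matches an
    # instance-scoped prefix, since "projects/my-project" lacks the rest of the path.
    print(matching_resources(target, [f"projects/{PROJECT_ID}"]))  # []
```

Feed the printed binding into the `bindings` list of a policy file to apply it; the last two calls show, as pure string matching, why a project-wide prefix accepts every VM while an instance-scoped prefix accepts that VM alone.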