Permission Denied at 2AM: My Wild Ride Through IAM, Service Accounts, and VPC Flow Logs
Somewhere between my third coffee and the fourth “why is this not working?” moment, I realized cloud security isn’t just about knowing commands — it’s about surviving the tiny, sneaky mistakes that hide like cockroaches in dark corners.
Seriously. One missing permission. Just one. Whole system stuck like a bike chain jammed in the gears.
Anyway… let me rewind a bit.
The Cursor That Wouldn’t Blink Fast Enough
You know that moment when the terminal just sits there, blinking, quiet… like it knows something you don’t?
That was the vibe.
Started off with IAM roles. Pretty straightforward on paper — assign roles, switch users, check permissions, repeat. Classic cloud stuff. The kind that looks neat in tutorials but turns into spaghetti when you’re doing it for real.
First user: full admin power.
Second user: viewer-only — the so-called “devops user.”
Switching between those two felt like changing masks in some low-budget hacker movie. One second you’re the boss. Next second you’re locked out of your own house, metaphorically speaking.
And yeah — things worked… until they didn’t.
Ah Yes. The Famous Permission Denied
Typed the command.
Pressed Enter.
Boom.
Permission denied.
Not dramatic. Not fancy. Just blunt. Like a slap from reality.
Tried again — maybe typo?
Checked syntax — nope, clean.
Switched zones — still nope.
At some point I started blaming the cloud itself, which is ridiculous, but also kind of comforting. Like yelling at traffic lights.
Turns out — and this still makes me chuckle — the whole thing boiled down to a missing service account permission. One line. One single permission buried in the weeds like a landmine.
Added it. Ran the command again.
And just like that… the instance spun up.
No fireworks. No applause. Just quiet success.
But wow — that feeling. Felt like cracking a safe.
Writing My Own Role Felt Weirdly Powerful
There’s something about custom roles that hits different.
Predefined roles are fine, sure. But writing your own permissions? That’s like cooking instead of ordering takeout.
Pulled up the role definition file. Started listing permissions — compute.instances.create, disks, metadata — the usual suspects.
Saved it. Applied it.
Watched the policy bind successfully.
Not gonna lie, I leaned back in the chair a bit like I had just hacked into NASA. Obviously didn’t. But the brain likes to pretend sometimes.
Identity Switching Like a Spy With a Budget Laptop
Back and forth. Default user. User2. Default again.
Felt like running undercover operations, except instead of secret messages it was terminal commands and IAM bindings.
At one point, the viewer account tried to create an instance — and failed exactly the way it was supposed to.
Which sounds like failure, but actually? That’s success.
Security working properly looks like frustration. Funny how that works.
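To make the "one missing permission" lesson concrete, here is an added example (not code from the original post) that models how the three identities above fare when they try to create a VM. In GCP a create that attaches a service account needs the project-level compute permissions and `iam.serviceAccounts.actAs` on that service account, which is the usual shape of a "missing service account permission"; whether that was the exact permission in the post is not stated. The permission sets are constructed, trimmed subsets of the real predefined roles, and the project name, custom role name, principals and service account are made up.

```python
"""Toy resolver for "can this principal create a VM with this service account?".

Added example; not code from the original post. ROLES holds constructed,
trimmed subsets of the real predefined roles; the custom role, the project
"demo", the example.com principals and the service account are hypothetical.
"""
from typing import Dict, List, Set, Tuple

Policy = Dict[str, Set[str]]  # role -> members bound to that role

ROLES: Dict[str, Set[str]] = {
    # Subset only: the real roles/owner grants far more than this.
    "roles/owner": {
        "compute.instances.create", "compute.instances.get",
        "compute.instances.list", "compute.disks.create",
        "compute.instances.setMetadata", "compute.instances.setServiceAccount",
        "iam.serviceAccounts.actAs",
    },
    # roles/viewer: read-only, so only get/list here.
    "roles/viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/iam.serviceAccountUser": {
        "iam.serviceAccounts.actAs", "iam.serviceAccounts.get",
        "iam.serviceAccounts.list",
    },
    # Hand-written custom role like the one in the post: compute permissions
    # only. It deliberately does not grant actAs on any service account.
    "projects/demo/roles/vmCreator": {
        "compute.instances.create", "compute.disks.create",
        "compute.instances.setMetadata", "compute.instances.setServiceAccount",
    },
}

# What a "compute instances create --service-account=SA" needs at project
# level, plus iam.serviceAccounts.actAs on that SA. The actAs grant may sit
# on the service account itself or on the project (the SA inherits it).
PROJECT_PERMS_FOR_CREATE: Set[str] = {
    "compute.instances.create", "compute.disks.create",
    "compute.instances.setMetadata", "compute.instances.setServiceAccount",
}
ACT_AS = "iam.serviceAccounts.actAs"


def effective_permissions(principal: str, policy: Policy) -> Set[str]:
    """Union of the permissions of every role the principal is bound to."""
    perms: Set[str] = set()
    for role, members in policy.items():
        if principal in members:
            perms |= ROLES.get(role, set())
    return perms


def check_instance_create(principal: str, project_policy: Policy,
                          sa_policy: Policy) -> Tuple[bool, List[str]]:
    """Return (allowed, missing_permissions) for a VM create with an SA attached."""
    project_perms = effective_permissions(principal, project_policy)
    missing = sorted(PROJECT_PERMS_FOR_CREATE - project_perms)
    # The service account's own policy is evaluated on top of the inherited
    # project policy.
    sa_perms = project_perms | effective_permissions(principal, sa_policy)
    if ACT_AS not in sa_perms:
        missing.append(ACT_AS)
    return (not missing, missing)


# Constructed policies: admin, the viewer-only "devops" user, and a user
# holding only the custom role.
PROJECT_POLICY: Policy = {
    "roles/owner": {"user:admin@example.com"},
    "roles/viewer": {"user:devops@example.com"},
    "projects/demo/roles/vmCreator": {"user:builder@example.com"},
}
SA_POLICY_BEFORE: Policy = {}  # nothing bound on the VM's service account
SA_POLICY_AFTER: Policy = {    # the one-line fix: actAs via serviceAccountUser
    "roles/iam.serviceAccountUser": {"user:builder@example.com"},
}


if __name__ == "__main__":
    for who in ("user:admin@example.com", "user:devops@example.com",
                "user:builder@example.com"):
        for label, sa_policy in (("before", SA_POLICY_BEFORE),
                                 ("after", SA_POLICY_AFTER)):
            ok, missing = check_instance_create(who, PROJECT_POLICY, sa_policy)
            print(f"{who:28} SA policy {label:6} -> "
                  f"{'allowed' if ok else 'PERMISSION DENIED'} {missing}")
```

The viewer fails with every create permission missing, which is the intended outcome; the custom-role user fails on exactly one line, `iam.serviceAccounts.actAs`, until the service account binding is added. Checking the service account's policy separately from the project policy is the step that is easy to forget when the error message only says "permission denied".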
Enter VPC Flow Logs — Watching Traffic Like It’s Alive
After all the IAM gymnastics, things shifted into networking territory.
Custom VPC created.
Subnet configured, with flow logs switched on for it (they are off by default, and only subnets with logging enabled produce entries).
Firewall rules added.
Launched an Apache server — nothing fancy, just a simple “Hello World” page.
But behind that tiny web page… packets moving. Requests bouncing around. Logs quietly stacking up like receipts in your wallet.
Clicked the external IP.
And there it was.
Hello World
Plain text. No glamour. Still satisfying.
Like the first time you fix something mechanical and it doesn’t fall apart.
The Moment Logs Started Talking
Opened Logs Explorer.
Filtered by subnetwork.
Typed in my own IP address.
And there it was — lines of traffic data. Source IP, destination ports, protocol numbers. All laid out like forensic evidence at a crime scene.
Honestly, that part felt wild.
Every click. Every request. Logged somewhere. Stored. Waiting to be read.
Makes you think twice about how noisy the internet really is.
BigQuery — Where Logs Become Stories
Logs are messy. Chaotic. Like scribbles on a napkin.
So exporting them into BigQuery felt like organizing chaos into something readable.
Ran SQL queries — grouped connections, summed bytes, sorted traffic.
Suddenly, instead of noise, there were patterns.
Top IP addresses. Traffic flows. Numbers telling stories.
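The "group connections, sum bytes, sort" step, as an added example that is not the post's own query: it runs the same aggregation in Python over a handful of constructed entries shaped like the `jsonPayload` of an exported VPC flow log record, and also reproduces the earlier Logs Explorer step of pulling out flows from your own IP (in Logs Explorer that is `resource.type="gce_subnetwork"` plus `jsonPayload.connection.src_ip="<your ip>"`). The equivalent BigQuery query is in the comment at the top; the project, dataset and IP addresses are assumptions. One caveat worth knowing: when both ends of a flow are VMs in subnets with logging on, each VM reports the flow, so a naive SUM counts those bytes twice. The example de-duplicates on the 5-tuple plus `start_time` to show the difference.

```python
"""Top talkers from VPC flow log entries, done in Python instead of BigQuery.

Added example, not code from the original post. Entry dicts mirror the
jsonPayload of an exported VPC flow log record; all IPs, byte counts and
timestamps are constructed.

Equivalent BigQuery query over a log-sink export (project/dataset assumed):
  SELECT jsonPayload.connection.src_ip   AS src_ip,
         jsonPayload.connection.dest_ip  AS dest_ip,
         jsonPayload.connection.dest_port AS dest_port,
         jsonPayload.connection.protocol AS protocol,
         SUM(CAST(jsonPayload.bytes_sent AS INT64)) AS bytes_sent,
         COUNT(*) AS flows
  FROM `my_project.flow_logs.compute_googleapis_com_vpc_flows_*`
  GROUP BY 1, 2, 3, 4
  ORDER BY bytes_sent DESC
  LIMIT 10;
"""
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

Entry = Dict
Key = Tuple[str, str, int, int]  # (src_ip, dest_ip, dest_port, protocol)

# Constructed sample: my workstation (203.0.113.7) hitting the Apache VM
# (10.10.0.2) on port 80 twice, one internal SSH flow reported by BOTH VMs,
# and one unrelated visitor. protocol 6 = TCP; bytes_sent is a string in
# the exported JSON, as it is in the real export.
SAMPLE_ENTRIES: List[Entry] = [
    {"connection": {"src_ip": "203.0.113.7", "dest_ip": "10.10.0.2",
                    "src_port": 51234, "dest_port": 80, "protocol": 6},
     "bytes_sent": "1420", "reporter": "DEST", "start_time": "2024-01-01T02:00:00Z"},
    {"connection": {"src_ip": "203.0.113.7", "dest_ip": "10.10.0.2",
                    "src_port": 51240, "dest_port": 80, "protocol": 6},
     "bytes_sent": "980", "reporter": "DEST", "start_time": "2024-01-01T02:00:05Z"},
    {"connection": {"src_ip": "10.10.0.2", "dest_ip": "10.10.0.3",
                    "src_port": 40000, "dest_port": 22, "protocol": 6},
     "bytes_sent": "5000", "reporter": "SRC", "start_time": "2024-01-01T02:00:00Z"},
    {"connection": {"src_ip": "10.10.0.2", "dest_ip": "10.10.0.3",
                    "src_port": 40000, "dest_port": 22, "protocol": 6},
     "bytes_sent": "5000", "reporter": "DEST", "start_time": "2024-01-01T02:00:00Z"},
    {"connection": {"src_ip": "198.51.100.9", "dest_ip": "10.10.0.2",
                    "src_port": 33000, "dest_port": 80, "protocol": 6},
     "bytes_sent": "300", "reporter": "DEST", "start_time": "2024-01-01T02:00:00Z"},
]


def dedupe_reports(entries: Iterable[Entry]) -> Iterator[Entry]:
    """Drop the second report of a flow seen from both the SRC and DEST VM."""
    seen = set()
    for e in entries:
        c = e["connection"]
        key = (c["src_ip"], c["dest_ip"], c["src_port"], c["dest_port"],
               c["protocol"], e["start_time"])
        if key in seen:
            continue
        seen.add(key)
        yield e


def top_talkers(entries: Iterable[Entry], n: int = 10,
                dedupe: bool = True) -> List[Tuple[Key, int, int]]:
    """Rank (src, dest, dest_port, protocol) by total bytes; returns (key, bytes, flows)."""
    totals: Dict[Key, List[int]] = defaultdict(lambda: [0, 0])
    for e in (dedupe_reports(entries) if dedupe else entries):
        c = e["connection"]
        key: Key = (c["src_ip"], c["dest_ip"], c["dest_port"], c["protocol"])
        totals[key][0] += int(e["bytes_sent"])
        totals[key][1] += 1
    ranked = sorted(((k, b, f) for k, (b, f) in totals.items()),
                    key=lambda r: (-r[1], r[0]))  # bytes desc, key for a stable tie order
    return ranked[:n]


def flows_from_ip(entries: Iterable[Entry], ip: str) -> List[Entry]:
    """The Logs Explorer step: every flow whose source is the given address."""
    return [e for e in entries if e["connection"]["src_ip"] == ip]


if __name__ == "__main__":
    for key, total, flows in top_talkers(SAMPLE_ENTRIES):
        src, dest, port, proto = key
        print(f"{src:>14} -> {dest}:{port} proto {proto}: {total} bytes, {flows} flows")
    print("my own requests:", len(flows_from_ip(SAMPLE_ENTRIES, "203.0.113.7")))
```

With `dedupe=False` the internal SSH flow reports 10000 bytes instead of 5000, which is the double count a straight `SUM` in BigQuery would also produce for VM-to-VM traffic; add `WHERE jsonPayload.reporter = 'SRC'` or a de-duplication step before drawing conclusions from the numbers.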
That’s when it clicked.
Security isn’t just about blocking attacks — it’s about understanding behavior.
Watching movement. Reading patterns. Connecting dots.
Kind of like detective work… but with more coffee.
The Tiny Fix That Made Everything Move Again
There was this one moment — small, quiet — where everything suddenly worked.
Permissions fixed. Instances running. Logs flowing. Queries returning results.
No celebration. Just relief.
You sit there, stare at the screen, and think:
“Okay… that actually worked.”
And weirdly, those moments feel bigger than flashy wins.
Because you earned them.
Things I Learned the Hard Way (Naturally)
Not from slides. Not from videos.
From messing up.
From retrying commands. From chasing permission errors through layers of IAM like trying to find your keys when you’re already late.
Here’s what stuck with me:
Permissions are everything.
Logs are gold.
Service accounts matter more than you think.
And sometimes — honestly — the biggest obstacle isn’t the system… it’s the one missing checkbox you didn’t notice.
Yeah. That happens more than people admit.
Somewhere Between Errors and Fixes, It Started Making Sense
Cloud security used to feel abstract. Like diagrams on whiteboards and buzzwords tossed around in conference talks.
Now? It feels tangible.
You build networks.
You break permissions.
You fix them.
You watch traffic flow.
You learn.
Slowly. Messily. Occasionally with a headache.
But steadily.
And that blinking cursor — the one that used to feel intimidating — starts to feel like an invitation.
Not a threat.
Just a starting point.