An easy workaround for the scope issue is to set a custom service account when creating the instance (template). You can then modify the IAM roles for that service account without having to take the instance offline. Allow that service account to have full access to all APIs on the instance level, then fine-tune what's actually possible through IAM Roles.
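To see which instances already follow this pattern, the sketch below (an added example, not part of the original answer) classifies the output of `gcloud compute instances list --format=json` by service account and access scope. The instance data is constructed and the finding labels are names made up for this example.

```python
import json
import re

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
# Email format of the Compute Engine default service account.
DEFAULT_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Constructed sample, shaped like `gcloud compute instances list --format=json`.
SAMPLE = json.loads("""
[
  {"name": "web-1", "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/devstorage.read_only"]}]},
  {"name": "batch-1", "serviceAccounts": [{"email": "batch-sa@example-project.iam.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/logging.write"]}]},
  {"name": "api-1", "serviceAccounts": [{"email": "api-sa@example-project.iam.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "old-1", "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
  {"name": "isolated-1"}
]
""")


def classify(instance):
    """Return one finding label (hypothetical names) for an instance."""
    accounts = instance.get("serviceAccounts") or []
    if not accounts:
        return "no-service-account"
    sa = accounts[0]  # Compute Engine attaches at most one service account
    is_default = bool(DEFAULT_SA.match(sa.get("email", "")))
    full_scope = CLOUD_PLATFORM in sa.get("scopes", [])
    if is_default and full_scope:
        # Scopes no longer limit anything; access equals the default account's IAM roles.
        return "default-sa-full-scope"
    if is_default:
        return "default-sa-scoped"
    if not full_scope:
        # Scopes still cap this account; widening them means stopping the instance.
        return "custom-sa-scoped"
    return "custom-sa-iam-only"  # the pattern described in the answer


def audit(instances):
    return {i["name"]: classify(i) for i in instances}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name}: {finding}")
```

Instances reported as `default-sa-full-scope` deserve the first look: with the scope cap gone, whatever roles the shared default account holds apply to every instance that uses it.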