Service Accounts and Scopes
-
Within your project, create a regional storage bucket and upload a single file to it.
From the left menu, go to Storage → Storage, and create a regional bucket with a unique name.
When created, click on your bucket, and drag a file into the window.
-
Within Compute Engine, create an instance and be sure that the Storage scope is set to Read Only, then SSH into it.
Within the instance creation screen, go to Scope, choose the option to manually set API access, and make sure Storage is set to Read Only. Click Create, then click the SSH button.
-
View the gcloud configuration info for your instance session, and note that the service account is the logged-in entity.
Type:
gcloud config list
-
From within the instance SSH session, view the contents of the storage bucket you’ve created.
Type:
gsutil ls gs://(your_bucket_name)
-
Copy the file in the storage bucket to your instance directory.
Type:
gsutil cp gs://(your_bucket_name)/* .
Note that you need the period at the end of the command.
-
Create an empty text file in your instance, and attempt to copy the file to your storage bucket. Note the error.
Type:
touch file.txt
gsutil cp file.txt gs://(your_bucket_name)
-
Change the Storage scope of your instance from Read to Read Write.
Stop the instance, create a new instance, and change the Storage scope from Read to Read Write. SSH into the new instance.
-
Attempt to copy the empty text file to your storage bucket again. It should work this time.
Type:
gsutil cp file.txt gs://(your_bucket_name)
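-
To confirm which Storage scope an instance actually carries before trying a write, you can read its scopes from the metadata server and classify them. The script below is an added example, not part of the original lab; the function names and the sample scope list are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the Cloud Storage access an instance's scopes allow.

# Fetch the scopes of the instance's default service account.
# Only works from inside a Compute Engine instance.
fetch_scopes() {
  curl -s -H "Metadata-Flavor: Google" \
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"
}

# Read scope URLs (one per line) on stdin and print the strongest
# Cloud Storage access they grant: full, read-write, read-only or none.
storage_access() {
  level=none
  while IFS= read -r scope || [ -n "$scope" ]; do
    case "$scope" in
      */auth/cloud-platform|*/auth/devstorage.full_control)
        level=full ;;
      */auth/devstorage.read_write)
        if [ "$level" != full ]; then level=read-write; fi ;;
      */auth/devstorage.read_only|*/auth/cloud-platform.read-only)
        if [ "$level" = none ]; then level=read-only; fi ;;
    esac
  done
  echo "$level"
}

# Succeed only if the scopes on stdin permit uploads (gsutil cp to a bucket).
can_write() {
  case "$(storage_access)" in
    read-write|full) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample: scopes of an instance created with Storage = Read Only.
SAMPLE_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write'
printf '%s\n' "$SAMPLE_SCOPES" | storage_access
```

On the instance itself, run `fetch_scopes | storage_access`. Scopes only cap what the instance's token may do; the service account still needs IAM permission on the bucket for the copy to succeed.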