Google cloud platform GCP:从云函数启动计算引擎实例时无法设置元数据

我正在尝试从另一个GCP项目中托管的云函数启动GCP项目中的计算引擎实例。它工作得很好，但我不能添加计算引擎，我得到一个HTTP错误代码400

云函数（Node.js，带有）：

日志：

- Function execution took 2235 ms, finished with status: 'ok'
- Compute Engine instance started successfully 
- Set metadata response: {"id":"84345484841776xxxxx","name":"operation-1587175048337-5a386fcf3d737-36e59a28-332a95f5","zone":"https://www.googleapis.com/compute/v1/projects/myGcpProject/zones/us-central1-a","operationType":"setMetadata","targetLink":"https://www.googleapis.com/compute/v1/projects/myGcpProject/zones/us-central1-a/instances/myVmInstance","targetId":"48593751438611xxxxx","status":"RUNNING","user":"cloud-function@myCloudFunctionGcpProject.iam.gserviceaccount.com","progress":0,"insertTime":"2020-04-17T18:57:28.704-07:00","startTime":"2020-04-17T18:57:28.721-07:00","selfLink":"https://www.googleapis.com/compute/v1/projects/myGcpProject/zones/us-central1-a/operations/operation-1587175048337-5a386fcf3d737-36e59a28-332a95f5","kind":"compute#operation"} 
- Function execution started

当我使用SSH登录计算引擎实例时，我无法读取元数据“myMeta”（只有默认情况下的启动脚本）：

我可以看到该操作，但得到HTTP错误代码400

$ gcloud compute operations list | grep operation-1587175048337-5a386fcf3d737-36e59a28-332a95f5
operation-1587175048337-5a386fcf3d737-36e59a28-332a95f5    setMetadata    us-central1-a/instances/myVmInstance  400          DONE    2020-04-17T18:57:28.704-07:00

云功能使用的服务帐户在承载计算引擎实例的GCP中具有Compute Admin角色

---

我错过了什么

@John Hanley是对的，我需要等待操作完成

此外，即使云功能使用的服务帐户被授予托管计算引擎实例的GCP项目上的角色Compute Admin，它也需要被授予计算引擎实例使用的服务帐户上的角色

否则我会得到下面的错误

Error: The user does not have access to service account '661830xxxxxx-compute@developer.gserviceaccount.com'. User: 'cloud-function@myCloudFunctionGcpProject.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account

云函数代码（Node.js）：

---

SetMetadata正在返回操作令牌。这意味着您需要等待操作完成。另外，查看您的日志消息。SetMetadata响应在VM启动消息之后打印。

$ gcloud compute operations list | grep operation-1587175048337-5a386fcf3d737-36e59a28-332a95f5
operation-1587175048337-5a386fcf3d737-36e59a28-332a95f5    setMetadata    us-central1-a/instances/myVmInstance  400          DONE    2020-04-17T18:57:28.704-07:00

Error: The user does not have access to service account '661830xxxxxx-compute@developer.gserviceaccount.com'. User: 'cloud-function@myCloudFunctionGcpProject.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account

const Compute = require('@google-cloud/compute');
const compute = new Compute({
  projectId: 'myGcpProject'
});

exports.startVmInstance = async (data, context, callback) => {
  let zone = compute.zone('us-central1-a');
  let vm = zone.vm('myVmInstance');
  let metadata = {
    'myMeta': 'myValue'
  };

  let setMetadataOperation;
  await vm.setMetadata(metadata).then((response) => {
    setMetadataOperation = response[0];
    console.info('Set metadata response: ' + JSON.stringify(response[1]));
  }).catch((error) => {
    throw 'Error while setting metadata to VM instance: ' + error;
  });

  await setMetadataOperation.promise().then(() => {
    console.info('The operation setMetadata successfully completed');
  }).catch((error) => {
    throw 'Error with the operation setMetadata: ' + error;
  });

  await vm.start().then(() => {
    console.info('Compute Engine instance started successfully');
  }).catch(error => {
    throw 'Error while starting Compute Engine instance: ' + error;
  });

  callback();
};