Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error

Thread starter: ahmet alp balkan
I have created a custom service account travisci-deployer@PROJECT_ID.iam.gserviceaccount.com on my project and gave it the Cloud Run Admin role:

Code:
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
   --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
   --role="roles/run.admin"

Then I set this service account as the identity for my gcloud commands:

Code:
gcloud auth activate-service-account --key-file=google-key.json

But when I ran the gcloud beta run deploy command, I got an error about the "Compute Engine default service account" not having iam.serviceAccounts.actAs permission:

Code:
gcloud beta run deploy -q "${SERVICE_NAME}" \
  --image="${CONTAINER_IMAGE}" \
  --allow-unauthenticated

Code:
Deploying container to Cloud Run service [$APP_NAME] in project [$PROJECT_ID] region [us-central1]
Deploying...
Deployment failed
ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: Permission 'iam.serviceaccounts.actAs'
denied on service account [email protected]

This seems weird to me (because I'm not using the GCE default service account identity, although it's used by the Cloud Run app once the app is deployed).

So the [email protected] account is being used for the API call, and not my travisci-deployer@PROJECT_ID.iam.gserviceaccount service account configured on gcloud?

How can I address this?
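
The error names the identity the service will run as, not the caller: the deploying account needs `iam.serviceAccounts.actAs` on that runtime service account, and `roles/run.admin` does not carry it. The sketch below is an added example, not part of the original post; it checks IAM policy JSON for a direct actAs grant and builds the least-privilege binding command. The project ID, project number, e-mail addresses and policies are constructed, and the role list is an assumption that is deliberately not exhaustive.

```python
# Added example: every policy, project ID and e-mail address below is constructed.
# Roles assumed here to carry iam.serviceAccounts.actAs (not an exhaustive list).
# roles/run.admin is absent on purpose: it manages Cloud Run services but does
# not allow acting as the identity a service runs under.
ACTAS_ROLES = {"roles/iam.serviceAccountUser"}

DEPLOYER = "serviceAccount:travisci-deployer@example-project.iam.gserviceaccount.com"
RUNTIME_SA = "123456789012-compute@developer.gserviceaccount.com"

# Shape of `gcloud projects get-iam-policy PROJECT --format=json` (constructed).
PROJECT_POLICY = {"bindings": [
    {"role": "roles/run.admin", "members": [DEPLOYER]},
]}
# Shape of `gcloud iam service-accounts get-iam-policy SA --format=json` (constructed).
RUNTIME_SA_POLICY_BEFORE = {}  # a resource without bindings has no "bindings" key
RUNTIME_SA_POLICY_AFTER = {"bindings": [
    {"role": "roles/iam.serviceAccountUser", "members": [DEPLOYER]},
]}


def roles_for(policy, member):
    """Roles bound directly to member (groups and conditions are not evaluated)."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def actas_grants(member, project_policy, sa_policy):
    """Return sorted (scope, role) pairs that let member act as the service account."""
    grants = [("project", r) for r in roles_for(project_policy, member) & ACTAS_ROLES]
    grants += [("service-account", r) for r in roles_for(sa_policy, member) & ACTAS_ROLES]
    return sorted(grants)


def remediation(member, runtime_sa):
    """Least-privilege fix: bind on the one runtime account, not project-wide."""
    return (f'gcloud iam service-accounts add-iam-policy-binding "{runtime_sa}" '
            f'--member="{member}" --role="roles/iam.serviceAccountUser"')


if __name__ == "__main__":
    for label, sa_policy in [("before", RUNTIME_SA_POLICY_BEFORE),
                             ("after", RUNTIME_SA_POLICY_AFTER)]:
        grants = actas_grants(DEPLOYER, PROJECT_POLICY, sa_policy)
        print(label, grants or "no direct actAs grant found")
    print(remediation(DEPLOYER, RUNTIME_SA))
```

Binding the role on the single runtime service account rather than on the project keeps the deployer from being able to act as every service account in the project.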