Cloud Build fails to deploy to Google App Engine - You do not have permission to act as @appspot.gserviceaccount.com

Question

This morning I made a PR which triggered a Cloud Build for my staging enviroment but failed to deploy the results to GAE.

The error was as follows:

ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as '[redacted]@appspot.gserviceaccount.com' Step #4: - '@type': type.googleapis.com/google.rpc.ResourceInfo Step #4: description: You do not have permission to act as this service account. Step #4: resourceName: [redacted]@appspot.gserviceaccount.com Step #4: resourceType: serviceAccount

When I look at https://console.cloud.google.com/cloud-build/settings/service-account Cloud build has the follow service account permissions ENABLED:

• App Engine Admin
• Cloud KMS

Checking https://console.cloud.google.com/iam-admin/iam I can see that the cloudbuild service account has the following roles:

• App Engine Admin
• App Engine Deployer
• Cloud Build Service Account
• Cloud KMS CryptoKey Decrypter

Answer 1

According to the provided error, it seems like you need to add some delegation to your service account. This means that the service account can act on behalf of another service account. Do not add this permission on the project level, since it poses a security risk! Below you can find an example of how to add roles/iam.serviceAccountUser on another service account.

PROJECT_ID=xxxxxx  PROJECT_NUMBER=$(gcloud projects list \   --format="value(projectNumber)" \   --filter="projectId=${PROJECT_ID}")  gcloud iam service-accounts add-iam-policy-binding \     ${PROJECT_ID}@appspot.gserviceaccount.com \     --member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com \     --role=roles/iam.serviceAccountUser \     --project=${PROJECT_ID} 

To summarize, the service account must have the iam.serviceAccounts.actAs permission, which is included in the roles/iam.serviceAccountUser role. Updated Google documentation can be found here.