Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error

Tags:

docker

google-cloud-platform

gcloud

google-cloud-run

google-iam

I have created a custom service account travisci-deployer@PROJECT_ID.iam.gserviceaccount.com on my project and gave it the Cloud Run Admin role:

gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
   --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
   --role="roles/run.admin"

Then I set this service account as the identity for my gcloud commands:

gcloud auth activate-service-account --key-file=google-key.json

But when I ran gcloud beta run deploy command, I got an error about the "Compute Engine default service account" not having iam.serviceAccounts.actAs permission:

gcloud beta run deploy -q "${SERVICE_NAME}" \
  --image="${CONTAINER_IMAGE}" \
  --allow-unauthenticated

Deploying container to Cloud Run service [$APP_NAME] in project [$PROJECT_ID] region [us-central1]
Deploying...
Deployment failed
ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: Permission 'iam.serviceaccounts.actAs'
denied on service account [email protected]

This seems weird to me (because I'm not using the GCE default service account identity, although it's used by Cloud Run app once the app is deployed).

So the [email protected] account is being used for the API call, and not my travisci-deployer@PROJECT_ID.iam.gserviceacount service account configured on gcloud?

How can I address this?

like image 341
ahmet alp balkan Avatar asked Apr 22 '19 03:04

ahmet alp balkan

2 Answers

TLDR: Add Cloud Run Admin and Service Account User roles to your service account.

If we read the docs in detail for the IAM Reference page for Cloud Run which is found here, we find the following text:

A user needs the following permissions to deploy new Cloud Run services or revisions:

  • run.services.create and run.services.update on the project level. Typically assigned through the roles/run.admin role. It can be changed in the project permissions admin page.
  • iam.serviceAccounts.actAs for the Cloud Run runtime service account. By default, this is [email protected]. The permission is typically assigned through the roles/iam.serviceAccountUser role.

I think these extra steps explain the story as you see it.

like image 50
Kolban Avatar answered Sep 21 '22 19:09

Kolban

Adding Cloud Run Admin and Service Account User roles to my own service account fixed this for me. See step 2 in the docs here: https://cloud.google.com/run/docs/continuous-deployment#continuous

like image 20
Tobi Avatar answered Sep 24 '22 19:09

Tobi
Sign in to Comment

Related questions

How to add a file to an image in Dockerfile without using the ADD or COPY directive
How to connect to local MySQL server through Docker?
How do you set-up Mongo replica set on Kubernetes?
Best practice for connecting to a vpn though docker [closed]
Connecting to docker-in-docker from a GitLab CI runner
How to achieve a rolling update with docker-compose?
Is there a way to directly deploy a container from docker hub to google compute engine?
How to pass GitLab CI file variable to Dockerfile and docker container?
Dockerfile: Benefits of repeated apt cache cleans
How to clone a Git repository from a Docker container
Postgres Docker image is not creating database with custom name
Error response from daemon: Drive has not been shared
How to change the nginx process user of the official docker image nginx?
How to connect to a MySQL Docker Container via SSH?
Docker and Java - FontConfiguration issue
How to define root volume size in AWS batch
Docker-compose tagging and pushing
When using Docker, ESTABLISHED connections don't appear in netstat
Docker warning: failed to get default registry endpoint from daemon
How to get the list of docker images from Azure private registry

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!