
Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error

I have created a custom service account travisci-deployer@PROJECT_ID.iam.gserviceaccount.com on my project and gave it the Cloud Run Admin role:

gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
   --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
   --role="roles/run.admin"

Then I set this service account as the identity for my gcloud commands:

gcloud auth activate-service-account --key-file=google-key.json

But when I ran gcloud beta run deploy command, I got an error about the "Compute Engine default service account" not having iam.serviceAccounts.actAs permission:

gcloud beta run deploy -q "${SERVICE_NAME}" \
  --image="${CONTAINER_IMAGE}" \
  --allow-unauthenticated
Deploying container to Cloud Run service [$APP_NAME] in project [$PROJECT_ID] region [us-central1]
Deploying...
Deployment failed
ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: Permission 'iam.serviceaccounts.actAs'
denied on service account 1075231960084-compute@developer.gserviceaccount.com

This seems weird to me (because I'm not using the GCE default service account identity, although it's used by the Cloud Run app once the app is deployed).

So the 1075231960084-compute@developer.gserviceaccount.com account is being used for the API call, and not my travisci-deployer@PROJECT_ID.iam.gserviceaccount.com service account configured on gcloud?

How can I address this?

TLDR: Add Cloud Run Admin and Service Account User roles to your service account.

If we read the docs in detail for the IAM Reference page for Cloud Run which is found here, we find the following text:

A user needs the following permissions to deploy new Cloud Run services or revisions:

  • run.services.create and run.services.update on the project level. Typically assigned through the roles/run.admin role. It can be changed in the project permissions admin page.
  • iam.serviceAccounts.actAs for the Cloud Run runtime service account. By default, this is PROJECT_NUMBER-compute@developer.gserviceaccount.com. The permission is typically assigned through the roles/iam.serviceAccountUser role.

I think these extra steps explain the story as you see it.

Adding Cloud Run Admin and Service Account User roles to my own service account fixed this for me. See step 2 in the docs here: https://cloud.google.com/run/docs/continuous-deployment#continuous

Though you can resolve this particular error by granting the account permission to act as the Compute Engine default service account, it goes against the "best practices" advice:

By default, Cloud Run services run as the default Compute Engine service account. However, Google recommends using a user-managed service account with the most minimal set of permissions. Learn how to deploy Cloud Run services with user-managed service accounts in the Cloud Run service identity documentation.

You can indicate which service account identity the Cloud Run deployment will assume like so:

gcloud run deploy -q "${SERVICE_NAME}" \
  --image="${CONTAINER_IMAGE}" \
  --allow-unauthenticated \
  --service-account "${SERVICE_ACCOUNT_EMAIL}"
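Putting the first and third answers together, here is an added example (not from the original thread) of a deployment script that grants the deployer account only what the IAM reference lists: roles/run.admin on the project, and roles/iam.serviceAccountUser scoped to the one runtime service account rather than project-wide, then deploys with --service-account. The project ID, image, service name and the runtime account name cloud-run-runtime are placeholders; it assumes gcloud is installed, the deployer key is already activated and the runtime account already exists.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Assumes gcloud is installed,
# the deployer key is already activated, and the runtime SA below exists.
set -eu
PROJECT_ID="${PROJECT_ID:-my-project}"                            # placeholder
SERVICE_NAME="${SERVICE_NAME:-my-service}"                        # placeholder
CONTAINER_IMAGE="${CONTAINER_IMAGE:-gcr.io/my-project/my-image}"  # placeholder
DEPLOYER_SA="travisci-deployer@${PROJECT_ID}.iam.gserviceaccount.com"
# User-managed runtime identity (hypothetical name), not the compute default.
RUNTIME_SA="cloud-run-runtime@${PROJECT_ID}.iam.gserviceaccount.com"

# Project level: run.services.create/update come with roles/run.admin.
grant_run_admin() {
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$DEPLOYER_SA" \
    --role="roles/run.admin"
}

# Resource level: iam.serviceAccounts.actAs is granted on the runtime service
# account itself, so the deployer may act as this one account only, instead of
# every service account in the project (which a project-wide binding allows).
grant_actas_on_runtime_sa() {
  gcloud iam service-accounts add-iam-policy-binding "$RUNTIME_SA" \
    --member="serviceAccount:$DEPLOYER_SA" \
    --role="roles/iam.serviceAccountUser"
}

# Check: the runtime SA's own policy must list the deployer under that role.
check_actas_binding() {
  gcloud iam service-accounts get-iam-policy "$RUNTIME_SA" \
    --flatten="bindings[].members" \
    --filter="bindings.role=roles/iam.serviceAccountUser" \
    --format="value(bindings.members)" | grep -q "serviceAccount:$DEPLOYER_SA"
}

# Deploy the service as the user-managed runtime SA (the third answer's flag).
deploy_service() {
  gcloud run deploy -q "$SERVICE_NAME" \
    --image="$CONTAINER_IMAGE" \
    --allow-unauthenticated \
    --service-account="$RUNTIME_SA"
}

main() {
  grant_run_admin
  grant_actas_on_runtime_sa
  check_actas_binding || { echo "actAs binding missing on $RUNTIME_SA" >&2; exit 1; }
  deploy_service
}
# Runs only when asked explicitly: RUN_DEPLOY=1 ./deploy.sh
if [ "${RUN_DEPLOY:-0}" = "1" ]; then main "$@"; fi
```

With RUN_DEPLOY unset the script only defines the functions, so it can be sourced and the grant, check and deploy steps run one at a time.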

You need to add the "Service Account User" role to your service account:

Currently, in beta, all Cloud Run services run as the default compute account (the same as the Google Compute Engine default service account).

The ability to run services as a different service account will be available in a future release.
