10

I am trying to deploy a service with a non-default service account by following this guide and it says I need "the iam.serviceAccounts.actAs permission on the service account being deployed". The service account I am using is @cloudbuild.gserviceaccount.com, but I don't see the option to add it on my project's Permissions page.

John Hanley
sdfsdf

1 Answer

15

The key point is that the service account is a resource. You need to add an IAM role for your identity to the service account (the resource). This grants you permissions on the resource (service account).

  • Open the Google Cloud Console. Go to IAM & Admin -> Service accounts.

  • Find the service account. Tick the box to the left of the service account.

  • In the right-hand "Permissions" panel, click ADD MEMBER

  • Add your IAM member email address. For the role select Service Accounts -> Service Account User.

  • Click Save

You can also use the CLI:

gcloud iam service-accounts add-iam-policy-binding [SERVICE_ACCOUNT] --member [MEMBER_EMAIL] --role roles/iam.serviceAccountUser

Reference: `gcloud iam service-accounts add-iam-policy-binding`

John Hanley
  • For Cloud Run specifically, I need to add permissions to `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com` (according to [this guide](https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#building_and_deploying_a_container)) and I don't see that on the Service accounts page, but I do see it on the IAM page. I have already added a `Secret Manager Admin` role to my cloud build service account, but my deployed container cannot access the Secret Manager – sdfsdf Apr 21 '20 at 05:39
  • 1
    That service account is the "Compute Engine default service account". It has to be there under "Service accounts". This is created by Google for you. Go back and look again. If you deleted it, contact Google support. The entry under "IAM" is for the project (granting permissions to the service account to resources in the project) and not for the service account resource. https://cloud.google.com/compute/docs/access/service-accounts#default_service_account – John Hanley Apr 21 '20 at 05:56
  • for some reason, the CLI command in the answer fails from my Ubuntu. This works: `gcloud iam service-accounts add-iam-policy-binding 89random-compute@developer.gserviceaccount.com --member='user:kmonsoor@example.com' --role='roles/iam.serviceAccountUser'` Note the extra "=user:" thing. – kmonsoor Dec 27 '20 at 01:39
  • 2
    @kmonsoor - Your comment is correct. For users, prepend the email address with `user:`, for service accounts prepend with `serviceAccount:`, etc. There are additional types such as group, domain, etc. This is documented in the link in my answer. – John Hanley Dec 27 '20 at 23:43