0
votes

I gave someone access to Cloud Run as an Admin but he still could not run the Google Cloud Run helloworld due to permissions. After that, I then just temporarily gave him Owner access to the whole project and he no longer got permission denied and everything worked fine. Clearly, I don't want him to just have full access to the project. How do I give fine-grained permissions so he can deploy new apps in Cloud Run?

This is for Cloud Run, not Anthos. My colleague is trying to deploy and run helloworld found here https://cloud.google.com/run/docs/quickstarts/build-and-deploy.

2
@steren's answer is correct for managing Cloud Run Managed. To help future readers, define what you mean by access. There are two types: 1) to manage a Cloud Run service; 2) to connect to your application running as a container in Cloud Run. Also clarify if you are asking about Cloud Run Managed or Cloud Run Anthos (Kubernetes). - John Hanley
Thanks @JohnHanley, I added more detail. Unfortunately Steren's answer is not working for some reason. - Dean Hiller
Steren's answer is correct. Something must be missing or mis-configured. Show which roles you have assigned to the IAM member ID in your question. Also, is the user using User Credentials or a Service Account? What tools is the user using? More details please. - John Hanley
Definitely, I'll have to follow up next week when I meet up with him again. - Dean Hiller

2 Answers

3
votes

See here for the list of permissions needed to deploy.

You can grant these two roles:

  1. "Cloud Run Admin"
  2. "Service Account User"

0
votes

Cloud Run Admin has two of the permissions necessary for deploying Cloud Run services ('run.services.create' and 'run.services.update'). However, according to the Cloud Run documentation you will need the additional 'iam.serviceAccounts.actAs' permission associated with the service account.

This permission can be granted through the 'roles/iam.serviceAccountUser' role (Service Account User).

It seems there is an additional project permission in the Cloud Admin role needed by the Cloud Run environment, so also add the Project Editor role to the user account.
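
An added example, not part of either answer: a check over the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` that reports which deploy permissions a member would lack once basic roles such as the temporary Owner grant are removed. The sample policy, the member addresses and the function names are constructed for illustration; the role-to-permission pairs are the ones given in the answers.

```python
import json

# Roles named in the answers, with the deploy permissions the page attributes to them.
DEPLOY_ROLES = {
    "roles/run.admin": {"run.services.create", "run.services.update"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
}
# Basic roles cover deployment too, but grant far more than the question wants.
BASIC_ROLES = {"roles/owner", "roles/editor"}


def roles_for(policy, member):
    """Return {role: True if only conditionally granted} for bindings naming member."""
    found = {}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            conditional = "condition" in binding
            # An unconditional grant of the same role wins over a conditional one.
            found[binding["role"]] = found.get(binding["role"], True) and conditional
    return found


def audit_deployer(policy, member):
    """Report what member lacks for deploying when basic roles are not counted."""
    roles = roles_for(policy, member)
    granted = set()
    for role, perms in DEPLOY_ROLES.items():
        if role in roles and not roles[role]:
            granted |= perms
    needed = set().union(*DEPLOY_ROLES.values())
    return {
        "missing_without_basic_roles": sorted(needed - granted),
        "conditional_roles": sorted(r for r, c in roles.items() if c and r in DEPLOY_ROLES),
        "basic_roles": sorted(BASIC_ROLES & set(roles)),
    }


# Constructed sample mirroring the question: Cloud Run Admin plus a temporary Owner grant.
SAMPLE_POLICY = json.loads("""
{"version": 1, "bindings": [
  {"role": "roles/run.admin", "members": ["user:dev@example.com"]},
  {"role": "roles/owner", "members": ["user:admin@example.com", "user:dev@example.com"]},
  {"role": "roles/iam.serviceAccountUser", "members": ["user:other@example.com"]}
]}
""")

if __name__ == "__main__":
    print(audit_deployer(SAMPLE_POLICY, "user:dev@example.com"))
```

The check only sees the policy it is given, so a Service Account User binding made on the service account itself (listed by `gcloud iam service-accounts get-iam-policy`) has to be audited from that policy's JSON separately.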