45
votes

This morning I made a PR which triggered a Cloud Build for my staging environment but failed to deploy the results to GAE.

The error was as follows:

ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as '[redacted]@appspot.gserviceaccount.com'
Step #4: - '@type': type.googleapis.com/google.rpc.ResourceInfo
Step #4:   description: You do not have permission to act as this service account.
Step #4:   resourceName: [redacted]@appspot.gserviceaccount.com
Step #4:   resourceType: serviceAccount

When I look at https://console.cloud.google.com/cloud-build/settings/service-account Cloud Build has the following service account permissions ENABLED:

  • App Engine Admin
  • Cloud KMS

Checking https://console.cloud.google.com/iam-admin/iam I can see that the cloudbuild service account has the following roles:

  • App Engine Admin
  • App Engine Deployer
  • Cloud Build Service Account
  • Cloud KMS CryptoKey Decrypter
6
Hi @LawsonTaylor considering the error message you are seeing, it might be related to the fact that the default Cloud Build service account does not allow access to deploy App Engine. Could you please follow the steps here to give deployer permission to your Cloud Build service account? (gso_gabriel)

@gso_gabriel For my projects, this has been working fine for quite some time, but stopped working this morning. This doc may need to be updated: cloud.google.com/cloud-build/docs/deploying-builds/… - I only had the "App Engine Admin" permission as indicated by the doc. I added the "App Engine Deployer" IAM Permission as your link suggested, and it still doesn't work. (Albert)

Just to add more details, this is definitely a recent change/regression in GCP. My build account previously had the App Engine Deployer role, but started failing with a recent build. I had to use @Nebulastic's answer to fix. Would be nice if the App Engine team could comment with a bug number - seems very strange that having "App Engine Deployer" role alone is no longer enough to actually deploy App Engine. (adevine)

6 Answers

39
votes

According to the provided error, it seems like you need to add some delegation to your service account. This means that the service account can act on behalf of another service account. Do not add this permission on the project level, since it poses a security risk! Below you can find an example of how to add roles/iam.serviceAccountUser on another service account.

# Replace with your own project ID
PROJECT_ID=xxxxxx

# Look up the project number; the default Cloud Build service account is named after it
PROJECT_NUMBER=$(gcloud projects list \
  --format="value(projectNumber)" \
  --filter="projectId=${PROJECT_ID}")

# Grant the binding on the App Engine default service account itself, not on the project
gcloud iam service-accounts add-iam-policy-binding \
    ${PROJECT_ID}@appspot.gserviceaccount.com \
    --member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com \
    --role=roles/iam.serviceAccountUser \
    --project=${PROJECT_ID}

To summarize, the service account must have the iam.serviceAccounts.actAs permission, which is included in the roles/iam.serviceAccountUser role. Updated Google documentation can be found here.
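A way to verify the point made in this answer (and repeated in the later answers that say "add Service Account User to your CI/CD service account") before and after applying the gcloud command: the following Python script is an added example, not code from the answer or from Google. It reads IAM policies in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts get-iam-policy SA --format=json` print, and reports whether the Cloud Build service account gets `iam.serviceAccounts.actAs` on the App Engine default service account from a binding on that service account (the scoped grant the answer recommends), only from a project-level role (works, but lets the member act as every service account in the project), or not at all. The project ID, project number and policies in the block are constructed sample data, and the set of roles treated as carrying `actAs` is limited to three predefined roles, which is an assumption of this example rather than an exhaustive list.

```python
"""Classify how a CI service account gets actAs on the App Engine default SA.

Added example, not code from the original answer. All identifiers and
policies below are constructed sample data in the JSON shape gcloud prints
for `get-iam-policy --format=json` (a dict with a "bindings" list of
{"role": ..., "members": [...]}).
"""
import json

# Predefined roles known to carry iam.serviceAccounts.actAs (assumption of
# this example; custom roles may carry the permission as well).
ACT_AS_ROLES = {"roles/iam.serviceAccountUser", "roles/owner", "roles/editor"}

# Constructed identifiers; replace with your own when using real gcloud output.
PROJECT_ID = "example-staging"
PROJECT_NUMBER = "123456789012"
CLOUDBUILD_SA = f"serviceAccount:{PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"
APPSPOT_SA = f"{PROJECT_ID}@appspot.gserviceaccount.com"


def _policy(bindings):
    """Build a policy dict in gcloud's JSON shape from (role, members) pairs."""
    return {
        "bindings": [{"role": role, "members": list(members)} for role, members in bindings],
        "etag": "BwXconstructed=",
        "version": 1,
    }


# Constructed: the project-level roles listed in the question (no actAs among them).
BASE_PROJECT_BINDINGS = [
    ("roles/appengine.appAdmin", [CLOUDBUILD_SA]),
    ("roles/appengine.deployer", [CLOUDBUILD_SA]),
    ("roles/cloudbuild.builds.builder", [CLOUDBUILD_SA]),
    ("roles/cloudkms.cryptoKeyDecrypter", [CLOUDBUILD_SA]),
]
PROJECT_POLICY = _policy(BASE_PROJECT_BINDINGS)
# Constructed: the risky variant, Service Account User granted on the whole project.
PROJECT_POLICY_RISKY = _policy(
    BASE_PROJECT_BINDINGS + [("roles/iam.serviceAccountUser", [CLOUDBUILD_SA])]
)
# Constructed: the App Engine default SA's own policy before and after the fix.
SA_POLICY_BEFORE = _policy([])
SA_POLICY_AFTER = _policy([("roles/iam.serviceAccountUser", [CLOUDBUILD_SA])])


def roles_for_member(policy, member):
    """Return the set of roles `member` holds in one IAM policy document."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def assess_act_as(project_policy, sa_policy, member):
    """'ok' when actAs comes from a binding on the service account itself,
    'project-wide' when it comes only from a project-level role, else 'missing'.
    Project-level grants apply to every service account in the project, which is
    why the answer warns against them."""
    if roles_for_member(sa_policy, member) & ACT_AS_ROLES:
        return "ok"
    if roles_for_member(project_policy, member) & ACT_AS_ROLES:
        return "project-wide"
    return "missing"


def fix_command(project_id, project_number):
    """The service-account-scoped binding from the answer, as one gcloud command."""
    return (
        "gcloud iam service-accounts add-iam-policy-binding "
        f"{project_id}@appspot.gserviceaccount.com "
        f"--member=serviceAccount:{project_number}@cloudbuild.gserviceaccount.com "
        f"--role=roles/iam.serviceAccountUser --project={project_id}"
    )


def load_policy(path):
    """Load a policy saved with `gcloud ... get-iam-policy ... --format=json > path`."""
    with open(path) as handle:
        return json.load(handle)


if __name__ == "__main__":
    cases = [
        ("before fix", PROJECT_POLICY, SA_POLICY_BEFORE),
        ("after fix", PROJECT_POLICY, SA_POLICY_AFTER),
        ("project-level grant", PROJECT_POLICY_RISKY, SA_POLICY_BEFORE),
    ]
    for label, project_policy, sa_policy in cases:
        status = assess_act_as(project_policy, sa_policy, CLOUDBUILD_SA)
        print(f"{label}: {CLOUDBUILD_SA} acting as {APPSPOT_SA} -> {status}")
        if status != "ok":
            print("  scoped fix:", fix_command(PROJECT_ID, PROJECT_NUMBER))
```

To run it against a real project, save the two policies with the gcloud commands named in the docstring and pass the loaded dicts to `assess_act_as`; a result of `project-wide` means deploys work but the build account can act as every service account in the project, so the project-level binding should be replaced by the scoped one.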

19
votes

I had the same issue. For me I had to add the Service Account User role to my CircleCI user in IAM. Maybe you can do the same for Cloud Build.

10
votes

I granted the Service Account User permission to my CI/CD service account. That works.

Screenshot of IAM

Screenshot of my Gitlab CI/CD configuration

2
votes

To resolve this issue, you can add Service Account User IAM permission to your CI/CD pipeline service account.

E.g. if you're using Cloud Build, then add the Service Account User role to your {project-number}@cloudbuild.gserviceaccount.com service account.

2
votes

First we go to the permission manager and select the project that we want to add permissions to: https://console.cloud.google.com/iam-admin/


-1
votes

It looks as though this question is answered with the .ActAs permission being added to the Gitlab or CircleCI account.

I haven't had occasion to test yet - if anyone else has and can post details, please do so.

This is the proposed answer from what I can gather: How do you enable "iam.serviceAccounts.actAs" permissions on a service account?

Nebulastic has a very nice answer above but the {PROJECT_ID} would need to be swapped with the Gitlab or CircleCI account name, not the project named account.