I created a custom role from the Deployment Manager Editor role and used it with a service account. This gives the service account access to create resources using Deployment Manager in GCP, and it doesn't require adding the Service Account User (roles/iam.serviceAccountUser) role to that service account. But when I created a role to create custom images using Packer and used it with another service account, the Service Account User role was required. Please let me know why Service Account User is not required when I'm using Deployment Manager to create resources?
1
votes
Please explain the "but when I created a role to create custom images using Packer and used it with another service account" part. Do you use two different service accounts, one for Deployment Manager and a second for Packer?
- Wojtek_B
Yes, there are two different service accounts, one for Packer and one for Deployment Manager, but the Packer one requires the Service Account User role while the Deployment Manager service account does not.
- hritz220
1 Answer
1
votes
why "service account user" is not required when I'm using deployment manager to create resources?
Deployment Manager uses the credentials of the Google APIs service account for permissions to access resources. That identity has the Editor role, which includes the permission iam.serviceAccounts.actAs.
The service account name is: [PROJECT_NUMBER]@cloudservices.gserviceaccount.com
To list the roles, modify and use this command:
gcloud projects get-iam-policy <PROJECT_ID> \
--flatten="bindings[].members" \
--format="table(bindings.role)" \
--filter="bindings.members:<SERVICE_ACCOUNT>"
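The same check done offline against an exported policy, as an added example that is not part of the answer above. It assumes a policy JSON in the shape produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`; the embedded policy is constructed for illustration (project number 123456789012, project ID my-project, and the dm-deployer and packer-builder service accounts are hypothetical). It lists the project-level roles bound to a service account, the way the gcloud --flatten/--filter pipeline does, and flags whether any of them is a predefined role known to carry iam.serviceAccounts.actAs.

```python
import json

# Constructed sample in the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`. Not real project data:
# the project number, project ID and custom service account names are hypothetical.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com",
                 "serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/deploymentmanager.editor",
     "members": ["serviceAccount:dm-deployer@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["serviceAccount:packer-builder@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:packer-builder@my-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyz",
  "version": 1
}
""")

# Predefined roles that include iam.serviceAccounts.actAs. Non-exhaustive:
# a custom role or another predefined role may also grant the permission.
ACT_AS_ROLES = {"roles/owner", "roles/editor", "roles/iam.serviceAccountUser"}


def default_cloudservices_sa(project_number):
    """Email of the Google APIs service account that Deployment Manager runs as."""
    return f"{project_number}@cloudservices.gserviceaccount.com"


def roles_for_member(policy, email):
    """Sorted project-level roles bound to a service account email.

    Mirrors the gcloud --flatten="bindings[].members"
    --filter="bindings.members:<SA>" listing. Only looks at this policy, so
    roles inherited from a folder or organization are not visible here.
    """
    member = f"serviceAccount:{email}"
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def can_act_as(policy, email):
    """True if a bound role is known to include iam.serviceAccounts.actAs."""
    return any(role in ACT_AS_ROLES for role in roles_for_member(policy, email))


def act_as_report(policy, emails):
    """Map each email to (roles, has_act_as) for a quick side-by-side comparison."""
    return {e: (roles_for_member(policy, e), can_act_as(policy, e)) for e in emails}


if __name__ == "__main__":
    accounts = [
        default_cloudservices_sa("123456789012"),
        "dm-deployer@my-project.iam.gserviceaccount.com",
        "packer-builder@my-project.iam.gserviceaccount.com",
    ]
    for email, (roles, act_as) in act_as_report(SAMPLE_POLICY, accounts).items():
        print(f"{email}\n  roles: {roles}\n  actAs via predefined role: {act_as}")
```

In the constructed policy the Deployment Manager deployer account has only roles/deploymentmanager.editor and no actAs, yet deployments still work because the Google APIs service account that Deployment Manager actually runs as holds roles/editor; the Packer account, which must itself attach a service account to the build VM, needs roles/iam.serviceAccountUser directly. The check is project-level only and does not evaluate conditional bindings.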