I am currently trying to copy a development project into a production one. All of the code and files are transferred already, but the Cloud Run functions are not building.

I will provide some more information about the two project architectures, in case it might help. In the development project, we have a staging branch. Any changes pushed to this branch fires up Cloud Build triggers that do a sanity check on incoming changes and deploy the updated code. We can then merge these changes with the master branch and push, which fires additional Cloud Build triggers to copy over the code from the development project to the production one.

The error is:

ERROR: (gcloud.run.deploy) User [[email protected]] does not have permission to access namespaces instance [Project ID] (or it may not exist): Permission 'iam.serviceaccounts.actAs' denied on service account [email protected] (or it may not exist).

The [email protected] has the following permissions: App Engine Admin, BigQuery Job User, Cloud Build Service Account, Cloud Functions Admin, Cloud Functions Developer, Cloud Scheduler Admin, Editor, Service Account Token Creator, Service Account User, Pub/Sub Editor, Cloud Run Admin, Secret Manager Secret Accessor, Storage Object Admin

I found a link to another question with the same issue. The accepted solution was to add the following service account and role

Email: service-<account-id>@serverless-robot-prod.iam.gserviceaccount.com
Role: Google Cloud Run Service Agent

to the IAM accounts. I tried this, and got this message: No change: member already exists on the policy. The error likely lies somewhere else.

I also noticed that the account email [email protected] was present in the development project, but not the production one. I think this might be the source of the issue, but when I try adding this account through the IAM page (changing the project-id to that of the new project), an error states: Email addresses and domains must be associated with an active Google Account, Google Workspace account, or Cloud Identity account.

I am not sure how to fix this issue, and any help is appreciated. Thank you!

Can you provide more detail on the project where you run your deployment, the target project, and other cross project info that you can have? There is something is cross project config to fix and we need more detail on that. - guillaume blaquiere
I added some more detail in the second paragraph. Is the added information understandable? I can try explaining it again if necessary. - p_mo

1 Answer


You are deploying in the production project from the development project. Therefore the Cloud Build service account of the development project needs to have the permission to deploy in the production project.

So, you need to:

  • Authorize the Cloud Build service account of the development project to create/update services and revisions in Cloud Run:

    gcloud projects add-iam-policy-binding prod-project-id --member=serviceAccount:[email protected] --role=roles/run.admin

  • Grant the Cloud Build service account of the development project permission to impersonate the production Cloud Run service's service account (by default the Compute Engine default service account):

    gcloud iam service-accounts add-iam-policy-binding prod-cloud-run-service-account --member=serviceAccount:[email protected] --role=roles/iam.serviceAccountUser --project=prod-project-id

Let me know if it's enough for you.
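A way to verify that both bindings from the answer are actually in place before re-running the trigger, as an added example that is not part of the original answer: it reads the JSON that `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json` print and reports which of the two grants is still missing. The account IDs, project ID and policy documents below are constructed sample values.

```python
"""Check the two cross-project IAM bindings a Cloud Build deploy to Cloud Run needs.

Added example, not code from the original answer. Input is the policy JSON
shape produced by `gcloud ... get-iam-policy --format=json`.
"""
import json

DEPLOY_ROLE = "roles/run.admin"               # create/update services and revisions
ACT_AS_ROLE = "roles/iam.serviceAccountUser"  # carries iam.serviceAccounts.actAs


def has_binding(policy: dict, role: str, member: str) -> bool:
    """True if `member` holds `role` through an unconditional binding.

    Conditional bindings are deliberately ignored: whether they apply depends
    on request attributes, so they must be evaluated separately.
    """
    for binding in policy.get("bindings", []):
        if binding.get("role") != role or "condition" in binding:
            continue
        if member in binding.get("members", []):
            return True
    return False


def missing_bindings(project_policy: dict, runtime_sa_policy: dict,
                     deployer_sa: str, prod_project: str, runtime_sa: str) -> list:
    """Return the gcloud commands (as given in the answer) that are still needed."""
    member = f"serviceAccount:{deployer_sa}"  # IAM member strings carry a type prefix
    fixes = []
    if not has_binding(project_policy, DEPLOY_ROLE, member):
        fixes.append(f"gcloud projects add-iam-policy-binding {prod_project} "
                     f"--member={member} --role={DEPLOY_ROLE}")
    if not has_binding(runtime_sa_policy, ACT_AS_ROLE, member):
        fixes.append(f"gcloud iam service-accounts add-iam-policy-binding {runtime_sa} "
                     f"--member={member} --role={ACT_AS_ROLE} --project={prod_project}")
    return fixes


# Constructed sample state: the dev Cloud Build SA already has run.admin on the
# prod project, but nobody granted it actAs on the prod runtime SA. That is
# exactly the state behind the "iam.serviceaccounts.actAs denied" error.
DEV_CB_SA = "123456789@cloudbuild.gserviceaccount.com"
PROD_PROJECT = "prod-project-id"
PROD_RUNTIME_SA = "987654321-compute@developer.gserviceaccount.com"
PROJECT_POLICY = json.loads('{"bindings": [{"role": "roles/run.admin", '
                            '"members": ["serviceAccount:%s"]}]}' % DEV_CB_SA)
RUNTIME_SA_POLICY = json.loads('{"bindings": [], "etag": "BwX="}')

if __name__ == "__main__":
    for cmd in missing_bindings(PROJECT_POLICY, RUNTIME_SA_POLICY,
                                DEV_CB_SA, PROD_PROJECT, PROD_RUNTIME_SA):
        print(cmd)
```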