Cloud Build fails to deploy to Google App Engine - You do not have permission to act as @appspot.gserviceaccount.com

Question

This morning I made a PR which triggered a Cloud Build for my staging enviroment but failed to deploy the results to GAE.

The error was as follows:

ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as '[redacted]@appspot.gserviceaccount.com' Step #4: - '@type': type.googleapis.com/google.rpc.ResourceInfo Step #4: description: You do not have permission to act as this service account. Step #4: resourceName: [redacted]@appspot.gserviceaccount.com Step #4: resourceType: serviceAccount

When I look at https://console.cloud.google.com/cloud-build/settings/service-account Cloud build has the follow service account permissions ENABLED:

• App Engine Admin
• Cloud KMS

Checking https://console.cloud.google.com/iam-admin/iam I can see that the cloudbuild service account has the following roles:

• App Engine Admin
• App Engine Deployer
• Cloud Build Service Account
• Cloud KMS CryptoKey Decrypter

Answer 1

According to the provided error, it seems like you need to add some delegation to your service account. This means that the service account can act on behalf of another service account. Do not add this permission on the project level, since it poses a security risk! Below you can find an example of how to add roles/iam.serviceAccountUser on another service account.

PROJECT_ID=xxxxxx

PROJECT_NUMBER=$(gcloud projects list \
  --format="value(projectNumber)" \
  --filter="projectId=${PROJECT_ID}")

gcloud iam service-accounts add-iam-policy-binding \
    ${PROJECT_ID}@appspot.gserviceaccount.com \
    --member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com \
    --role=roles/iam.serviceAccountUser \
    --project=${PROJECT_ID}

To summarize, the service account must have the iam.serviceAccounts.actAs permission, which is included in the roles/iam.serviceAccountUser role. Updated Google documentation can be found here.

Answer 2

I had the same issue. For me I had to add the Service Account User role to my circle ci user in IAM. Maybe you can do the same for cloudbuild.

Answer 3

I grant Service Account User permission to my CI/CD service account. That works.

Screenshot of IAM

Screenshot of my Gitlab CI/CD configuration

Answer 4

To resolve this issue, you can add Service Account User IAM permission to your CI/CD pipeline service account.

Eg. If you're using Cloud Build, then add Service Account User role to your {project-number}@cloudbuild.gserviceaccount.com service account

Answer 5

It looks as though this question is answered with the .ActAs permission being added to the Gitlab or CircleCI account.

I haven't had occasion to test yet - if anyone else has and can post details - please do so;

This is the proposed answer from what I can gather: How do you enable "iam.serviceAccounts.actAs" permissions on a sevice account?

Nebulastic has a very nice answer above but the {PROJECT_ID} would need to be swapped with the Gitlab or CircleCI account name, not the project named account.

Answer 6

First we go to the permission manager and select the project that we want to add permissions.; https://console.cloud.google.com/iam-admin/

Answer 7

Terraform way:

Granting service account user role to cloud sv account only on the GAE service account

data "google_app_engine_default_service_account" "app_engine_sv_account" {
  project = var.project_id
}

resource "google_service_account_iam_member" "cb-deploy-iam" {
  service_account_id = data.google_app_engine_default_service_account.app_engine_sv_account.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${var.cb_sv_account_email}"
}