How do you enable "iam.serviceAccounts.actAs" permissions on a service account? - google-cloud-platform

I am trying to deploy a service with a non-default service account by following this guide and it says I need "the iam.serviceAccounts.actAs permission on the service account being deployed". The service account I am using is @cloudbuild.gserviceaccount.com, but I don't see the option to add it on my project's Permissions page.

The key point is that the service account is a resource. You need to add an IAM role for your identity to the service account (the resource). This grants you permissions on the resource (service account).
Open the Google Cloud Console. Go to IAM & Admin -> Service accounts.
Find the service account. Tick the box to the left of the service account.
In the right-hand "Permissions" panel, click ADD MEMBER
Add your IAM member email address. For the role select Service Accounts -> Service Account User.
Click Save
You can also use the CLI:
gcloud iam service-accounts add-iam-policy-binding [SERVICE_ACCOUNT] --member [MEMBER_EMAIL] --role roles/iam.serviceAccountUser

On the service account you are using, you need to give yourself the role of Service Account User.
Go to IAM -> Service Accounts -> (your service account) -> Permissions -> Grant Access
(By doing this you are granting yourself access to use this service account)
See also:
Unable to create a new Cloud Function - cloud-client-api-gae
Cloud Build fails to deploy to Google App Engine - You do not have permission to act as @appspot.gserviceaccount.com

Related

service account permission issue while deploying cloud function

I have service account SA1 which is created in project1 with permissions (Cloud Function Invoker, Service Account User). I want to deploy a cloud function CF1 in project2 and specify SA1 in that cloud function as the SERVICE_ACCOUNT parameter. While deploying CF1 in project2 I am getting the below error even though the "Service Account User" permission exists for this SA1 in project1 and SA1 is also added in project2:
ERROR: (gcloud.functions.deploy) ResponseError: status=[403], code=[Ok], message=[Missing necessary permission iam.serviceAccounts.actAs for cloud-functions-mixer on the service account SA1.
Grant the role 'roles/iam.serviceAccountUser' to cloud-functions-mixer on the service account SA1.
It's absolutely not clear and it's a great question!
You need 2 things
Firstly, run the proposed command
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT --member=cloud-functions-mixer --role=roles/iam.serviceAccountUser
BUT what is that cloud-functions-mixer?? In fact, it's only the account that runs the command
# for you
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT --member=user:<your email> --role=roles/iam.serviceAccountUser
# for a service account (CI/CD pipeline for instance)
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT --member=serviceAccount:<service account email> --role=roles/iam.serviceAccountUser
Then activate cross-project service account usage, which is deactivated by default. You can achieve that only if you have an organisation. If you don't have one, you can't go to organisation policies.
Go to Organization policies
Look for Disable Cross-Project Service Account Usage
Edit, click on customize and add rule to disable the rule

Creating a custom service account for Cloud Run using the gcloud CLI

Background
By default, Cloud Run uses the Compute Engine default service account which grants a broad range of permissions which are not required by the container that I'm trying to run in it, and as a result I'd like to set up a new service account.
If I understand correctly, I'd need to do the following:
Create a role with the desired set of permissions (using gcloud iam roles create)
Create a service account (using gcloud iam service-accounts create)
Bind the role permissions to the service account.
Deploy an image with the service account set up in step 2 (using gcloud run deploy --service-account).
The aforementioned documentation doesn't mention how to achieve step 3. I found the gcloud iam service-accounts add-iam-policy-binding command, but I see this is a three-way binding between a user (member), a service account and a role, whereas what I've described above seems to require only a two-way binding, with the permission grant to the Cloud Run service occurring in the fourth step.
Questions
Do I have the right understanding with regards to the steps required to set up a custom service account for Cloud Run to use?
Assuming I have understood this correctly, what would be the correct way to set up the binding of permissions with the service account?
You can use a custom role in addition to a user-managed service account, but it's not mandatory. You can also create a user-managed service account and bind it with predefined roles.
Anyway, if you want to bind a custom role to a service account (or a user account, no difference), you have to use the fully qualified path for the role
# Project level
projects/<projectID>/roles/<custom role name>
# Organization level
organizations/<organizationID>/roles/<custom role name>
And the gcloud command can be this one
gcloud projects add-iam-policy-binding <projectID> \
--member=serviceAccount:<service account email> \
--role=projects/<projectID>/roles/<custom role name>

Where can I see the PubSub service account?

The PubSub service account is service-<PROJECT_NUMBER>@gcp-sa-pubsub.iam.gserviceaccount.com
The command described here to create an IAM policy binding succeeds, which shows that the service account exists.
But it does not appear in
the list of service accounts in the console https://console.cloud.google.com/iam-admin/serviceaccounts?project=<PROJECT>
nor in the IAM permissions list https://console.cloud.google.com/iam-admin/iam?project=<PROJECT> , even when I check "Include Google-provided role grants"
nor in the output of gcloud iam service-accounts list --project <PROJECT>.
Where can I see this service account listed?
The service-<PROJECT_NUMBER>@gcp-sa-pubsub.iam.gserviceaccount.com is a Google-managed service account, therefore you can see it in the list of YOUR PROJECT service accounts.
In addition, you have granted this service account on a TOPIC resource and not on a PROJECT resource. Therefore, when you go to the iam-admin page, you can see the service account at the PROJECT resource.
Anyway, you could be able to view it in the iam-admin page by checking Include Google-provided role grants.
Because you have granted the service account at TOPIC resource level, you can see it in the TOPIC page.
Go to the topic page, check a topic and go to the right-hand panel, in the permission section, and look at the role that you granted on the service account. You will find it.

What is the point of "Service Account User" role if it's not for impersonation?

The documentation for the Service Account User role is a bit confusing.
https://cloud.google.com/iam/docs/service-accounts#user-role
Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access. For example, if a service account has been granted the Compute Admin role (roles/compute.admin), a user that has been granted the Service Account Users role (roles/iam.serviceAccountUser) on that service account can act as the service account to start a Compute Engine instance. In this flow, the user impersonates the service account to perform any tasks using its granted roles and permissions.
Based on this, I assume that by granting my account the Service Account User role on a service account that is owner, I should be able to impersonate that service account from the command line and run gcloud commands with the inherited permissions of the service account:
gcloud init # login to my account that has the user role on the SA
gcloud config set auth/impersonate_service_account <service-account-email>
gcloud compute instances list
> WARNING: This command is using service account impersonation. All API calls will be executed as [<service-account>@<project>.iam.gserviceaccount.com].
> ERROR: (gcloud.compute.instances.list) Failed to impersonate [<service-account>@<project>.iam.gserviceaccount.com]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.
So I removed the User role and assigned myself the Token Creator role. Works as expected. Why does the description for the User role sound like it's the role I'm meant to be using, but it seems like Token Creator is the only one I need?
So despite the confusion of the GCP docs, I think I was able to reach a conclusion on the difference between:
Service Account User
Service Account Token Creator
As an example, if I wanted to deploy a GKE cluster but specify a service account for the nodes to use other than the default service account I would add the flag:
gcloud container clusters create my-cluster --service-account=<service-account>
For me to do this I would at a minimum require Service Account User on the service account I am attempting to assign to the resources. This role appears to also be used in other cases such as executing code on a VM and using the VM's identity instead (??).
If I wanted to deploy the cluster using the service account credentials (i.e. not my own account), I would use impersonation, which requires the Token Creator role. I might want to do this because my personal account doesn't have permission to deploy clusters but the SA does.
gcloud container clusters create my-cluster --impersonate-service-account=<service-account>
This would build the cluster and log the action as that of the service account, not my personal account.
Please correct me if I'm wrong.
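Putting together the binding on the service-account resource from the first answer on this page and the Service Account User vs Token Creator distinction worked out above, here is an added example that is not from any of these posts: a Python audit over the JSON shape that gcloud's get-iam-policy commands emit, reporting who holds actAs on a service account (and at which scope, since a project-level Service Account User grant covers every service account in the project) and who can mint tokens for it. The policies, principals and addresses are constructed samples, and group expansion and basic roles are deliberately out of scope.

```python
import json

# Service Account User carries iam.serviceAccounts.actAs (attach the SA to a deployment);
# Token Creator carries the permission to mint tokens for it (--impersonate-service-account).
SA_USER = "roles/iam.serviceAccountUser"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Constructed sample policies shaped like `gcloud iam service-accounts get-iam-policy SA
# --format=json` and `gcloud projects get-iam-policy PROJECT --format=json` output; not real data.
SA_POLICY = json.loads("""{"bindings": [
  {"role": "roles/iam.serviceAccountUser",
   "members": ["user:alice@example.com", "serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:bob@example.com"]},
  {"role": "roles/iam.serviceAccountUser", "members": ["user:carol@example.com"],
   "condition": {"title": "weekdays", "expression": "request.time.getDayOfWeek() < 6"}}
], "etag": "BwXexample", "version": 3}""")
PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/iam.serviceAccountUser", "members": ["group:ops@example.com"]},
  {"role": "roles/viewer", "members": ["user:alice@example.com"]}
]}""")

def holders(policy, role):
    """Members bound to `role` unconditionally; conditional bindings are skipped, not assumed."""
    out = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            out.update(binding.get("members", []))
    return out

def act_as_scopes(member, sa_policy, project_policy):
    """Where `member` gets actAs on this SA: 'service-account' (the narrow grant the answers
    above recommend) and/or 'project' (a grant that covers every SA in the project)."""
    scopes = []
    if member in holders(sa_policy, SA_USER):
        scopes.append("service-account")
    if member in holders(project_policy, SA_USER):
        scopes.append("project")
    return scopes

def can_impersonate(member, sa_policy, project_policy):
    """True if `member` may mint tokens for the SA, which is what impersonation needs."""
    return member in (holders(sa_policy, TOKEN_CREATOR) | holders(project_policy, TOKEN_CREATOR))

def audit(sa_policy, project_policy):
    """Every principal with unconditional actAs on the SA and the scope it comes from.
    Group expansion and basic roles (owner/editor) are deliberately not modelled."""
    members = holders(sa_policy, SA_USER) | holders(project_policy, SA_USER)
    return {m: act_as_scopes(m, sa_policy, project_policy) for m in sorted(members)}
```

Running audit() over real exports of the two policies gives a quick least-privilege review of which principals can deploy as the service account, and flags project-level grants that are wider than the single-SA binding the answers above describe.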

How can I add roles to service account in GCP?

I am using service account credential to deploy cloud function to GCP. I got a permission error:
Error: googleapi: Error 403: Missing necessary permission iam.serviceAccounts.actAs for $MEMBER on the service account
I open the service account permission in GCP but I can't find where I can add the role to the account.
Below is the screenshot of the service account. There is GRANT ACCESS button but it is used to grant member access to this account. How can I add roles on the role list?
Recapping what John said:
You do not need to grant permissions to the Service Account.
You need to grant permission to user so that they can act as that Service Account.
TL;DR:
On the screen you provided, select Grant access, enter username and pick Service Account User role.