Askar

Reputation: 523

User-managed Service Account to deploy CloudRun instance

I need your help, please. I am not able to find out what I am missing. I created a user-managed SA and provided the roles

roles/run.admin
roles/iam.serviceAccountUser


but somehow I am not able to see it when creating the service.


I also added impersonation of the default compute SA.


I am pushing changes via Terraform:

# User-managed service account that the Cloud Run service will run as.
resource "google_service_account" "sa-deployer" {
  project      = local.project_id
  account_id   = "${local.env}-sa-deployer-tf"
  display_name = "Service Account to deploy CloudRun instance"
}

# Default Compute Engine service account of the project. The resource below
# references this data source, so it has to be declared.
data "google_compute_default_service_account" "default" {
  project = local.project_id
}

# Let the deployer SA impersonate (act as) the default compute SA.
# service_account_id takes the full resource name
# (projects/{project}/serviceAccounts/{email}), which .name provides.
resource "google_service_account_iam_member" "gce-default-account-iam" {
  service_account_id = data.google_compute_default_service_account.default.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.sa-deployer.email}"

  depends_on = [
    google_service_account.sa-deployer
  ]
}

# Project-level roles for the deployer SA. google_project_iam_binding is
# authoritative for its role: on apply, any member of that role that is not
# listed here is removed from the project IAM policy. Use
# google_project_iam_member instead if other principals hold the same role.
resource "google_project_iam_binding" "sa-deployer-run-admin" {
  project = local.project_id
  role    = "roles/run.admin"

  members = [
    "serviceAccount:${google_service_account.sa-deployer.email}",
  ]

  depends_on = [
    google_service_account.sa-deployer
  ]
}

resource "google_project_iam_binding" "sa-deployer-build-admin" {
  project = local.project_id
  role    = "roles/cloudbuild.builds.builder"

  members = [
    "serviceAccount:${google_service_account.sa-deployer.email}",
  ]

  depends_on = [
    google_service_account.sa-deployer
  ]
}

Upvotes: 1

Views: 315

Answers (2)

To allow a user to manage service accounts, grant one of the following roles:

Service Account User (roles/iam.serviceAccountUser): Includes permissions to list service accounts, get details about a service account, and impersonate a service account.

Service Account Admin (roles/iam.serviceAccountAdmin): Includes permissions to list service accounts and get details about a service account. Also includes permissions to create, update, and delete service accounts, and to view or change the IAM policy on a service account.

To learn more about these roles, see Service Accounts roles.

IAM basic roles (roles/viewer, roles/editor) also contain permissions to manage service accounts. You should not grant basic roles in a production environment, but you can grant them in a development or test environment.

For more information, refer to the following documentation.

  1. Permissions to manage service accounts.
  2. Listing service accounts.

Upvotes: 1

guillaume blaquiere

Reputation: 76000

The current user must be serviceAccountUser to be able to list the service account on the project.

Upvotes: 1
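Both answers make the same point: the grants in the question all land on the deployer SA, but the Cloud Run console evaluates permissions against the signed-in user, so that user needs `iam.serviceAccounts.list` on the project to see the account in the dropdown and `iam.serviceAccounts.actAs` on the account to deploy as it. The following Terraform is an added example, not code from the question or from either answerer. The answers grant the user `roles/iam.serviceAccountUser` on the project; this example goes one step tighter and splits that into a project-level `roles/iam.serviceAccountViewer` (list and get only) plus `roles/iam.serviceAccountUser` on the deployer SA alone. `var.deployer_user_email` is an assumed input; `local.project_id` and `google_service_account.sa-deployer` are the question's own names.

```terraform
# Human identity that creates the Cloud Run service in the console.
# Assumed input for this example, not a value from the question.
variable "deployer_user_email" {
  type        = string
  description = "User who deploys the Cloud Run service from the console"
}

# Project-wide: enough to list and read service accounts, which is what
# populates the service account dropdown in the Cloud Run console.
# google_project_iam_member is additive, so it leaves other members of the
# role in place (unlike google_project_iam_binding, which is authoritative).
resource "google_project_iam_member" "console-user-sa-viewer" {
  project = local.project_id
  role    = "roles/iam.serviceAccountViewer"
  member  = "user:${var.deployer_user_email}"
}

# Scoped to the one deployer SA: grants iam.serviceAccounts.actAs on it, so
# the user can select it when deploying but cannot act as any other SA.
# google_service_account.sa-deployer.name is the full resource name
# (projects/{project}/serviceAccounts/{email}) that service_account_id expects.
resource "google_service_account_iam_member" "console-user-actas-deployer" {
  service_account_id = google_service_account.sa-deployer.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:${var.deployer_user_email}"
}
```

If the dropdown is still empty after `terraform apply`, compare the effective policies with `gcloud projects get-iam-policy PROJECT_ID` and `gcloud iam service-accounts get-iam-policy SA_EMAIL` while signed in as the same user the console uses; a grant that exists only on the SA used by Terraform does not help the console session.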
