Reputation: 523
User manage Service Account to deploy CloudRun instance
I need your help please. I am not able to find out what I am missing. I created user managed SA and provided roles
roles/run.admin
roles/iam.serviceAccountUser
but somehow I am not able to see it when creating service:
I also added impersonation to default compute SA.
I am pushing changes via terraform:
resource "google_service_account" "sa-deployer" {
project = local.project_id
account_id = "${local.env}-sa-deployer-tf"
display_name = "Service Account to deploy CloudRun instance"
}
resource "google_service_account_iam_member" "gce-default-account-iam" {
service_account_id = data.google_compute_default_service_account.default.name
role = "roles/iam.serviceAccountUser"
member = "serviceAccount:${google_service_account.sa-deployer.email}"
depends_on = [
google_service_account.sa-deployer
]
}
resource "google_project_iam_binding" "sa-deployer-run-admin" {
project = local.project_id
role = "roles/run.admin"
members = [
"serviceAccount:${google_service_account.sa-deployer.email}",
]
depends_on = [
google_service_account.sa-deployer
]
}
resource "google_project_iam_binding" "sa-deployer-build-admin" {
project = local.project_id
role = "roles/cloudbuild.builds.builder"
members = [
"serviceAccount:${google_service_account.sa-deployer.email}",
]
depends_on = [
google_service_account.sa-deployer
]
}
Upvotes: 1
Views: 315
Answers (2)
Reputation: 702
To allow a user to manage service accounts, grant one of the following roles:
Service Account User (roles/iam.serviceAccountUser): Includes permissions to list service accounts, get details about a service account, and impersonate a service account.
Service Account Admin (roles/iam.serviceAccountAdmin): Includes permissions to list service accounts and get details about a service account. Also includes permissions to create, update, and delete service accounts, and to view or change the IAM policy on a service account.
To learn more about these roles, see Service Accounts roles.
IAM basic roles(roles/viewer, roles/editor) also contain permissions to manage service accounts. You should not grant basic roles in a production environment, but you can grant them in a development or test environment.
For more information refer to the following documentations.
Upvotes: 1
Reputation: 76000
The current user must be serviceAccountUser to be able to list the service account on the project.
Upvotes: 1
Related Questions
- Deploying to Cloud Run with a custom service account failed with iam.serviceaccounts.actAs error
- Permission 'iam.serviceaccounts.actAs' denied on service account when deploying on cloud run
- service account permission issue while deploying cloud function
- minimum set of service account permission for cloud run
- What IAM permissions do I need to use to create a Service Account similar to Default Compute Engine Service Account?
- Cloud run service invoke
- How to grant service account access to a user account on google cloud
- Cannot deploy as a service account to google cloud run
- IAM ServiceAccount for CloudRun service endpoint invocation
- What predefined IAM roles does a service account need to complete the Google Cloud Run Quickstart: Build and Deploy?