Aiden Pearce

Reputation: 300

IAM permission denied for service account <service-account-name>@<project-name>.iam.gserviceaccount.com

I am using Terraform to deploy my application in GCP Cloud Run. When I try to deploy the app with a specific service account which has the roles/run.admin role set, I am getting an IAM permission denied for service account <service-account-name>@<project-name>.iam.gserviceaccount.com error.

I cannot understand why it is denied. There is no specific error for that.

Is there any other permission I need to give to the service account to be able to deploy the app in cloud run?

Thanks

Upvotes: 2

Views: 11099

Answers (1)

Sai Chandra Gadde

Reputation: 3311

As per the official documentation, a user needs the following permissions to deploy new Cloud Run services or revisions:

  1. run.services.create and run.services.update on the project level are required. run.services.get is not strictly required, but is recommended in order to read the status of the created service. Typically assigned through the roles/run.admin role. It can be changed in the project permissions admin page.
  2. iam.serviceAccounts.actAs for the Cloud Run runtime service account. By default, this is [email protected]. The permission is typically assigned through the roles/iam.serviceAccountUser role.

To assign the IAM Service Account User role on the Cloud Run runtime service account:

gcloud iam service-accounts add-iam-policy-binding \
  [email protected] \
  --member="PRINCIPAL" \
  --role="roles/iam.serviceAccountUser"

Upvotes: 3
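The two permissions the answer lists can be granted from the same Terraform configuration that deploys the service, so the deployer never has to be given broad project-level rights just to pass the actAs check. The following is an added example, not the answerer's code or anything from the linked documentation; the project ID, region, the service account IDs `deployer` and `cloud-run-runtime`, the service name `my-app` and the public sample container image are all assumptions chosen for illustration.

```hcl
# Added example (not from the original answer). Assumes Terraform itself runs as an
# existing service account named "deployer" in the target project, and that the
# Cloud Run revision should run as a separate, dedicated "cloud-run-runtime" account.

variable "project_id" {
  type = string # assumption: supplied via -var or a .tfvars file
}

variable "region" {
  type    = string
  default = "us-central1" # assumption
}

# The identity Terraform deploys with (the "specific service account" in the question).
data "google_service_account" "deployer" {
  account_id = "deployer" # assumption: already exists
  project    = var.project_id
}

# The identity the Cloud Run revision runs as. Keeping it distinct from the deployer
# means the running container never holds deployment rights.
resource "google_service_account" "runtime" {
  account_id   = "cloud-run-runtime"
  display_name = "Cloud Run runtime service account"
  project      = var.project_id
}

# Permission 1 from the answer: run.services.create/update/get at project level,
# granted through roles/run.admin.
resource "google_project_iam_member" "deployer_run_admin" {
  project = var.project_id
  role    = "roles/run.admin"
  member  = "serviceAccount:${data.google_service_account.deployer.email}"
}

# Permission 2 from the answer: iam.serviceAccounts.actAs on the runtime account,
# granted through roles/iam.serviceAccountUser. Binding it on this one service
# account (not on the whole project) is the least-privilege form of the gcloud
# add-iam-policy-binding command shown in the answer.
resource "google_service_account_iam_member" "deployer_acts_as_runtime" {
  service_account_id = google_service_account.runtime.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${data.google_service_account.deployer.email}"
}

# The deployment that was failing with "permission denied for service account".
resource "google_cloud_run_v2_service" "app" {
  name     = "my-app" # assumption
  location = var.region
  project  = var.project_id

  template {
    # This is the field that triggers the actAs check on the runtime account.
    service_account = google_service_account.runtime.email

    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # assumption: public sample image
    }
  }

  # Make sure both bindings exist before the service is created, otherwise the
  # first apply can still fail with the same IAM error.
  depends_on = [
    google_project_iam_member.deployer_run_admin,
    google_service_account_iam_member.deployer_acts_as_runtime,
  ]
}
```

The `depends_on` matters because Terraform would otherwise be free to create the service before the IAM bindings. IAM policy changes are also eventually consistent, so if the error appears once immediately after the bindings are added, re-running `terraform apply` after a short wait is the expected fix rather than a sign that another role is missing. To confirm which principals may act as the runtime account, inspect its policy with `gcloud iam service-accounts get-iam-policy cloud-run-runtime@PROJECT_ID.iam.gserviceaccount.com` (PROJECT_ID being a placeholder for the assumed project).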
