Alish Satani

Reputation: 383

Error: Permission 'iam.serviceaccounts.actAs' denied on service account (Deploying to Cloud Run with a custom)

I'm trying to deploy my Docker container to the cloud using GitHub actions.

I have assigned Cloud Run Admin and Artifact Registry Admin to my service account. I have also added the Service Account User permission.

Command used for authentication:

- name: Docker Auth
  id: docker-auth
  uses: "docker/login-action@v3"
  with:
    username: "_json_key"
    password: "${{ secrets.GCP_SERVICE_ACCOUNT }}"
    registry: "${{ env.GAR_LOCATION }}-docker.pkg.dev"

Command used for building and pushing Docker images:

- name: Build and Push Container
  run: |-
    docker build --quiet --build-arg GCP_SERVICE_ACCOUNT=${{ secrets.GCP_SERVICE_ACCOUNT }} -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.GAR_NAME }}/${{ env.SERVICE }}:${{ github.sha }}" ./
    docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.GAR_NAME }}/${{ env.SERVICE }}:${{ github.sha }}"

Command used to deploy on Cloud Run:

- name: Deploy to Cloud Run
  id: deploy
  uses: google-github-actions/deploy-cloudrun@v2
  with:
    service: "${{ env.SERVICE }}-${{ env.ENVIRONMENT }}"
    region: ${{ env.REGION }}
    image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.GAR_NAME }}/${{ env.SERVICE }}:${{ github.sha }}
    platform: managed
    allow-unauthenticated: true

Are there any other permissions or configurations that I'm missing?

Upvotes: 0

Views: 975

Answers (1)

Kapil Sakhare

Reputation: 314

It looks like you have configured the necessary permissions for deploying your Docker container to Cloud Run using GitHub Actions.

However, there are a few additional considerations to ensure a successful deployment when deploying containers to Google Cloud Run using a new service account that you have created with the necessary deployment permissions.

As per this blog by ITECNOTE:

A user needs the following permissions to deploy new Cloud Run services.

  • run.services.create and run.services.update on the project level. Typically assigned through the roles/run.admin role. It can be changed in the project permissions admin page.

  • iam.serviceAccounts.actAs for the Cloud Run runtime service account. By default, this is PROJECT_NUMBER-compute@developer.gserviceaccount.com. The permission is typically assigned through the roles/iam.serviceAccountUser role.

The most important one: you can see here that in order to use non-default service identities, the account or deployer needs to have the iam.serviceAccounts.actAs permission on the service account that is being deployed.

Refer to the official guide Continuous deployment from Git using Cloud Build for more information.

Note: Depending on usage, certain projects may be restricted to only use Cloud Build in the following regions; check Restricted regions for some projects for more detail.

Upvotes: 2
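The answer's second bullet is the one that produces the error in the question: the deployer identity (here, the GitHub Actions service account) must hold iam.serviceAccounts.actAs on the runtime service account that the new Cloud Run revision will run as, and when no custom identity is set that is the Compute Engine default service account. The helper below is an added example, not code from the question, the answer, or Google's tooling. It reads the IAM policy of the runtime service account in the JSON shape that `gcloud iam service-accounts get-iam-policy RUNTIME_SA --format=json` returns, reports whether a given deployer principal has an unconditional binding to a role that carries actAs, and builds the corresponding `gcloud ... add-iam-policy-binding` fix. The sample policy, the project name and all principal e-mail addresses are constructed placeholders, and the list of predefined roles treated as granting actAs is deliberately small (an assumption, not an exhaustive catalogue).

```python
"""Check whether a deployer holds iam.serviceAccounts.actAs on a Cloud Run
runtime service account, from that service account's IAM policy JSON.

Hypothetical helper, not part of the question, the answer, or gcloud.
"""
import json
from typing import Dict, List, Tuple

# Predefined roles that include iam.serviceAccounts.actAs when bound on a
# service account. Assumption: kept intentionally short; custom roles are
# flagged for manual review because their permissions are not visible here.
ACT_AS_ROLES = frozenset({
    "roles/iam.serviceAccountUser",
    "roles/editor",
    "roles/owner",
})

# Constructed sample policy (placeholder names), in the shape returned by
# `gcloud iam service-accounts get-iam-policy RUNTIME_SA --format=json`.
# The "deleted:" member never matches a live principal and is ignored.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:admin@example.com",
                 "deleted:serviceAccount:old-ci@example-project.iam.gserviceaccount.com?uid=123"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:github-deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:night-deployer@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "after-hours",
                   "expression": "request.time.getHours('UTC') >= 20"}}
  ],
  "etag": "BwXexample=",
  "version": 3
}
"""


def load_policy(text: str) -> Dict:
    """Parse the JSON policy document."""
    return json.loads(text)


def check_act_as(policy: Dict, member: str) -> Tuple[bool, List[str]]:
    """Return (granted, notes) for one principal such as
    'serviceAccount:name@project.iam.gserviceaccount.com'.

    `granted` is True only for an unconditional binding to a role in
    ACT_AS_ROLES. Conditional bindings, custom roles and roles without
    actAs are explained in `notes` rather than counted as a grant.
    """
    granted = False
    notes: List[str] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if member not in binding.get("members", []):
            continue
        if "condition" in binding:
            title = binding["condition"].get("title", "?")
            notes.append(f"{role} is bound only under condition {title!r}; not counted")
        elif role in ACT_AS_ROLES:
            granted = True
        elif role.startswith(("projects/", "organizations/")):
            notes.append(f"custom role {role}: verify it includes iam.serviceAccounts.actAs")
        else:
            notes.append(f"{role} does not grant iam.serviceAccounts.actAs")
    return granted, notes


def fix_command(member: str, runtime_sa: str) -> str:
    """Build the gcloud command that grants the least role carrying actAs
    on the runtime service account only (not project-wide)."""
    return (
        f"gcloud iam service-accounts add-iam-policy-binding {runtime_sa} "
        f'--member="{member}" --role="roles/iam.serviceAccountUser"'
    )


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    deployer = "serviceAccount:github-deployer@example-project.iam.gserviceaccount.com"
    runtime_sa = "123456789012-compute@developer.gserviceaccount.com"  # placeholder
    ok, why = check_act_as(policy, deployer)
    print("actAs granted:", ok)
    for line in why:
        print(" -", line)
    if not ok:
        print("fix:", fix_command(deployer, runtime_sa))
```

Binding roles/iam.serviceAccountUser on the runtime service account itself, as the generated command does, is narrower than granting it at project level, which would let the deployer act as every service account in the project. Separately, the workflow in the question passes the JSON key to `docker build --build-arg`; build arguments are recorded in the image's layer metadata, so that image carries the deployer credential into the registry and into every Cloud Run revision built from it.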
