Reputation: 31642
"Unsupported service account" errors from gcloud when deploying --gen2 functions with --build-service-account
gcloud --version
Google Cloud SDK 488.0.0
alpha 2024.08.09
beta 2024.08.09
bq 2.1.8
core 2024.08.09
gcloud-crc32c 1.0.0
gsutil 5.30
istioctl 1.20.47
I'm at a loss for how to execute the gcloud functions deploy --gen2 command. I can deploy gen1, but gen2 throws indecipherable service account errors.
First going right from the docs: https://cloud.google.com/functions/docs/deploy#basics
gcloud functions deploy sdfsdfsd \
--gen2 \
--project="sdfsdf" \
--region="us-central1" \
--entry-point=my_func \
--no-allow-unauthenticated \
--runtime=python312 \
--build-service-account="[email protected]" \
--trigger-http
I get ERROR: (gcloud.functions.deploy) OperationError: code=3, message=Deployment failed: ["params.service_account: must be empty or a service account of format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}"]. Check your build configuration. Already makes no sense because I'm not setting the service account.
Then I set the account with: --service-account="[email protected]" and I get ERROR: (gcloud.functions.deploy) Deployment failed: ["params.service_account: must be empty or a service account of format: projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}"]. Check your build configuration..
I can't find any examples of the gcloud cli using this format, but when I try it I get this error: ERROR: (gcloud.functions.deploy) ResponseError: status=[400], code=[Ok], message=[Could not create Cloud Run service sdfsdfsd. serviceAccountName: Unsupported service account: projects/my-project-id/serviceAccounts/[email protected]]
I gave the [email protected] account the following roles:
What do I have to do to get this command to work?
I can deploy gen2 functions through the UI with this service account without issues.
Upvotes: 1
Views: 322
Answers (1)
Reputation: 31642
The answer had nothing to do with the --service-account param even though whenever I modified its format I got DIFFERENT ERRORS!
I left this off initially (edited my post to include it), but I'm using a custom build service account (default is disabled now for security reasons).
It seems this is the correct series of switches:
--build-service-account="projects/{PROJECT_ID}/serviceAccounts/{CLOUD_BUILD_GSA}" \
--service-account="{RUNTIME_GSA}" \
It does mention this format in the docs: https://cloud.google.com/sdk/gcloud/reference/functions/deploy#--build-service-account
But the fact that the errors changed in response to modifying the other switch was very confusing. I would open a bug report, but not sure how it would be worded. params.service_account should have been params.build_service_account in the errors.
Upvotes: 1
Related Questions
- gcloud functions deploy fails: One or more users named in the policy do not belong to a permitted customer
- (gcloud.functions.deploy) permission denied when deploying function with specific service account
- Correct permissions for Google Cloud Build to deploy a Cloudfunction in a separate project
- Wrong collection error when deploying gcloud function
- service account permission issue while deploying cloud function
- google cloud function deploy start failing
- How do I deploy a Go Google Cloud Function placed in a subpackage?
- Deploying different service-account-credentials.json file to different cloud functions
- "gcloud auth activate-service-account" and "gcloud source repos clone" error
- gcloud preview app deploy returns 400 with message App engine service account has insufficient permissions for project. Developer or owner required