Cloud Build fails to deploy to Google App Engine - You do not have permission to act as @appspot.gserviceaccount.com
Solution 1:
According to the provided error, it seems like you need to add some delegation to your service account. This means that the service account can act on behalf of another service account. Do not add this permission on the project level, since it poses a security risk! Below you can find an example of how to add roles/iam.serviceAccountUser on another service account.

```bash
# Project whose App Engine default service account Cloud Build deploys as
PROJECT_ID=xxxxxx
# Look up the project number, which names the Cloud Build service account
PROJECT_NUMBER=$(gcloud projects list \
  --format="value(projectNumber)" \
  --filter="projectId=${PROJECT_ID}")

# Grant the role on the App Engine service account only, not on the project
gcloud iam service-accounts add-iam-policy-binding \
  "${PROJECT_ID}@appspot.gserviceaccount.com" \
  --member="serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com" \
  --role=roles/iam.serviceAccountUser \
  --project="${PROJECT_ID}"
```

To summarize, the service account must have the iam.serviceAccounts.actAs permission, which is included in the roles/iam.serviceAccountUser role. Updated Google documentation can be found here.
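An added example, not part of the original answers: a small audit that checks whether roles/iam.serviceAccountUser is bound on the single service account (as Solution 1 recommends) or project-wide. It reads IAM policies in the JSON shape printed by `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json`. The sample policies, project number, and the `ci-deployer` account are constructed, and the function names are hypothetical.

```python
import json

ROLE = "roles/iam.serviceAccountUser"

# Constructed sample policies (not real output). Only the named role is
# checked; other roles that may contain actAs are out of scope here.
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"]}
]}
""")
SA_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}
]}
""")


def members_with_role(policy, role=ROLE):
    """Return the sorted members bound to `role` in an IAM policy dict."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            found.update(binding.get("members", []))
    return sorted(found)


def audit_act_as(project_policy, sa_policy, builder):
    """Report where `builder` holds the role and who holds it project-wide."""
    project_wide = members_with_role(project_policy)
    return {
        # Members here can act as every service account in the project.
        "project_wide_members": project_wide,
        "builder_is_project_wide": builder in project_wide,
        # True when the grant is scoped to the one deploy service account.
        "builder_scoped_to_sa": builder in members_with_role(sa_policy),
    }


if __name__ == "__main__":
    builder = "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"
    print(json.dumps(audit_act_as(PROJECT_POLICY, SA_POLICY, builder), indent=2))
```

Any entry in `project_wide_members` is a candidate for replacement with a binding on the specific service account.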
Solution 2:
I had the same issue. For me, I had to add the Service Account User role to my CircleCI user in IAM. Maybe you can do the same for Cloud Build.
Solution 3:
I granted the Service Account User permission to my CI/CD service account. That works.