How to solve Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account

I've been trying to create a public Cloud Run invoker policy and bind it to my cb_app Cloud Run service so that it can be exposed. I've created a custom service and assigned it the cloud admin role, but I'm getting this error:

Error: Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account [email protected] (or it may not exist).

Here are the configs:

resource "google_cloud_run_service_iam_member" "domain" {
  service  = google_cloud_run_service.cb_app.name
  location = google_cloud_run_service.cb_app.location
  role     = "roles/run.admin"
  member   = "serviceAccount:${var.service_account}"
}

# create service account to run service
resource "google_service_account" "cb_app" {
  account_id   = "app-worker"
  display_name = "app worker"
}

And in the app service, I have this:

spec {
  # Use locked down Service Account
  service_account_name = google_service_account.cb_app.email
}

Any ideas on how to solve this?


Solution 1:

When you create a resource such as a Cloud Run service, you have the option to attach a service account to the resource.

The following error means that the identity (user or service account) that Terraform is using does not have permission to attach the service account to the resource.

Error: Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account [email protected] (or it may not exist).

The solution is to add the role roles/iam.serviceAccountUser to the identity that Terraform is running under. You do not specify the identity in your question. The identity could be a user account or a service account. Go to the Google Cloud Console -> IAM, find the identity and add the role.

You can also use the gcloud CLI. The exact command arguments depend on the identity type.

For a user account:

gcloud projects add-iam-policy-binding PROJECT_ID \
--member='user:[email protected]' \
--role='roles/iam.serviceAccountUser'

For a service account:

gcloud projects add-iam-policy-binding PROJECT_ID \
--member='serviceAccount:myserviceaccount@PROJECT_ID.iam.gserviceaccount.com' \
--role='roles/iam.serviceAccountUser'

The above commands use Linux shell syntax. On Windows (cmd), replace \ with ^.
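The gcloud commands above bind roles/iam.serviceAccountUser at the project level, which lets the Terraform identity act as every service account in the project. The following is an added example (not code from the question or the answer) that grants the same permission only on the one service account Cloud Run needs, and orders the grant before the service is created. The variable `terraform_identity`, the service name `cb-app`, the region and the container image are placeholders chosen for the example.

```hcl
# Added example: least-privilege fix for the iam.serviceaccounts.actAs error.
# Assumption: var.terraform_identity is the principal Terraform authenticates as,
# e.g. "serviceAccount:terraform@PROJECT_ID.iam.gserviceaccount.com" or "user:someone@example.com".
variable "terraform_identity" {
  description = "Principal Terraform runs as (user:... or serviceAccount:...)"
  type        = string
}

# Runtime identity for the Cloud Run service (same resource as in the question).
resource "google_service_account" "cb_app" {
  account_id   = "app-worker"
  display_name = "app worker"
}

# Grant actAs on this single service account instead of project-wide.
# service_account_id takes the fully qualified name, which .name returns.
resource "google_service_account_iam_member" "terraform_act_as" {
  service_account_id = google_service_account.cb_app.name
  role               = "roles/iam.serviceAccountUser"
  member             = var.terraform_identity
}

resource "google_cloud_run_service" "cb_app" {
  name     = "cb-app"        # placeholder service name
  location = "us-central1"   # placeholder region

  template {
    spec {
      # Use locked down Service Account
      service_account_name = google_service_account.cb_app.email
      containers {
        image = "gcr.io/cloudrun/hello" # placeholder image
      }
    }
  }

  # The actAs grant must exist before the service is created, otherwise the
  # same 403 is returned during the first apply.
  depends_on = [google_service_account_iam_member.terraform_act_as]
}
```

The explicit depends_on matters because nothing else in the service resource references the IAM member, so Terraform would otherwise be free to create the service first. IAM changes can take a short time to propagate, so a retry of terraform apply right after the grant is sometimes needed.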