How to solve Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account
I've been trying to create a public cloud run invoker policy and bind that to my cb_app cloud run service so that it can be exposed. I've created a custom service and assigned it cloud admin role. But getting this error
Error: Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account [email protected] (or it may not exist).
Here are the configs
resource "google_cloud_run_service_iam_member" "domain" {
service = google_cloud_run_service.cb_app.name
location = google_cloud_run_service.cb_app.location
role = "roles/run.admin"
member = "serviceAccount:${var.service_account}"
}
#create service account to run service
resource "google_service_account" "cb_app" {
account_id = "app-worker"
display_name = "app worker"
}
And in app service, I have this
spec {
# Use locked down Service Account
service_account_name = google_service_account.cb_app.email
Any ideas on how to solve this?
Solution 1:
When you create a resoure such as Cloud Run, you have the option to attach a service account to the resource.
The following error means that the identity (user or service account) that Terraform is using does not have permission to attach the service account to the resource.
Error: Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account [email protected] (or it may not exist).
The solution is to add the role roles/iam.serviceAccountUser to the identity that Terraform is running under. You do not specify the identity in your question. The identity could be a user account or a service account. Go to the Google Cloud Console -> IAM. Find the identity and add the role.
You can also use the CLI gcloud. The exact command arguments depend on the identity type.
For a user account:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member='user:[email protected]' \
--role='roles/iam.serviceAccountUser'
For a service account:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member='serviceAccount:myserviceaccount@PROJECT_ID.iam.gserviceaccount.com' \
--role='roles/iam.serviceAccountUser'
The above commands use Linux syntax. For Windows replace \ with ^