I'm trying to deploy my Docker container to the cloud using GitHub Actions.
I have assigned Cloud Run Admin and Artifact Registry Admin to my service account. I have also added the Service Account User permission.
Command used for authentication:
    name: Docker Auth
    id: docker-auth
    uses: "docker/login-action@v3"
    with:
      username: "_json_key"
      password: "${{ secrets.GCP_SERVICE_ACCOUNT }}"
      registry: "${{ env.GAR_LOCATION }}-docker.pkg.dev"
Command used for building and pushing Docker images:
    name: Build and Push Container
    run: |-
      docker build --quiet --build-arg GCP_SERVICE_ACCOUNT=${{ secrets.GCP_SERVICE_ACCOUNT }} -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.GAR_NAME }}/${{ env.SERVICE }}:${{ github.sha }}" ./
      docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.GAR_NAME }}/${{ env.SERVICE }}:${{ github.sha }}"
Command used to deploy on Cloud Run:
    name: Deploy to Cloud Run
    id: deploy
    uses: google-github-actions/deploy-cloudrun@v2
    with:
      service: "${{ env.SERVICE }}-${{ env.ENVIRONMENT }}"
      region: ${{ env.REGION }}
      image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.GAR_NAME }}/${{ env.SERVICE }}:${{ github.sha }}
      platform: managed
      allow-unauthenticated: true
Are there any other permissions or configurations that I'm missing?
It looks like you have configured the necessary permissions for deploying your Docker container to Cloud Run using GitHub Actions.
However, there are a few additional considerations to ensure a successful deployment when deploying containers to Google Cloud Run using a new service account that you have created with the necessary deployment permissions.
As per this blog by ITECNOTE:
The most important one. You can see here that in order to use non-default service identities, the account or deployer needs to have the iam.serviceAccounts.actAs permission on the service account that is being deployed.
Refer to this official document, Continuous deployment from Git using Cloud Build, for more information.
Note: Depending on usage, certain projects may be restricted to only use Cloud Build in the following regions; check Restricted regions for some projects for more detail.
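
One way to check the iam.serviceAccounts.actAs requirement quoted above, as an added example that is not part of the original question or answer: the script reads the IAM policy of the runtime service account and reports whether the deployer holds a role carrying that permission. The account names, the sample policy and the helper names are constructed for illustration, and only roles/iam.serviceAccountUser is assumed to carry the permission.

```python
import json

# Assumption: only this predefined role is checked; add custom roles that
# include iam.serviceAccounts.actAs if your project uses them.
ACT_AS_ROLES = {"roles/iam.serviceAccountUser"}

# Constructed sample in the shape printed by
#   gcloud iam service-accounts get-iam-policy RUNTIME_SA --format=json
SAMPLE_POLICY = """
{"bindings": [
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:nightly@example-project.iam.gserviceaccount.com"],
   "condition": {"title": "expires",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["user:dev@example.com"]}],
 "etag": "CONSTRUCTED", "version": 3}
"""

def act_as_status(policy_json, member):
    """Return 'ok', 'conditional' or 'missing' for member on this service account."""
    policy = json.loads(policy_json)
    status = "missing"
    # A service account with no grants returns a policy without "bindings".
    for binding in policy.get("bindings", []):
        if binding.get("role") not in ACT_AS_ROLES:
            continue
        if member not in binding.get("members", []):
            continue
        if "condition" not in binding:
            return "ok"
        status = "conditional"  # granted, but only while the condition holds
    return status

def grant_command(runtime_sa, deployer_member):
    """Build the gcloud command that grants the role on the runtime account only."""
    return ("gcloud iam service-accounts add-iam-policy-binding "
            f"{runtime_sa} --member={deployer_member} "
            "--role=roles/iam.serviceAccountUser")

if __name__ == "__main__":
    deployer = "serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"
    runtime = "run-runtime@example-project.iam.gserviceaccount.com"
    status = act_as_status(SAMPLE_POLICY, deployer)
    print(deployer, "->", status)
    if status != "ok":
        print(grant_command(runtime, deployer))
```

A "missing" result covers only bindings set on the service account itself; a grant made at the project level is inherited and does not appear in this policy.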