Question
This morning I made a PR which triggered a Cloud Build for my staging environment but failed to deploy the results to GAE.
The error was as follows:
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as '[redacted]@appspot.gserviceaccount.com'
Step #4: - '@type': type.googleapis.com/google.rpc.ResourceInfo
Step #4:   description: You do not have permission to act as this service account.
Step #4:   resourceName: [redacted]@appspot.gserviceaccount.com
Step #4:   resourceType: serviceAccount
When I look at https://console.cloud.google.com/cloud-build/settings/service-account, Cloud Build has the following service account permissions ENABLED:
- App Engine Admin
- Cloud KMS
Checking https://console.cloud.google.com/iam-admin/iam I can see that the cloudbuild service account has the following roles:
- App Engine Admin
- App Engine Deployer
- Cloud Build Service Account
- Cloud KMS CryptoKey Decrypter
Answer 1:
According to the provided error, it seems like you need to add some delegation to your service account. This means that the service account can act on behalf of another service account. Do not add this permission on the project level, since it poses a security risk! Below you can find an example of how to add roles/iam.serviceAccountUser on another service account.
# Your project ID; the project number is looked up from it below
PROJECT_ID=xxxxxx
PROJECT_NUMBER=$(gcloud projects list \
    --format="value(projectNumber)" \
    --filter="projectId=${PROJECT_ID}")
# Grant the Cloud Build service account permission to act as the
# App Engine default service account only (not at the project level)
gcloud iam service-accounts add-iam-policy-binding \
    ${PROJECT_ID}@appspot.gserviceaccount.com \
    --member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com \
    --role=roles/iam.serviceAccountUser \
    --project=${PROJECT_ID}
To summarize, the service account must have the iam.serviceAccounts.actAs permission, which is included in the roles/iam.serviceAccountUser role. Updated Google documentation can be found here.
Answer 2:
I had the same issue. For me, I had to add the Service Account User role to my CircleCI user in IAM. Maybe you can do the same for cloudbuild.
Answer 3:
I granted the Service Account User permission to my CI/CD service account. That works.
Screenshot of IAM
Screenshot of my Gitlab CI/CD configuration
Answer 4:
To resolve this issue, you can add the Service Account User IAM permission to your CI/CD pipeline service account. E.g. if you're using Cloud Build, then add the Service Account User role to your {project-number}@cloudbuild.gserviceaccount.com service account.
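Answers 1 and 4 both come down to one check: the CI service account needs roles/iam.serviceAccountUser (i.e. iam.serviceAccounts.actAs) on the App Engine default service account, and answer 1 warns against granting it at the project level. The script below is an added example, not code from the original question or answers: it reads the JSON that `gcloud iam service-accounts get-iam-policy --format=json` and `gcloud projects get-iam-policy --format=json` produce, reports whether a member is missing the binding (the PERMISSION_DENIED case), has it scoped to the one service account (the fix), or holds it project-wide (the over-broad case), and builds the scoped remediation command from answer 1. The project ID, project number and member names in the sample policies are constructed placeholders.

```python
import json

# Role that carries the iam.serviceAccounts.actAs permission gcloud app deploy needs
SERVICE_ACCOUNT_USER_ROLE = "roles/iam.serviceAccountUser"

# Constructed sample: policy of the App Engine default service account
# (shape of `gcloud iam service-accounts get-iam-policy <SA> --format=json`)
SA_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/iam.serviceAccountUser",
      "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]
    }
  ],
  "etag": "BwXConstructed=",
  "version": 1
}
"""

# Constructed sample: project-level policy
# (shape of `gcloud projects get-iam-policy <PROJECT_ID> --format=json`)
PROJECT_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/cloudbuild.builds.builder",
      "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]
    },
    {
      "role": "roles/iam.serviceAccountUser",
      "members": ["serviceAccount:ci-legacy@example-project.iam.gserviceaccount.com"]
    }
  ],
  "etag": "BwYConstructed=",
  "version": 1
}
"""


def members_with_role(policy: dict, role: str) -> set:
    """Return every member bound to `role` anywhere in an IAM policy document."""
    return {
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role
        for member in binding.get("members", [])
    }


def check_act_as(sa_policy: dict, project_policy: dict, member: str) -> dict:
    """Classify how `member` gets (or fails to get) actAs on the target service account.

    "missing"   -> no binding anywhere: gcloud app deploy fails with PERMISSION_DENIED
    "ok"        -> bound on the service account only, as answer 1 recommends
    "overbroad" -> bound at the project level, so it can act as every SA in the project
    """
    on_sa = member in members_with_role(sa_policy, SERVICE_ACCOUNT_USER_ROLE)
    on_project = member in members_with_role(project_policy, SERVICE_ACCOUNT_USER_ROLE)
    if on_project:
        status = "overbroad"
    elif on_sa:
        status = "ok"
    else:
        status = "missing"
    return {"member": member, "on_service_account": on_sa,
            "on_project": on_project, "status": status}


def remediation_command(project_id: str, project_number: str) -> str:
    """Build the scoped grant from answer 1 for the Cloud Build service account."""
    return (
        "gcloud iam service-accounts add-iam-policy-binding "
        f"{project_id}@appspot.gserviceaccount.com "
        f"--member=serviceAccount:{project_number}@cloudbuild.gserviceaccount.com "
        f"--role={SERVICE_ACCOUNT_USER_ROLE} --project={project_id}"
    )


def audit_sample() -> dict:
    """Run the check over the constructed policies for three members."""
    sa_policy = json.loads(SA_POLICY_JSON)
    project_policy = json.loads(PROJECT_POLICY_JSON)
    members = [
        "serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
        "serviceAccount:ci-legacy@example-project.iam.gserviceaccount.com",
        "serviceAccount:deploy-new@example-project.iam.gserviceaccount.com",
    ]
    return {m: check_act_as(sa_policy, project_policy, m)["status"] for m in members}


if __name__ == "__main__":
    for member, status in audit_sample().items():
        print(f"{status:9} {member}")
    print(remediation_command("example-project", "123456789012"))
```

Replace the two JSON strings with real `gcloud ... get-iam-policy --format=json` output to audit a project; a "missing" result explains the error in the question, and an "overbroad" result is the project-level grant answer 1 says to avoid.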
Source: https://stackoverflow.com/questions/64236468/cloud-build-fails-to-deploy-to-google-app-engine-you-do-not-have-permission-to