Hello team, I’m Darshan Hiranandani, facing a permission issue when trying to deploy an app using the following gcloud build submit command:
gcloud builds submit --substitutions _XXX=dev --project=dev-bbva-devops-metrics --config=cloudbuild.yaml --ignore-file=.gcloudignore --service-account=projects/XXXXX/serviceAccounts/XXXX@appspot.gserviceaccount.com
The error message is: ERROR: (gcloud.builds.submit) PERMISSION_DENIED: generic::permission_denied: caller does not have permission to act as service account projects/XXX/serviceAccounts/XXXX. This command is authenticated as [MY_EMAIL] which is the active account specified by the [core/account] property.
I understand the service account should have the right permissions, but the error suggests that my user account doesn’t have permission to act as the service account. Could anyone suggest what steps I might take to resolve this?
Regards
Darshan Hiranandani
Hi @darshanhira24,
The error message indicates that your user account ([MY_EMAIL]) does not have the iam.serviceAccounts.actAs authorization to impersonate the service account XXXX@appspot.gserviceaccount.com. This is essential for the gcloud builds submit command to work when a service account is specified.
You may resolve this issue by:
gcloud iam service-accounts get-iam-policy XXXX@appspot.gserviceaccount.com

gcloud iam service-accounts add-iam-policy-binding \
    XXXX@appspot.gserviceaccount.com \
    --member=user:[MY_EMAIL] \
    --role=roles/iam.serviceAccountUser
For more information about service account impersonation, you can read more about it here.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
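An added example, not part of the original thread: before or after adding the binding, the JSON from `gcloud iam service-accounts get-iam-policy ... --format=json` can be checked to see who is allowed to act as the service account and whether any binding is wider than a single named principal. The function name, the sample policies and the e-mail addresses are constructed for illustration.

```python
import json

# Role granted in the answer above; it carries iam.serviceAccounts.actAs.
ACT_AS_ROLES = {"roles/iam.serviceAccountUser"}
# Principals that widen a binding far beyond one named user.
BROAD_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def audit_act_as(policy_json, caller, roles=ACT_AS_ROLES):
    """Summarise who may act as a service account, from its own IAM policy.

    Only bindings set on the service account itself are visible here; grants
    inherited from the project or reached through a group are not, so a
    negative result does not prove the caller lacks the permission.
    """
    policy = json.loads(policy_json)
    result = {"caller_direct": False, "caller_conditional": False,
              "other_members": [], "broad_members": []}
    # A service account with no bindings returns a policy holding only an etag.
    for binding in policy.get("bindings", []):
        if binding.get("role") not in roles:
            continue
        conditional = "condition" in binding
        for member in binding.get("members", []):
            if member.lower() == caller.lower():
                key = "caller_conditional" if conditional else "caller_direct"
                result[key] = True
            elif member in BROAD_MEMBERS or member.startswith("domain:"):
                result["broad_members"].append(member)
            else:
                result["other_members"].append(member)
    return result

# Constructed sample policies (not output from any real project).
EMPTY_POLICY = '{"etag": "ACAB"}'
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:dev@example.com", "allAuthenticatedUsers",
                 "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:dev@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:temp@example.com"],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
]})

if __name__ == "__main__":
    for name, doc in (("empty", EMPTY_POLICY), ("sample", SAMPLE_POLICY)):
        print(name, audit_act_as(doc, "user:dev@example.com"))
```

An empty result for the caller matches the PERMISSION_DENIED case in the question; entries under `broad_members` are worth removing, since they let far more than one user run builds as that service account.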