This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Darshan Hiranandani : Permission Denied Error During Google App Engine Deployment with gcloud

Posted on 12-25-2024 08:26 PM
darshanhira24
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hello team, I’m Darshan Hiranandani, facing a permission issue when trying to deploy an app using the following gcloud build submit command:

gcloud builds submit --substitutions _XXX=dev --project=dev-bbva-devops-metrics --config=cloudbuild.yaml --ignore-file=.gcloudignore --service-account=projects/XXXXX/serviceAccounts/XXXX@appspot.gserviceaccount.com

The error message is: ERROR: (gcloud.builds.submit) PERMISSION_DENIED: generic::permission_denied: caller does not have permission to act as service account projects/XXX/serviceAccounts/XXXX. This command is authenticated as [MY_EMAIL] which is the active account specified by the [core/account] property.

I understand the service account should have the right permissions, but the error suggests that my user account doesn’t have permission to act as the service account. Could anyone suggest what steps I might take to resolve this?

Regards 

Darshan Hiranandani

0 1 261
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
greb
Staff
Reply posted on --/--/---- --:-- AM

Hi @darshanhira24,

The error message indicates that your user account ([MY_EMAIL]) does not have the iam.serviceAccounts.actAs authorization to impersonate the service account XXXX@appspot.gserviceaccount.com. This is essential for the gcloud builds submit command to work when a service account is specified.

You may resolve this issue by:

  1. Verify the IAM policy for the service account and check if [MY_EMAIL] has the required permission using this command:
    gcloud iam service-accounts get-iam-policy XXXX@appspot.gserviceaccount.com

  2. If the permission is missing, grant the iam.serviceAccounts.actAs role to [MY_EMAIL]:
    gcloud iam service-accounts add-iam-policy-binding \
XXXX@appspot.gserviceaccount.com \
--member=user:[MY_EMAIL] \
--role=roles/iam.serviceAccountUser
  3. Re-run the build command to confirm the issue is resolved.

For more information about service account impersonation, you can read more about it here.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

0 Likes
Top Solution Authors
View all