
Unable to deploy application due to ActAs permission

Currently I'm deploying a CI/CD pipeline for a staging environment. The problem is, when it comes to executing the trigger and building the last version pushed to the "watched branch", Cloud Build gives me the following error (right after the Docker images were successfully built):

 

Uploading tarball of [.] to [gs://5ab97cc8958b4855a3ca3ad7b7366eae_clouddeploy/source/1676901197.104051-8c8d678cc4994b5ba0dcc1ffbe30e4a4.tgz]
ERROR: (gcloud.deploy.releases.create) PERMISSION_DENIED: ActAs permissions required to use account my-account@my-project.iam.gserviceaccount.com. For more details, see https://cloud.google.com/iam/docs/understanding-service-accounts#attaching
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: clouddeploy.googleapis.com
  metadata:
    serviceAccount: my-account@my-project.iam.gserviceaccount.com
  reason: ACTAS_PERMISSION_DENIED
 
Googling the error message, I thought the problem was in the service account's permissions, i.e., one of its roles should have the iam.serviceAccounts.actAs permission. Then I granted the account the Cloud Deploy Service Agent role, which has it; but it didn't work. I even tried using an account with several Admin roles (such as Cloud Deploy Admin and Service Account Admin), but that didn't work either. I also tried removing the serviceAccount parameter from clouddeploy.yaml.
 
Is there some step I missed?
 
* Here's the current Cloud Deploy file:
 
apiVersion: deploy.cloud.google.com/v1
kind: DeliveryPipeline
metadata:
  name: staging-pipeline
description: main application pipeline
serialPipeline:
  stages:
    - targetId: staging
---

# Staging cluster
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: staging
description: staging cluster
gke:
  cluster: projects/$PROJECT_ID/locations/us-central1-c/clusters/staging-cluster
executionConfigs:
- defaultPool:
    serviceAccount: my-account@my-project.iam.gserviceaccount.com
  usages:
  - RENDER
  - DEPLOY
1 ACCEPTED SOLUTION

Hi Alexandre,

The Cloud Build service account needs actAs permissions to call the Cloud Deploy endpoint (which in turn uses the Cloud Deploy service account). You should grant your Cloud Build service account actAs permissions. The Cloud Build account should also have the clouddeploy.releaser role. The service account you are using for Cloud Deploy to deploy should have the clouddeploy.jobRunner role.

Here are a few links:

 
Does this help?

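As an added example (not code from the thread or from Google's documentation), the three grants the accepted answer lists, written as a script that prints each gcloud command by default and only applies it when APPLY=1 is set, followed by a policy read so the actAs binding can be verified. The project id and service-account names are taken from the thread; the project number is a placeholder, and the Cloud Build identity shown is the legacy default, which must be swapped for the trigger's own service account if one is configured.

```shell
#!/bin/sh
# Applies the three grants from the accepted answer, defaulting to a dry run
# that prints each gcloud command; set APPLY=1 to actually run them.
# Identities below are assumed from the thread; PROJECT_NUMBER is a placeholder.
PROJECT_ID="${PROJECT_ID:-my-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"          # constructed placeholder
EXEC_SA="${EXEC_SA:-my-account@${PROJECT_ID}.iam.gserviceaccount.com}"
# Identity the Cloud Build trigger runs as (legacy default shown; substitute
# the trigger's own service account if one is configured).
BUILD_SA="${BUILD_SA:-${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com}"

run() {
  if [ "${APPLY:-}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# 1. Let the Cloud Build identity act as the execution SA (iam.serviceAccounts.actAs).
#    Binding on the service account itself, not the project, keeps the grant narrow.
grant_actas() {
  run gcloud iam service-accounts add-iam-policy-binding "$EXEC_SA" \
    --project="$PROJECT_ID" \
    --member="serviceAccount:${BUILD_SA}" \
    --role="roles/iam.serviceAccountUser"
}

# 2. Let the Cloud Build identity create releases.
grant_releaser() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${BUILD_SA}" \
    --role="roles/clouddeploy.releaser"
}

# 3. Let the execution SA run the render and deploy jobs.
grant_job_runner() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${EXEC_SA}" \
    --role="roles/clouddeploy.jobRunner"
}

# Check: the Cloud Build identity must appear under roles/iam.serviceAccountUser here.
show_actas_bindings() {
  run gcloud iam service-accounts get-iam-policy "$EXEC_SA" \
    --project="$PROJECT_ID" --format=yaml
}

main() { grant_actas && grant_releaser && grant_job_runner && show_actas_bindings; }
main
```

Run it once without APPLY to review the exact bindings, then with APPLY=1 from an identity that can administer IAM on the project and on the execution service account.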

It worked. Many thanks!

Hello @sanderbogdan ,

I have a question: is it the same case when deploying Apigee API Proxies?
I am creating a CI/CD pipeline to deploy Apigee API Proxies using the Maven plugin, and the trigger failed, giving nearly the same error message:
[ERROR] Failed to execute goal io.apigee.build-tools.enterprise4g:apigee-edge-maven-plugin:2.4.0:deploy (default-cli) on project apigee-api-proxy: : MojoExecutionException: com.google.api.client.http.HttpResponseException: 403 Forbidden
[ERROR] {
[ERROR] "error": {
[ERROR] "code": 403,
[ERROR] "message": "permission 'iam.serviceAccounts.actAs' denied on resource 'projects/-/serviceAccounts/deployment-SA@my-project.iam.gserviceaccount.com' (or it may not exist in the project for Apigee org \"my-project\")",
[ERROR] "status": "PERMISSION_DENIED",
[ERROR] "details": [
[ERROR] "@type": "type.googleapis.com/google.rpc.RequestInfo",
[ERROR] "requestId": "11467981998970720566"

Can you please explain to me why I need to assign the Service Account User role to the service account "deployment-SA@my-project.iam.gserviceaccount.com", which is the service account I am using in the Cloud Build trigger, and what other service account it is trying to impersonate?