We are using the default service account {projectname}@appspot.gserviceaccount.com to perform the Cloud Function code deploy (Python code) through the GCP console.
Provided the below permissions through Terraform:
"roles/iam.serviceAccountUser" = ["serviceAccount:{projectname}@appspot.gserviceaccount.com" ]
"roles/cloudfunctions.developer" = ["group:sample.developers@example.com"]
Getting the below error, need some help here:
Caller is missing permission 'iam.serviceaccounts.actAs' on service account {projectname}@appspot.gserviceaccount.com. Grant the role 'roles/iam.serviceAccountUser' to the caller on the service account {projectname}@appspot.gserviceaccount.com. You can do that by running 'gcloud iam service-accounts add-iam-policy-binding {projectname}@appspot.gserviceaccount.com --member MEMBER --role roles/iam.serviceAccountUser' where MEMBER has a prefix like 'user:' or 'serviceAccount:'. Details and instructions for the Cloud Console can be found at https://cloud.google.com/functions/docs/reference/iam/roles#additional-configuration. Please visit https://cloud.google.com/functions/docs/troubleshooting for in-depth troubleshooting documentation
Hello mahesh_123,
Checking on the concern you encountered, I found a related post on Stack Overflow by John Hanley. And seeing that you are deploying it through Terraform, you can consider checking this documentation on how to add the policy binding.
Hey, I recently ran into this issue as well. I don't know if you're using GitHub at all (I couldn't tell from the question).
But here are a few things you could try:
- Give your GitHub Actions account the role Service Account User.
- Add the Service Account User role to the service account indicated by the error.
I did them in the opposite order, so that's why I think you should try the first option first and then the second one if that doesn't fix it.
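For reference, a Terraform sketch of the binding the error message asks for, added here as an example and not posted by anyone in the thread. It assumes the people deploying from the console are members of the group named in the question; `var.project_id` and the `ci-deployer` account are hypothetical names.

```hcl
# Added example, not code from the thread.
# Assumptions: deployers are members of the group from the question;
# var.project_id and the ci-deployer account are hypothetical.

variable "project_id" {
  type        = string
  description = "Project that owns the App Engine default service account"
}

locals {
  # Runtime identity named in the error message.
  runtime_sa_email = "${var.project_id}@appspot.gserviceaccount.com"

  # Principals that call the deploy and therefore need
  # iam.serviceAccounts.actAs on the runtime service account.
  deployers = toset([
    "group:sample.developers@example.com",
    # Hypothetical CI identity (e.g. one used by GitHub Actions).
    "serviceAccount:ci-deployer@${var.project_id}.iam.gserviceaccount.com",
  ])
}

# The binding posted in the question grants the role to the service
# account itself, not to the group:
#   "roles/iam.serviceAccountUser" =
#     ["serviceAccount:{projectname}@appspot.gserviceaccount.com"]
#
# Here the member is the caller, and the grant is made on the single
# service account resource. A project-level grant of
# roles/iam.serviceAccountUser would let the member act as every
# service account in the project.
resource "google_service_account_iam_member" "deployer_act_as_runtime_sa" {
  for_each = local.deployers

  service_account_id = "projects/${var.project_id}/serviceAccounts/${local.runtime_sa_email}"
  role               = "roles/iam.serviceAccountUser"
  member             = each.value
}
```

`google_service_account_iam_member` is additive, so it leaves any other bindings already on the service account in place.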