How to solve Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account

Asked 29/7, 2021 at 16:38 Answered 14/4, 2022 at 11:12

terraform google-cloud-run service-accounts terraform-provider-gcp google-iam

I've been trying to create a public cloud run invoker policy and bind that to my cb_app cloud run service so that it can be exposed. I've created a custom service and assigned it cloud admin role. But getting this error

Error: Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account [email protected] (or it may not exist).

Here are the configs

resource "google_cloud_run_service_iam_member" "domain" {
  service = google_cloud_run_service.cb_app.name
  location = google_cloud_run_service.cb_app.location
  role = "roles/run.admin"
  member = "serviceAccount:${var.service_account}" 
}
#create service account to run service
resource "google_service_account" "cb_app" {
    account_id    = "app-worker"
    display_name  = "app worker"
}

And in app service, I have this

spec {
      # Use locked down Service Account
      service_account_name = google_service_account.cb_app.email

Any ideas on how to solve this?

Larose answered 29/7, 2021 at 16:38 Comment(1)

What is the content of ${var.service_account}? – Hetzel 29/7, 2021 at 17:31

When you create a resoure such as Cloud Run, you have the option to attach a service account to the resource.

The following error means that the identity (user or service account) that Terraform is using does not have permission to attach the service account to the resource.

Error: Error creating Service: googleapi: Error 403: Permission 'iam.serviceaccounts.actAs' denied on service account [email protected] (or it may not exist).

The solution is to add the role roles/iam.serviceAccountUser to the identity that Terraform is running under. You do not specify the identity in your question. The identity could be a user account or a service account. Go to the Google Cloud Console -> IAM. Find the identity and add the role.

You can also use the CLI gcloud. The exact command arguments depend on the identity type.

For a user account:

gcloud projects add-iam-policy-binding PROJECT_ID \
--member='user:[email protected]' \
--role='roles/iam.serviceAccountUser'

For a service account:

gcloud projects add-iam-policy-binding PROJECT_ID \
--member='serviceAccount:myserviceaccount@PROJECT_ID.iam.gserviceaccount.com' \
--role='roles/iam.serviceAccountUser'

The above commands use Linux syntax. For Windows replace \ with ^

Langrage answered 30/7, 2021 at 6:41 Comment(3)

Be aware that by using PROJECT_ID as the resource to which you are binding the policy, you are telling google cloud to allow the MEMBER to act as ANY service account in the project. That may be more power than you want to delegate. You can also add the policy binding to a specific service account within the project. To do that, replace PROJECT_ID in the above example commands with the full email of the Service account, eg SA_NAME@PROJECT_ID.iam.gserviceaccount.com . – Lavatory 10/8, 2023 at 21:28

@Lavatory - yes you are correct. A service account is both an identity and a resource. Impersonation is an important factor in security design. Can you move your comment to the question so that more people will notice it? – Langrage 10/8, 2023 at 23:40

In my case, I was using a Pulumi service account to deploy a CloudRun service using Pulumi. I needed to add the Service Account User role to the Pulumi service account and then it worked! – Andreas 26/10, 2023 at 16:31

Possible solution to this issue if you're encountering it while applying Terraform in Google Cloud Shell.

I also encountered a very similar error:

Error: googleapi: Error 403: Missing necessary permission enter code hereiam.serviceAccounts.actAs for $MEMBER 
on the service account [email protected]. 
Grant the role 'roles/iam.serviceAccountUser' to $MEMBER on the service  
account [email protected]. 
You can do that by running 'gcloud iam service-accounts 
add-iam-policy-binding [email protected] --member=$MEMBER 
--role=roles/iam.serviceAccountUser'. 
In case the member is a service account please use the prefix 'serviceAccount:' instead of 'user:'.

I think this error message is deceptive/misleading.

My solution:

was not to give the "Service Account User" role to [email protected]
was not to give the "Service Account User" role to the Terrform deployment service account.
was to give the "Service Account User" role to my own personal GCP account.

It seems like Cloud Shell uses a mixture of authorisation accounts when applying Terraform. In some cases it uses the service account defined in the provider and at other times it uses your own GCP OAuth account.

Combo answered 19/11, 2021 at 10:6 Comment(0)

I ran this code:

gcloud config set auth/impersonate_service_account [SA_FULL_EMAIL]

and it worked for me.

Flutterboard answered 14/4, 2022 at 11:12 Comment(0)

Recommended topics

Hot tags