Tags: google-cloud-platform, deployment, permissions, user-accounts, google-cloud-iam

Permission 'iam.serviceaccounts.actAs' denied on service account when deploying on Cloud Run


When I try to deploy my Docker image on Cloud Run with the command:

gcloud run deploy --image $MULTI_REGION/$PROJECT/$IMAGE --memory $MEMORY --region $REGION --env-vars-file .env.yaml

I get the following error message:

Deploying container to Cloud Run service [image-name] in project [wagon-bootcamp-352706] region [europe-west1]
X Deploying new service...
  . Creating Revision...
  . Routing traffic...
  . Setting IAM Policy...
Deployment failed
ERROR: (gcloud.run.deploy) User [demange.louis@hotmail.fr] does not have permission to access namespaces instance [wagon-bootcamp-352706] (or it may not exist): Permission 'iam.serviceaccounts.actAs' denied on service account 942802053669-compute@developer.gserviceaccount.com (or it may not exist).

To check the permissions of the project, I use gcloud projects get-iam-policy wagon-bootcamp-352706:

bindings:
- members:
  - serviceAccount:service-942802053669@gcp-sa-artifactregistry.iam.gserviceaccount.com
  role: roles/artifactregistry.serviceAgent
- members:
  - serviceAccount:service-942802053669@containerregistry.iam.gserviceaccount.com
  role: roles/containerregistry.ServiceAgent
- members:
  - user:demange.louis@hotmail.fr
  role: roles/iam.serviceAccountUser
- members:
  - serviceAccount:service-942802053669@cloud-ml.google.com.iam.gserviceaccount.com
  role: roles/ml.serviceAgent
- members:
  - user:demange.louis@hotmail.fr
  role: roles/owner
- members:
  - serviceAccount:service-942802053669@gcp-sa-pubsub.iam.gserviceaccount.com
  role: roles/pubsub.serviceAgent
- members:
  - serviceAccount:service-942802053669@serverless-robot-prod.iam.gserviceaccount.com
  role: roles/run.serviceAgent
- members:
  - user:demange.louis@hotmail.fr
  role: roles/storage.admin
- members:
  - user:demange.louis@hotmail.fr
  role: roles/storage.objectAdmin
- members:
  - user:demange.louis@hotmail.fr
  role: roles/storage.objectCreator

I also checked that the project 'wagon-bootcamp-352706' was the right one.

I also checked in Container Registry that my image 'image-name' had been pushed correctly: image-name eu.gcr.io Private

In conclusion, the permissions should be effective, there was no problem with the previous push, and there is no problem with the project name. The only thing that remains unclear is this account '942802053669-compute@developer.gserviceaccount.com' mentioned in the error message: it does not belong to me and I don't know what it is. Does anyone have an idea what the problem is? Thanks in advance.

Best regards,

Louis Demange


Solution

  • The issue is that the Service Account 942802053669-compute@developer.gserviceaccount.com does not exist, either because the Compute Engine API has not been enabled (maybe) or because you have deleted it.

    You have two options:

    1. Enable the Compute Engine API, for example by going to the Compute Engine section.
    2. If you deleted the Compute Engine default SA, you can recover it (if it was deleted at most 30 days ago) or use another Service Account that exists as the one Cloud Run runs with.
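The check behind the answer, as an added example that is not part of the question or answer: derive the default Compute Engine SA from the project number, verify that both the Compute Engine API is enabled and the SA exists, and otherwise deploy with an explicitly named runtime SA via `--service-account`. It assumes gcloud is installed and authenticated; the project ID, region, image and dedicated SA names are placeholders, and the deploying user still needs roles/iam.serviceAccountUser on whichever SA is chosen.

```bash
#!/bin/sh
# Added example, not from the original post. Requires gcloud for the live
# functions only; the pure helpers below run offline.
set -eu

# The default Compute Engine SA has a fixed name derived from the project number.
default_compute_sa() {
  printf '%s-compute@developer.gserviceaccount.com\n' "$1"
}

# Return 0 if the default SA can be used as the Cloud Run runtime identity:
# the Compute Engine API must be enabled AND the SA must actually exist.
# $1: enabled services (one per line), $2: SA emails (one per line), $3: project number
default_sa_usable() {
  sa="$(default_compute_sa "$3")"
  printf '%s\n' "$1" | grep -qxF 'compute.googleapis.com' || return 1
  printf '%s\n' "$2" | grep -qxF "$sa" || return 1
}

# Live check: gather project state with gcloud and print the SA to deploy with.
# $1: project ID, $2: dedicated SA email to fall back to (placeholder)
choose_runtime_sa() {
  project_number="$(gcloud projects describe "$1" --format='value(projectNumber)')"
  services="$(gcloud services list --enabled --project "$1" --format='value(config.name)')"
  sas="$(gcloud iam service-accounts list --project "$1" --format='value(email)')"
  if default_sa_usable "$services" "$sas" "$project_number"; then
    default_compute_sa "$project_number"
  else
    printf '%s\n' "$2"
  fi
}

# Deploy with an explicit runtime SA instead of relying on the default one.
# $1: project ID, $2: region, $3: image, $4: runtime SA email
deploy_with_sa() {
  gcloud run deploy image-name --project "$1" --region "$2" --image "$3" \
    --service-account "$4" --env-vars-file .env.yaml
}

# Only run the live part when invoked with arguments: PROJECT_ID REGION IMAGE DEDICATED_SA
if [ "$#" -ge 4 ]; then
  runtime_sa="$(choose_runtime_sa "$1" "$4")"
  echo "Deploying with runtime service account: $runtime_sa"
  deploy_with_sa "$1" "$2" "$3" "$runtime_sa"
fi
```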