I am following the Google Cloud Workflows guide here.
At the third step where you create and deploy the workflow...
I tried the following command:
```
export MY_WORKFLOW=myEventWorkflow
gcloud workflows deploy ${MY_WORKFLOW} --source=myEventWorkflow.yaml
```
and I received the following error:
```
ERROR: (gcloud.workflows.deploy) FAILED_PRECONDITION: Workflows service agent doesn't have permission to access the service account to be used as workflow identity. Please check your IAM settings.
```
How can I solve this error? I am not quite sure what a workflow service agent is.
As John Hanley and Guillaume Blaquiere mentioned, and as per this official doc, to give Workflows service agents access to a service account, follow the process below:
- In the Google Cloud console, go to the Workflows page.
- Click Create to create a workflow, or select the name of the workflow that you want to update.
- In the Service account list, click Switch project.
- Select a service account from a different project.
- If prompted, grant the roles/iam.serviceAccountTokenCreator role to the Workflows service agent.
You need to grant the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) to the Workflows service agent. This permits the service agent to manage the cross-project access for the service account. A service agent is the identity of a given Google Cloud service for a particular project. For more information, see Service agents.
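A command-line equivalent of the console steps above, as an added example that is not part of the original answer: it checks whether the Workflows service agent already holds the role on the workflow's service account and grants it on that one service account if not. The service account email and project number passed in are placeholders you supply, and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: check for, then grant, the binding the answer describes.
# The service account email and project number are caller-supplied
# placeholders (assumptions, not values from the page).

ROLE="roles/iam.serviceAccountTokenCreator"

# Build the IAM member string for a project's Workflows service agent.
# The agent address is keyed on the project *number*, not the project ID.
workflows_agent_member() {  # args: <project-number>
  case "$1" in
    ''|*[!0-9]*) echo "project number must be numeric: '$1'" >&2; return 1 ;;
  esac
  printf 'serviceAccount:service-%s@gcp-sa-workflows.iam.gserviceaccount.com\n' "$1"
}

# Succeeds if the member already holds ROLE on the given service account.
has_binding() {  # args: <service-account-email> <member>
  [ -n "$(gcloud iam service-accounts get-iam-policy "$1" \
      --flatten='bindings[].members' \
      --filter="bindings.role=\"${ROLE}\" AND bindings.members=\"$2\"" \
      --format='value(bindings.members)')" ]
}

# Grant ROLE on the service account resource only, not at project level,
# so the agent can mint tokens for this one identity and no others.
grant_binding() {  # args: <service-account-email> <member>
  gcloud iam service-accounts add-iam-policy-binding "$1" \
    --member="$2" --role="${ROLE}"
}

# Idempotent wrapper: grant only when the binding is missing.
ensure_binding() {  # args: <service-account-email> <project-number>
  member="$(workflows_agent_member "$2")" || return 1
  if has_binding "$1" "$member"; then
    echo "already bound: $member"
  else
    grant_binding "$1" "$member"
  fi
}

# Runs only when invoked with both arguments:
#   ./script.sh <service-account-email> <project-number>
if [ "$#" -eq 2 ]; then ensure_binding "$1" "$2"; fi
```

The project number can be read with `gcloud projects describe PROJECT_ID --format='value(projectNumber)'`.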