
I have been following this documentation to set up an ESPv2 endpoint pretty successfully so far.

I am now up to the "Grant ESPv2 permission to call Service Management and Service Control" step, which tells me to run the following command:

gcloud projects add-iam-policy-binding PROJECT_NAME \
--member "serviceAccount:SERVICE_ACCOUNT" \
--role roles/servicemanagement.serviceController

Unlike in (most) previous steps, there is no clarification of how I might find what the value of SERVICE_ACCOUNT might be.

It simply says, "You can see the Cloud Run instance you deployed and the service account associated with it".

So, when I go to the instance that I deployed, I have to click on "SECURITY" under the recommendation column to see any information whatsoever about a service account. It says,

Cloud Run service cloud-run-cors-service in us-central1 is using the default Compute Engine service account. By default, this service account has broad IAM permissions.

Good. So I now know I'm using the default Compute Engine service account. After searching for "service account" in the Google Cloud Platform console, I find an account called "49...[numbers removed for security]-compute@developer.gserviceaccount.com". I try that in the

gcloud projects add-iam-policy-binding PROJECT_NAME \
--member "serviceAccount:SERVICE_ACCOUNT" \
--role roles/servicemanagement.serviceController

command from above and get:

ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Service account 49...-compute@developer.gserviceaccount.com does not exist.

I subsequently clicked on the account name and got more details. I tried using:

  1. The service account name ("Default compute service account") in the above command. Similar "INVALID_ARGUMENT: Service account" error.

  2. Just the first part of the email address (49...-compute). Similar "INVALID_ARGUMENT: Service account" error.

  3. The Unique ID. Similar "INVALID_ARGUMENT: Service account" error.

Does anyone know what I should actually use here??

Other pages in the documentation suggest that I might try:

PROJECT_NUMBER-compute@developer.gserviceaccount.com as well, which was the first thing above that I tried.

Any help here is much appreciated!

Incidentally, if anyone from Google who has the ability to improve the documentation in that section (or knows how to get in touch with somebody who can) is reading this, an instantiated example of the command, as we see in earlier parts of the documentation, would be SUPER helpful here!

Atticus29
    You must have misspelled the service account. In the Google Cloud console, copy the email address for the service account. Make sure the option to the command looks like this `--member "serviceAccount:XXX-compute@developer.gserviceaccount.com"` – John Hanley Jun 20 '21 at 00:20
  • I guess it must have been a space (`... "serviceAccount: XXX` rather than `... "serviceAccount:XXX`). Works just fine now. Thank you! I tried so many things. – Atticus29 Jun 23 '21 at 03:18
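As an added example (not code from the question, the comments or Google's documentation), a small Python pre-flight check that classifies a `--member` value the way the comment thread diagnosed it: it catches the stray space after the colon, rejects the display name, bare local part and unique ID the asker tried, and flags the default Compute Engine account that the SECURITY panel warned carries broad permissions. The project number and account names below are constructed placeholders.

```python
import re

# Shape of a well-formed service-account member, as gcloud expects it.
MEMBER_RE = re.compile(r"^serviceAccount:(?P<email>[^@\s]+@[^@\s]+\.gserviceaccount\.com)$")
# The project's default Compute Engine account: PROJECT_NUMBER-compute@developer...
DEFAULT_COMPUTE_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
ROLE = "roles/servicemanagement.serviceController"


def _result(ok, reason, default_compute=False):
    return {"ok": ok, "reason": reason, "default_compute": default_compute}


def check_member(member: str) -> dict:
    """Classify a --member value before it is handed to gcloud."""
    if not member.startswith("serviceAccount:"):
        return _result(False, "missing the 'serviceAccount:' member-type prefix")
    value = member[len("serviceAccount:"):]
    if value != value.strip():
        # The failure mode from the comments: 'serviceAccount: x@...' with a space.
        return _result(False, "whitespace after the colon; write 'serviceAccount:x@...'")
    if value.isdigit():
        return _result(False, "numeric unique ID given; gcloud needs the account's email")
    if "@" not in value:
        return _result(False, "display name or bare local part given; use the full email")
    match = MEMBER_RE.match(member)
    if not match:
        return _result(False, "not a *.gserviceaccount.com service-account address")
    email = match.group("email")
    # Well-formed; also report whether this is the broad-permission default account.
    return _result(True, "well-formed", bool(DEFAULT_COMPUTE_RE.match(email)))


def build_binding_argv(project_name: str, member: str, role: str = ROLE) -> list:
    """Return the documented gcloud command as an argv list, or raise on a bad member."""
    verdict = check_member(member)
    if not verdict["ok"]:
        raise ValueError(f"refusing to bind {member!r}: {verdict['reason']}")
    return ["gcloud", "projects", "add-iam-policy-binding", project_name,
            "--member", member, "--role", role]


if __name__ == "__main__":
    # Constructed candidates mirroring what the asker tried; 123456789012 is a placeholder.
    for candidate in ("serviceAccount: 123456789012-compute@developer.gserviceaccount.com",
                      "serviceAccount:Default compute service account",
                      "serviceAccount:123456789012",
                      "serviceAccount:123456789012-compute@developer.gserviceaccount.com"):
        print(candidate, "->", check_member(candidate))
```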

0 Answers