I have the following script I'd like to execute to create my service account and give it a Cloud Build Service Account role.

# create service account for github actions
gcloud iam service-accounts create github-actions --display-name="Github Actions"

# add iam permissions to github actions service account
gcloud iam service-accounts add-iam-policy-binding github-actions@project-id.iam.gserviceaccount.com --member='serviceAccount:github-actions@project-id.iam.gserviceaccount.com' --role='roles/cloudbuild.builds.builder'

The execution fails on the last command with

ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/cloudbuild.builds.builder is not supported for this resource.

I don't know what that means or, better said, what I can do to solve that. I need that service account to have that role so I can start Cloud Build through my Github Actions pipeline with that service account.

xetra11
Comment: You are trying to bind the service account identity to itself. Your command is used to grant other identities permission to use the service account. The role however is not supported for service accounts. @DazWilken's answer is probably what you want. – John Hanley Aug 23 '21 at 18:38

1 Answer
This can be confusing. Service Accounts have a "dual nature": they can be treated as resources and as identities, just not at the same time. See Managing Service Accounts

You're attempting to grant a Service Account (github-actions@project-id.iam.gserviceaccount.com) an IAM binding. In this case, the Service Account is a resource. The binding you're attempting to make references the same Service Account (github-actions@project-id.iam.gserviceaccount.com), this time as an identity. This is not possible.

You possibly (!?) want to grant the binding (as it is) to the project (!) not the Service Account:

PROJECT=[[YOUR-PROJECT]]
ACCOUNT=github-actions
EMAIL="${ACCOUNT}@${PROJECT}.iam.gserviceaccount.com"

gcloud projects add-iam-policy-binding ${PROJECT} \
--member="serviceAccount:${EMAIL}" \
--role='roles/cloudbuild.builds.builder'

But, please ensure that is your intent before issuing that command.

DazWilkin
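The answer above draws the line between the two binding targets: `gcloud projects add-iam-policy-binding` grants a role on the project to the service account acting as an identity, while `gcloud iam service-accounts add-iam-policy-binding` grants some other principal a role on the service account as a resource. As an added example (not code from the question or the answer), the script below wraps both commands behind a preflight check that refuses exactly the self-binding the question ran into, and only accepts roles on the service-account resource from a small allow-list of roles known to apply there. The project id, account name and `DRY_RUN` switch are assumed placeholders; with `DRY_RUN=1` (the default here) the script only prints the command it would run, so it can be exercised without a GCP project.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumed placeholder values: replace PROJECT and ACCOUNT with your own.
PROJECT="my-project-id"
ACCOUNT="github-actions"
EMAIL="${ACCOUNT}@${PROJECT}.iam.gserviceaccount.com"
DRY_RUN="1"   # 1 = print the gcloud command instead of executing it

# Roles that are granted ON a service account (the service account as a resource).
# Local sanity list only; the IAM API remains the authority on what it accepts.
SA_RESOURCE_ROLES="roles/iam.serviceAccountUser roles/iam.serviceAccountTokenCreator"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Grant a role on the PROJECT to the service account acting as an identity.
# This is the form the answer recommends for roles/cloudbuild.builds.builder.
grant_project_role() {
  role="$1"
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:${EMAIL}" --role="$role"
}

# Grant a principal a role ON the service account (service account as a resource),
# e.g. the right to impersonate it. Refuses the self-binding from the question and
# roles that are not in the allow-list above.
grant_on_service_account() {
  principal="$1"
  role="$2"
  if [ "$principal" = "serviceAccount:${EMAIL}" ]; then
    echo "refusing to bind ${EMAIL} to itself: use grant_project_role instead" >&2
    return 1
  fi
  allowed=0
  for r in $SA_RESOURCE_ROLES; do
    [ "$r" = "$role" ] && allowed=1
  done
  if [ "$allowed" != "1" ]; then
    echo "role ${role} is not a known service-account resource role" >&2
    return 2
  fi
  run gcloud iam service-accounts add-iam-policy-binding "$EMAIL" \
    --member="$principal" --role="$role"
}
```

Typical use is `grant_project_role roles/cloudbuild.builds.builder` for the Cloud Build permission, and `grant_on_service_account "user:dev@example.com" roles/iam.serviceAccountUser` when a human or another workload needs to act as the service account; set `DRY_RUN=0` once the printed commands look right.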