gcloud builds submit raises 403 error for `iam.serviceAccounts.get`

Question

I have a Cloud Build I want to run from the command line. However when I try to run the build from my terminal, it raises this error:

$ gcloud builds submit --region=asia-east1 --config cloudbuild.yaml
Creating temporary tarball archive of 1 file(s) totalling 96 bytes before compression.
Uploading tarball of [.] to [gs://<REDACTED>.tgz]
ERROR: (gcloud.builds.submit) PERMISSION_DENIED: generic::permission_denied: Permission iam.serviceAccounts.get is required to perform this operation on service account projects/<PROJECT_ID>/serviceAccounts/<MY_SERVICE_ACCOUNT>.

I have given the role Service Account User to both the above service account, and also to the user logged in to gcloud on my terminal (confirmed with gcloud auth).

Where else am I supposed to grant the permission iam.serviceAccounts.get?

score 0 · Answer 1 · answered Oct 15 '22 at 07:56

0

As per Service Account User role, It runs operations as the service account. Lowest-level resources and you should grant this role to service accounts will have iam.serviceAccounts.get.

Try to give this command and try again

 gcloud iam service-accounts add-iam-policy-binding \
  PROJECT_NUMBER-compute@developer.gserviceaccount.com \
  --member="PRINCIPAL" \
  --role="roles/iam.serviceAccountUser"

And check this Deployment permissions and check cloud build permissions from here.

answered Oct 15 '22 at 07:56

Sai Chandra Gadde

2,242
1
3
15

No idea what "principle" is in this case – Nathan McKaskle Nov 09 '22 at 19:17
@NathanMcKaskle principle may be a user with email or a group,You can add from the [following](https://cloud.google.com/iam/docs/overview?&_ga=2.81713879.-1334537062.1666755371#concepts_related_identity). – Sai Chandra Gadde Nov 10 '22 at 04:22

gcloud builds submit raises 403 error for `iam.serviceAccounts.get`

1 Answers1