
I am successfully able to execute CD (continuous Development) using an owner service account on GitHub Actions & Cloud Run. But I think it is better to give minimal access with a new service account. These are the permissions/roles that I have assigned.

// Custom Role
    Custom Secret Manager Secret Accessor
       => permissions
          - iam.serviceAccounts.actAs
          - secretmanager.versions.access
// role
Service Account Token Creator

And I am getting

Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).

But iam.serviceAccounts.getAccessToken permission is in the Service Account Token Creator role.

And here is my cloud-run.yml

name: Build and Deploy to Google Cloud run

on: 
    push:
        branches:
            - master

env:
  GAR_LOCATION: ${{ vars.GAR_LOCATION }}
  PROJECT_ID: ${{ vars.PROJECT_ID }}
  REPOSITORY: ${{ vars.REPOSITORY }}
  SERVICE: ${{ vars.SERVICE }}
  GITHUB_SHA: ${{ github.sha }}
  REGION: ${{ vars.REGION }}

jobs:
    deploy:
        permissions:
            contents: 'read'
            id-token: 'write'
        
        runs-on: ubuntu-latest
        steps:
          - name: Checkout Code
            uses: actions/checkout@v3
          - name: Google Auth
            id: auth
            uses: google-github-actions/auth@v0
            with:
              token_format: 'access_token'
              workload_identity_provider: '${{ secrets.WIF_PROVIDER }}'
              service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}'

          - name: Login to GAR
            uses: docker/login-action@v2.1.0
            with:
              username: 'oauth2accesstoken'
              password: '${{ steps.auth.outputs.access_token }}'
              registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'

          - name: Build and Push Container
            run: |-
              docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ env.GITHUB_SHA }}" ./
              docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ env.GITHUB_SHA }}"

          - name: Deploy to Cloud Run
            id: deploy
            uses: google-github-actions/deploy-cloudrun@v0
            with:
              service: ${{ env.SERVICE }}
              region: ${{ env.REGION }}
              image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ env.GITHUB_SHA }}
            
          - name: Show Output
            run: echo ${{ steps.deploy.outputs.url }}

It is failing at the Google Auth step because of authentication. What would be the minimal permissions for a service account to perform the CD?

Thanks in advance.

Tushar Roy

2 Answers

0

Let's try adding: roles/iam.serviceAccountUser

The Service Account User role (roles/iam.serviceAccountUser) lets a principal attach a service account to a resource.

Documentation

Linh Vu
  • Thank you for your quick reply. I have already tried that, including the permissions which I have added in the description. But no luck! – Tushar Roy Jul 15 '23 at 11:59
  • I was confused! Your task is, on behalf of secrets.WIF_SERVICE_ACCOUNT, to write to Artifact Registry and Cloud Run, so Cloud Run Admin (roles/run.admin), Service Account User (roles/iam.serviceAccountUser) and Artifact Registry Admin (roles/artifactregistry.admin) would be enough. And roles/iam.serviceAccountUser not only includes iam.serviceAccounts.actAs but also the get and list permissions for your service account. – Linh Vu Jul 15 '23 at 13:31
  • I just tried these roles. But again no luck! – Tushar Roy Jul 16 '23 at 03:53
  • I think there is a problem with my identity federation, because after changing my owner account and assigning these specific permissions it is working. But I have to find out why my previous account was not working. – Tushar Roy Jul 16 '23 at 08:48
0

So silly!!! I had missed impersonating my selected service account.

What I did:

  1. Copied the IAM principal from the provider (Workload Identity Federation menu).
  2. Went to the Service Accounts menu and selected the account. Then selected the MANAGE ACCESS menu at the top.
  3. A modal box appears on the right; there, clicked ADD PRINCIPAL.
  4. In the New principal input box, pasted the copied IAM principal and added the role. In my case, Workload Identity User.
  5. Waited 1/2 minute.

That's it!!!

Service account impersonation

Tushar Roy
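The fix above is a binding on the service account itself (not a project-level role), and the GitHub identity that gets it should be scoped to one repository rather than the whole pool. This added example (not code from the post or from google-github-actions) audits that binding from the service account's IAM policy JSON; the project number, pool id and repository in the sample are placeholders, and the `attribute.repository` form assumes the provider maps `attribute.repository=assertion.repository`.

```python
import json

ROLE = "roles/iam.workloadIdentityUser"

def pool_prefix(project_number, pool_id):
    # Resource prefix shared by every member that comes from one workload identity pool.
    return (f"iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}")

def expected_member(project_number, pool_id, repository):
    # principalSet scoped to one GitHub repository (assumes the provider maps
    # attribute.repository=assertion.repository).
    return f"principalSet://{pool_prefix(project_number, pool_id)}/attribute.repository/{repository}"

def audit_wif_binding(policy, project_number, pool_id, repository):
    """Classify every member that holds ROLE on the service account.

    Returns a list of (status, member) tuples; status is one of
    'ok', 'too_broad', 'other_scope', 'unexpected', or 'missing'.
    """
    prefix = pool_prefix(project_number, pool_id)
    repo_set = expected_member(project_number, pool_id, repository)
    # GitHub's OIDC subject is "repo:OWNER/REPO:ref:..." so a principal:// member
    # pinned to this repository's subject is also acceptable.
    repo_subject = f"principal://{prefix}/subject/repo:{repository}:"
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != ROLE:
            continue  # e.g. Token Creator here does not help a federated principal
        for member in binding.get("members", []):
            if member == repo_set or member.startswith(repo_subject):
                findings.append(("ok", member))
            elif member == f"principalSet://{prefix}/*":
                findings.append(("too_broad", member))  # every identity in the pool
            elif prefix in member:
                findings.append(("other_scope", member))  # same pool, other repo/attribute
            else:
                findings.append(("unexpected", member))
    return findings or [("missing", None)]

# Constructed sample, shaped like `gcloud iam service-accounts get-iam-policy SA --format=json`.
SAMPLE_POLICY = json.loads("""{
  "bindings": [{"role": "roles/iam.workloadIdentityUser",
                "members": ["principalSet://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/github-pool/attribute.repository/example-org/example-app"]}],
  "etag": "BwXexample="
}""")

if __name__ == "__main__":
    for status, member in audit_wif_binding(SAMPLE_POLICY, "123456789012", "github-pool", "example-org/example-app"):
        print(status, member)
```

A `missing` result with only `roles/iam.serviceAccountTokenCreator` bindings present reproduces the situation in the question: the role exists, but not for the federated principal on this service account.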