
I am able to execute CD (continuous development) successfully using an owner service account on GitHub Actions and Cloud Run. But I think it is better to give minimal access with a new service account. These are the permissions/roles that I have assigned.

// Custom Role
    Custom Secret Manager Secret Accessor
       => permissions
          - iam.serviceAccounts.actAs
          - secretmanager.versions.access
// role
Service Account Token Creator

And I am getting

Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).

But iam.serviceAccounts.getAccessToken permission is in the Service Account Token Creator role.

And here is my cloud-run.yml

name: Build and Deploy to Google Cloud run

on:
  push:
    branches:
      - master

env:
  GAR_LOCATION: ${{ vars.GAR_LOCATION }}
  PROJECT_ID: ${{ vars.PROJECT_ID }}
  REPOSITORY: ${{ vars.REPOSITORY }}
  SERVICE: ${{ vars.SERVICE }}
  GITHUB_SHA: ${{ github.sha }}
  REGION: ${{ vars.REGION }}

jobs:
  deploy:
    # id-token: write lets the job request the GitHub OIDC token that
    # Workload Identity Federation exchanges for a Google access token.
    permissions:
      contents: 'read'
      id-token: 'write'

    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      # Exchange the OIDC token for an access token of the target service account
      # (this is the step that needs impersonation rights on that account).
      - name: Google Auth
        id: auth
        uses: google-github-actions/auth@v0
        with:
          token_format: 'access_token'
          workload_identity_provider: '${{ secrets.WIF_PROVIDER }}'
          service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}'

      # Use the short-lived access token as the registry password.
      - name: Login to GAR
        uses: docker/login-action@v2.1.0
        with:
          username: 'oauth2accesstoken'
          password: '${{ steps.auth.outputs.access_token }}'
          registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'

      - name: Build and Push Container
        run: |-
          docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ env.GITHUB_SHA }}" ./
          docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ env.GITHUB_SHA }}"

      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@v0
        with:
          service: ${{ env.SERVICE }}
          region: ${{ env.REGION }}
          image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ env.GITHUB_SHA }}

      - name: Show Output
        run: echo ${{ steps.deploy.outputs.url }}

It is failing at the Google Auth step because of authentication. What is the minimal set of permissions for a service account to perform the CD?

Thanks in advance.

2 Answers


  1. Chosen as BEST ANSWER

    So silly!!! I missed impersonating my selected service account.

    What I did:

    1. Copied the IAM principal from the provider (Workload Identity Federation menu).
    2. Went to the Service Accounts menu and selected the account, then selected MANAGE ACCESS at the top.
    3. A modal box appears on the right; there, click ADD PRINCIPAL.
    4. In the New principal input box, I pasted the copied IAM principal and added the role, in my case Workload Identity User.
    5. Waited for half a minute.

    That's it!!!

    Service account impersonation


  2. Let’s try adding: roles/iam.serviceAccountUser

    The Service Account User role (roles/iam.serviceAccountUser) lets a principal attach a service account to a resource.

    Documentation
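The two answers above point at two different places a binding can live: the accepted answer binds the federated GitHub principal on the service account itself (that is what satisfies iam.serviceAccounts.getAccessToken), while roles at project level decide what the service account can then do (push to Artifact Registry, deploy to Cloud Run, attach the runtime service account). Below is an added example, not code from the question or either answer, that checks both from the JSON that `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json` print. The project number, pool ID, repository, service-account e-mail and the "minimal" role set are assumptions for the sake of the example; the sample policies are constructed inline.

```python
import json

# Role that, when bound ON the service account (not at project level), grants
# iam.serviceAccounts.getAccessToken to the federated principal.
WORKLOAD_IDENTITY_USER = "roles/iam.workloadIdentityUser"

# Project-level roles the workflow on this page needs: push an image to
# Artifact Registry, deploy a Cloud Run revision, and attach the runtime
# service account to that revision. This set is an assumption of the example;
# scope roles/iam.serviceAccountUser to the runtime SA where you can.
MINIMAL_PROJECT_ROLES = {
    "roles/artifactregistry.writer",
    "roles/run.admin",
    "roles/iam.serviceAccountUser",
}


def wif_principal_set(project_number: str, pool_id: str, repo: str) -> str:
    """Member string matching every token whose attribute.repository equals
    `repo`. Assumes the provider maps attribute.repository from the OIDC
    'repository' claim (the mapping the auth action's docs recommend)."""
    return (
        f"principalSet://iam.googleapis.com/projects/{project_number}"
        f"/locations/global/workloadIdentityPools/{pool_id}"
        f"/attribute.repository/{repo}"
    )


def roles_for_member(policy: dict, member: str) -> set:
    """Roles bound to `member` in a get-iam-policy JSON document."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }


def can_impersonate(sa_policy: dict, member: str) -> bool:
    """True if `member` may mint access tokens for the SA owning sa_policy."""
    return WORKLOAD_IDENTITY_USER in roles_for_member(sa_policy, member)


def missing_project_roles(project_policy: dict, sa_email: str) -> list:
    """Minimal roles the deploy SA still lacks at project level, sorted."""
    have = roles_for_member(project_policy, f"serviceAccount:{sa_email}")
    return sorted(MINIMAL_PROJECT_ROLES - have)


def report(sa_policy: dict, project_policy: dict, member: str, sa_email: str) -> dict:
    return {
        "member": member,
        "can_impersonate": can_impersonate(sa_policy, member),
        "missing_project_roles": missing_project_roles(project_policy, sa_email),
    }


# --- constructed sample data (hypothetical project, pool, repo and SA) ---
PROJECT_NUMBER = "123456789012"
POOL_ID = "github-pool"
REPO = "example-org/example-app"
SA_EMAIL = "cd-deployer@example-project.iam.gserviceaccount.com"
MEMBER = wif_principal_set(PROJECT_NUMBER, POOL_ID, REPO)

# State from the question: Token Creator and the custom role were granted to
# the SA at project level, but nothing was bound on the SA itself for the
# federated principal, so getAccessToken is denied.
SA_POLICY_BEFORE = {"bindings": [], "etag": "BwX1"}
PROJECT_POLICY_BEFORE = {
    "bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "projects/example-project/roles/CustomSecretAccessor",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
    ]
}

# State after the accepted answer's binding, plus the deploy roles.
SA_POLICY_AFTER = {
    "bindings": [{"role": WORKLOAD_IDENTITY_USER, "members": [MEMBER]}]
}
PROJECT_POLICY_AFTER = {
    "bindings": [
        {"role": r, "members": [f"serviceAccount:{SA_EMAIL}"]}
        for r in sorted(MINIMAL_PROJECT_ROLES)
    ]
}

if __name__ == "__main__":
    print(json.dumps(report(SA_POLICY_BEFORE, PROJECT_POLICY_BEFORE, MEMBER, SA_EMAIL), indent=2))
    print(json.dumps(report(SA_POLICY_AFTER, PROJECT_POLICY_AFTER, MEMBER, SA_EMAIL), indent=2))
```

The console steps in the accepted answer correspond to `gcloud iam service-accounts add-iam-policy-binding SA_EMAIL --role=roles/iam.workloadIdentityUser --member="MEMBER"`, with MEMBER being the principalSet string the function above builds; binding the same role at project level, or granting Token Creator to the service account as a member, does not satisfy the check on the service account's own policy.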
