Cloud Deploy alertPolicyChecks cross-project fails with opaque permission_denied
I have a Cloud Deploy pipeline in project-a (number 111111111111) deploying Cloud Run to project-b. The production stage’s strategy.standard.analysis.alertPolicyChecks references two alert policies in project-b. Every rollout fails in ~350ms with:
failed to list open alerts: "RPC::CLIENT_ERROR: generic::permission_denied: IAM permission denied for service account deploy-sa@project-a.iam.gserviceaccount.com."
No method name, no permission, no target project.
Isolation test: Pointing alertPolicyChecks at a policy in project-a (same project) produced an unwrapped error naming roles/serviceusage.serviceUsageConsumer on project-a. Granting that role fixed the same-project case. Reverting to cross-project policies brings back the wrapped, useless error above.
IAM on deploy-sa@project-a: on project-a — monitoring.viewer, serviceusage.serviceUsageConsumer, clouddeploy.operator, clouddeploy.jobRunner, iam.serviceAccountUser, run.admin. On project-b — monitoring.viewer, monitoring.alertPolicyViewer, serviceusage.serviceUsageConsumer, iam.serviceAccountUser, run.admin. Cloud Deploy P4 agent service-111111111111@gcp-sa-clouddeploy has monitoring.viewer on project-b.
Ruled out: Monitoring API enabled in both projects, no VPC-SC violations, no matching org/deny policies, policies exist and are enabled, propagation has had over an hour, same-project path works.
Questions:
- For cross-project alertPolicyChecks, who makes the RPC — the execution SA or the P4 service agent?
- What exact permission is needed on the policy’s project? alertPolicies.get/list, incidents.list, something else?
- Why is the cross-project error wrapped/masked while the same-project error is unwrapped?
Thanks.
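Added diagnostic (not part of the question, and not Cloud Deploy's or Cloud Monitoring's own code): since the cross-project error hides the method and permission, the quickest way to answer "which principal holds which permission on project-b" without another rollout is to ask the IAM Policy Troubleshooter API for each principal/permission pair over the policy's project. The script below does that. Assumptions: the project and principal names are taken from the question (the `.iam.gserviceaccount.com` suffix on the Cloud Deploy service agent is assumed, as the usual service-agent form); the candidate permissions are the three the question names and are simply strings to test, not a claim that these are the right ones; the `ACCESS_TOKEN` environment variable and the injectable `post` parameter are constructs of this example so it can be exercised offline with a fake transport; the caller needs the Policy Troubleshooter API enabled and enough access to read the IAM policies involved (roles/iam.securityReviewer on project-b is the usual choice).

```python
"""Ask Policy Troubleshooter which candidate Monitoring permissions each principal
actually holds on the alert policy's project, instead of guessing from a masked error."""
import json
import os
import subprocess
import urllib.request
from typing import Callable, Dict, List

TROUBLESHOOT_URL = "https://policytroubleshooter.googleapis.com/v1/iam:troubleshoot"

# Values taken from the question. The service-agent domain suffix is assumed.
POLICY_PROJECT = "project-b"
PRINCIPALS = [
    "deploy-sa@project-a.iam.gserviceaccount.com",
    "service-111111111111@gcp-sa-clouddeploy.iam.gserviceaccount.com",
]
# Candidate permission names as listed in the question; substitute whatever you want to test.
CANDIDATE_PERMISSIONS = [
    "monitoring.alertPolicies.get",
    "monitoring.alertPolicies.list",
    "monitoring.incidents.list",
]

# Transport signature used throughout: (url, json_body, bearer_token) -> parsed JSON response.
Poster = Callable[[str, dict, str], dict]


def build_request(principal: str, project: str, permission: str) -> dict:
    """Request body for iam.troubleshoot: one accessTuple over the project resource."""
    return {
        "accessTuple": {
            "principal": principal,
            "fullResourceName": f"//cloudresourcemanager.googleapis.com/projects/{project}",
            "permission": permission,
        }
    }


def http_post(url: str, body: dict, token: str) -> dict:
    """Real transport: POST JSON with a bearer token and return the parsed JSON body.
    A bad permission name or missing API enablement surfaces as urllib.error.HTTPError."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def troubleshoot_matrix(principals: List[str], permissions: List[str], project: str,
                        token: str, post: Poster = http_post) -> Dict[str, Dict[str, str]]:
    """Return {principal: {permission: access_state}} using the API's 'access' field
    (GRANTED, NOT_GRANTED, UNKNOWN_CONDITIONAL, UNKNOWN_INFO_DENIED)."""
    matrix: Dict[str, Dict[str, str]] = {}
    for principal in principals:
        matrix[principal] = {}
        for permission in permissions:
            resp = post(TROUBLESHOOT_URL, build_request(principal, project, permission), token)
            matrix[principal][permission] = resp.get("access", "ACCESS_STATE_UNSPECIFIED")
    return matrix


def missing_permissions(matrix: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Per principal, the candidate permissions that are not positively GRANTED.
    UNKNOWN_* states count as missing so they are surfaced rather than silently passed."""
    return {
        principal: sorted(perm for perm, state in perms.items() if state != "GRANTED")
        for principal, perms in matrix.items()
    }


def gcloud_access_token() -> str:
    """Caller's own credentials via the gcloud CLI (the principal being examined is
    named in the request body, so no impersonation of the service agent is needed)."""
    return subprocess.check_output(["gcloud", "auth", "print-access-token"], text=True).strip()


if __name__ == "__main__":
    token = os.environ.get("ACCESS_TOKEN") or gcloud_access_token()
    matrix = troubleshoot_matrix(PRINCIPALS, CANDIDATE_PERMISSIONS, POLICY_PROJECT, token)
    for principal, perms in matrix.items():
        for perm, state in perms.items():
            print(f"{principal:68} {perm:32} {state}")
    for principal, missing in missing_permissions(matrix).items():
        print(f"{principal}: not granted -> {missing or 'none'}")
```

Run it as-is against the real projects (it uses your own gcloud credentials, so the Google-managed service agent can be examined without impersonating it), then repeat with the execution SA swapped for the service agent's project-a counterpart if the answer to "who makes the RPC" turns out to be the agent. An `UNKNOWN_INFO_DENIED` row means your caller cannot read one of the policies in the chain, not that the principal lacks the permission.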