The error message is: ERROR: (gcloud.builds.submit) PERMISSION_DENIED: generic::permission_denied: caller does not have permission to act as service account projects/XXX/serviceAccounts/XXXX. This command is authenticated as [MY_EMAIL] which is the active account specified by the [core/account] property.
I understand the service account should have the right permissions, but the error suggests that my user account doesn’t have permission to act as the service account. Could anyone suggest what steps I might take to resolve this?
The error message indicates that your user account ([MY_EMAIL]) does not have the iam.serviceAccounts.actAs authorization to impersonate the service account XXXX@appspot.gserviceaccount.com. This is essential for the gcloud builds submit command to work when a service account is specified.
You may resolve this issue by:
Verify the IAM policy for the service account and check if [MY_EMAIL] has the required permission using this command:
gcloud iam service-accounts get-iam-policy XXXX@appspot.gserviceaccount.com
If the permission is missing, grant the iam.serviceAccounts.actAs role to [MY_EMAIL]:
gcloud iam service-accounts add-iam-policy-binding \
XXXX@appspot.gserviceaccount.com \
--member=user:[MY_EMAIL] \
--role=roles/iam.serviceAccountUser
Re-run the build command to confirm the issue is resolved.
For more information about service account impersonation, you can read more about it here.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
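To make the policy check from the answer repeatable, here is an added example (not part of the original answer) that classifies how a member appears in the JSON printed by `gcloud iam service-accounts get-iam-policy ... --format=json`. The function name, the status labels and the sample policy are constructed for illustration, and only the role named in the answer is assumed to carry `iam.serviceAccounts.actAs`.

```python
import json

# Assumption: only the role named in the answer is treated as carrying
# iam.serviceAccounts.actAs; add custom roles here if your project uses them.
ACT_AS_ROLES = {"roles/iam.serviceAccountUser"}

# Constructed sample of the JSON printed by
# `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:alice@example.com", "group:builders@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:bob@example.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:carol@example.com"]}
  ],
  "etag": "constructed-etag",
  "version": 3
}
""")


def act_as_status(policy, member):
    """Return (status, indirect) for `member`, e.g. "user:alice@example.com".

    status: "direct", "conditional", "indirect-only" or "missing".
    indirect: group/domain principals holding the role, whose membership
    this policy alone cannot resolve.
    """
    direct = conditional = False
    indirect = []
    # A service account with no bindings returns a policy with only an etag.
    for binding in policy.get("bindings", []):
        if binding.get("role") not in ACT_AS_ROLES:
            continue
        members = binding.get("members", [])
        if member.lower() in (m.lower() for m in members):
            if "condition" in binding:
                conditional = True
            else:
                direct = True
        indirect += [m for m in members if m.startswith(("group:", "domain:"))]
    if direct:
        return "direct", indirect
    if conditional:
        return "conditional", indirect
    return ("indirect-only" if indirect else "missing"), indirect
```

A "missing" or "indirect-only" result does not rule out access, because the role can also be inherited from a project-level binding that this per-service-account policy does not show.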