Unable to set iam.serviceAccounts.actAs to service accounts as requested by apigeecli

Google Cloud Apigee
1

We are using apigeecli in our pipeline and notices that we could use the following commands to deploy without issues:

$ apigeecli token cache -a <CICD_SA_CREDENTIALS_JSON_FILE>
$ apigeecli apis deploy -o $ORG -e $ENV -n $PROXY_NAME -r

But due to a business requirement, we need to deploy the proxy using a service account.

We tried deploying it with the APIGee UI (https://apigee.google.com/landing) setting the optional field with the correct service account (SA named “X”), and it worked as expected.

Now we are trying to do the same within the pipeline, to assign the service account “X” (not the CICD one) using these commands:

$ apigeecli token cache -a <CICD_SA_CREDENTIALS_JSON_FILE>
$ apigeecli apis deploy -o $ORG -e $ENV -n $PROXY_NAME -s $SERVICE_ACCOUNT -r

We checked that the service account variable contains the right pseudo-email format but still not working for us.

We are getting the following error message:

{
  "error": {
    "code": 403,
    "message": "permission 'iam.serviceAccounts.actAs' denied on resource 'projects/-/serviceAccounts/CICD_SA@PROJECT.iam.gserviceaccount.com' (or it may not exist in the project for Apigee org \"PROJECT\")",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.RequestInfo",
        "requestId": "123123123123123"
      }
    ]
  }
}

So basically we tried adding the “roles/iam.serviceAccounts.actAs” to the “X” service account and even the “CICD” service account but seems like that role is not compatible with service accounts.

When we try that, we get another error message:

Role roles/iam.serviceAccounts.actAs is not supported for this resource

So now the pipeline using apigeecli demand a service account with a role that is incompatible with service accounts…

Am I missing something here? is this a bug?

3 Likes
2

German - Have you tried creating a Token from service account and using that?

https://github.com/apigee/apigeecli?tab=readme-ov-file#access-token-generation-from-service-accounts

2 Likes
3

Thanks for your quick response PoornimaD, we are using the “apigeecli token cache” that based on the apigeecli output, is the same as “apigeecli token gen” but also saves it in the cache.

1 Like
4

Can you try adding the roles/iam.serviceAccountUser to the service account (Referring to the service account that you have downloaded the key json file for) used by the build server and see if that works.

or you can use the following gcloud command:

gcloud iam service-accounts add-iam-policy-binding \
  $PROXY_SERVICE_ACCOUNT \
  --member="serviceAccount:$CICD_SERVICE_ACCOUNT" \
  --role="roles/iam.serviceAccountUser"

where $PROXY_SERVICE_ACCOUNT is the (pseudo email) of the service account you specify when deploying the proxy as optional field

2 Likes
5

When you use the UI (console.cloud.google.com) To deplopy an Apigee API proxy, and you specify a service account to use, for that API proxy, you - your logged in user - must have permission to “actAs” that service account. And apparently your logged-in user has that permission, because the dpeloyment succeeds.

When you use the apigeecli tool to deploy an Apigee API proxy, if you use the same identity, in other words if you use something like this:

TOKEN=$(gcloud auth print-access-token)
apigeecli apis deploy --org $ORG --env $ENV --token $TOKEN --wait \
    --name $PROXY_NAME -sa $PROXY_SERVICE_ACCOUNT --ovr

…then it will work, just as it did in the UI. You are using YOUR identity, and as we have seen via the UI, you have “act as” permission on that service account, so the deployment is permitted.

When you use the identity of CICD_SA to request deployment of the proxy, then CICD_SA must have “act as” permission on the proxy service account, in order for the deployment to succeed. The gcloud command that Poornima showed above is the way to grant that permission to the CICD_SA, on the proxy service account. In other words, the identity that runs the CICD is allowed to “Act as” the service account that the proxy will use for its identity.

You may have to wait “a few moments” after the gcloud command completes. Updating IAM permissions is an “eventually consistent” operation. After the IAM policy gets propagated, you can retry the deploy and it will work.

2 Likes
6

Just to take a step back and clarify something…

  1. Are you wanting to deploy an API proxy, and deploy it using a service account ?

Or
2. Are you trying to deploy an api proxy.. and you want this API proxy to interact with a target using a service account?

2 Likes
7

Sounds like both! But it would be good to confirm that.

1 Like
8

Hi team! the idea was to have the SA to target the backend.

After running the providedgcloud iam service-accounts add-iam-policy-binding… command, it’s finally working.

Thank you!

3 Likes
9

Solved

3 Likes