We are using apigeecli in our pipeline and noticed that we could use the following commands to deploy without issues:
$ apigeecli token cache -a <CICD_SA_CREDENTIALS_JSON_FILE>
$ apigeecli apis deploy -o $ORG -e $ENV -n $PROXY_NAME -r
But due to a business requirement, we need to deploy the proxy using a service account.
We tried deploying it with the Apigee UI (https://apigee.google.com/landing), setting the optional field with the correct service account (SA named “X”), and it worked as expected.
Now we are trying to do the same within the pipeline, assigning the service account “X” (not the CICD one) using these commands:
$ apigeecli token cache -a <CICD_SA_CREDENTIALS_JSON_FILE>
$ apigeecli apis deploy -o $ORG -e $ENV -n $PROXY_NAME -s $SERVICE_ACCOUNT -r
We checked that the service account variable contains the right pseudo-email format, but it is still not working for us.
We are getting the following error message:
{
  "error": {
    "code": 403,
    "message": "permission 'iam.serviceAccounts.actAs' denied on resource 'projects/-/serviceAccounts/CICD_SA@PROJECT.iam.gserviceaccount.com' (or it may not exist in the project for Apigee org \"PROJECT\")",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.RequestInfo",
        "requestId": "123123123123123"
      }
    ]
  }
}
So basically we tried adding the “roles/iam.serviceAccounts.actAs” to the “X” service account and even to the “CICD” service account, but it seems that role is not compatible with service accounts.
When we try that, we get another error message:
Role roles/iam.serviceAccounts.actAs is not supported for this resource
So now the pipeline using apigeecli demands a service account with a role that is incompatible with service accounts…
Am I missing something here? Is this a bug?
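As an added diagnostic that is not part of the post and not apigeecli's own code, the following POSIX sh snippet parses the 403 body quoted above, pulls out the denied permission and the service account it was denied on, and checks that SA against the one the pipeline meant to deploy as. The intended SA email is a constructed placeholder standing in for $SERVICE_ACCOUNT, and the role named in the hint uses the standard Google Cloud IAM mapping (roles/iam.serviceAccountUser carries iam.serviceAccounts.actAs), which the post itself does not state.

```shell
#!/bin/sh
# Constructed copy of the 403 body quoted in the post (compacted to one line);
# a pipeline would capture this from apigeecli's output instead.
ERROR_JSON=$(cat <<'EOF'
{"error":{"code":403,"message":"permission 'iam.serviceAccounts.actAs' denied on resource 'projects/-/serviceAccounts/CICD_SA@PROJECT.iam.gserviceaccount.com' (or it may not exist in the project for Apigee org \"PROJECT\")","status":"PERMISSION_DENIED"}}
EOF
)

# Permission named in the error message (empty if the message has no such clause).
denied_permission() {
  printf '%s\n' "$1" | sed -n "s/.*permission '\([^']*\)' denied.*/\1/p"
}

# Service account email the permission was denied on (empty if not an SA resource).
denied_resource() {
  printf '%s\n' "$1" | sed -n "s|.*denied on resource '[^']*/serviceAccounts/\([^']*\)'.*|\1|p"
}

# Classify the failure against the SA the deploy was meant to run as ($2):
#   other              - not an actAs denial at all
#   resource-mismatch  - Apigee tried to act as a different SA than the intended one
#   missing-binding    - right SA, but the deploying principal lacks actAs on it
diagnose_actas_error() {
  perm=$(denied_permission "$1")
  sa=$(denied_resource "$1")
  if [ "$perm" != "iam.serviceAccounts.actAs" ]; then
    echo "other"
  elif [ "$sa" != "$2" ]; then
    echo "resource-mismatch $sa"
  else
    echo "missing-binding $sa"
  fi
}

# Constructed placeholder; in the pipeline this would be the value passed with -s.
INTENDED_SA="x-sa@PROJECT.iam.gserviceaccount.com"
case $(diagnose_actas_error "$ERROR_JSON" "$INTENDED_SA") in
  resource-mismatch*) echo "Check \$SERVICE_ACCOUNT: the error names a different SA than $INTENDED_SA" ;;
  missing-binding*)   echo "Bind roles/iam.serviceAccountUser for the deploying principal on $INTENDED_SA (that role carries iam.serviceAccounts.actAs and is bound on the target SA, not granted to it)" ;;
  *)                  echo "Not an actAs denial; inspect the full error body" ;;
esac
```

Comparing the SA in the error against the one you passed is the first thing to check here, since the quoted error names the CICD SA rather than “X”.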