8

I'm unable to create a Cloud Function in my GCP project using GUI, but have admin roles for GCF, SA and IAM.

Here is the error message:

Missing necessary permission iam.serviceAccounts.actAs for cloud-client-api-gae on the service account serviceaccountname@DOMAIN.iam.gserviceaccount.com. Grant the role 'roles/iam.serviceAccountUser' to cloud-client-api-gae on the service account serviceaccountname@DOMAIN.iam.gserviceaccount.com.

cloud-client-api-gae is not an SA nor User on my IAM list. It must be a creature living underneath Graphical User Interfrace.

I have Enabled API for GCF, AppEngine and I have Service Account Admin role.

I had literally 0 search results when googling for cloud-client-api-gae.

Mr.TK
  • 1,743
  • 2
  • 17
  • 22
  • 2
    Thanks for asking this! I'm running into the same exact issue and had no idea what needed to be done. – jake May 10 '22 at 13:35

3 Answers3

7

I've contacted GCP support and it seems my user was missing single role: Service Account User - that's it.

PS: Person from support didn't know what this thing called "cloud-client-api-gae" is.

Mr.TK
  • 1,743
  • 2
  • 17
  • 22
  • Had the some problem, my error message was saying: cloud-boq-clientapi-functions. Also fixed it by giving my user account the role Service Account User on this specific service account. – Sander van den Oord Sep 05 '22 at 09:59
2

Saw the same thing. You need Service account user on the SA you plan to deploy the CF onto. The same incorrect identity was shown.

Mike
  • 21
  • 1
2

The user account attempting to create cloud function, need to be given "Service account user" role on the Service account they are using for this cloud function to run on.

Ganesh M
  • 51
  • 4