When I try to deploy my Docker image on Cloud Run with the command:

gcloud run deploy --image $MULTI_REGION/$PROJECT/$IMAGE --memory $MEMORY --region $REGION --env-vars-file .env.yaml

I get the following error message:

Deploying container to Cloud Run service [image-name] in project [wagon-bootcamp-352706] region [europe-west1]
X Deploying new service...
  . Creating Revision...
  . Routing traffic...
  . Setting IAM Policy...
Deployment failed
ERROR: (gcloud.run.deploy) User [demange.louis@hotmail.fr] does not have permission to access namespaces instance [wagon-bootcamp-352706] (or it may not exist): Permission 'iam.serviceaccounts.actAs' denied on service account 942802053669-compute@developer.gserviceaccount.com (or it may not exist).

To check the permissions of the project, I use gcloud projects get-iam-policy wagon-bootcamp-352706:

bindings:
- members:
  - serviceAccount:service-942802053669@gcp-sa-artifactregistry.iam.gserviceaccount.com
  role: roles/artifactregistry.serviceAgent
- members:
  - serviceAccount:service-942802053669@containerregistry.iam.gserviceaccount.com
  role: roles/containerregistry.ServiceAgent
- members:
  - user:demange.louis@hotmail.fr
  role: roles/iam.serviceAccountUser
- members:
  - serviceAccount:service-942802053669@cloud-ml.google.com.iam.gserviceaccount.com
  role: roles/ml.serviceAgent
- members:
  - user:demange.louis@hotmail.fr
  role: roles/owner
- members:
  - serviceAccount:service-942802053669@gcp-sa-pubsub.iam.gserviceaccount.com
  role: roles/pubsub.serviceAgent
- members:
  - serviceAccount:service-942802053669@serverless-robot-prod.iam.gserviceaccount.com
  role: roles/run.serviceAgent
- members:
  - user:demange.louis@hotmail.fr
  role: roles/storage.admin
- members:
  - user:demange.louis@hotmail.fr
  role: roles/storage.objectAdmin
- members:
  - user:demange.louis@hotmail.fr
  role: roles/storage.objectCreator

I also checked that the project 'wagon-bootcamp-352706' was the right one.

I also checked in Container Registry that my image 'image-name' was pushed correctly: image-name eu.gcr.io Private

As a conclusion, permissions should be effective, no problem with the previous push, no problem with the project name. The only thing which remains unclear is this account '942802053669-compute@developer.gserviceaccount.com' which is mentioned in the error message; it does not belong to me and I don't know what it is. Does someone have an idea of the problem? Thanks in advance.

Best regards,

Louis Demange

  • Edit your question and show the roles that are assigned to your identity. The error message states that your identity does not have `actAs` for the service account `942802053669-compute@developer.gserviceaccount.com`. Use this command to get the IAM policy for the service account: `gcloud iam service-accounts get-iam-policy SERVICE_ACCOUNT`. – John Hanley Aug 11 '22 at 18:59
  • Link to the command docs: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/get-iam-policy – John Hanley Aug 11 '22 at 19:01
  • I updated the question, my user account demande.louis@hotmail.fr looks to have all the permissions that it needs. – Louis Demange Aug 11 '22 at 19:30
  • Please use the command in my comment. Reference to my answer on how to add the role correctly. https://stackoverflow.com/a/61336174/8016720 – John Hanley Aug 11 '22 at 19:36
  • @LouisDemange do not explicitly expose your email. Please edit your question and comment to hide it – Puteri Aug 11 '22 at 19:49

1 Answer

The issue is that the Service Account 942802053669-compute@developer.gserviceaccount.com does not exist because the Compute Engine API has not been enabled (maybe) or you have deleted it.

You have two options:

  1. Enable the Compute Engine API, for example by going to the Compute Engine section.
  2. If you deleted the Compute Engine default SA, you can recover it (if it was deleted at most 30 days ago) or use another existing Service Account with Cloud Run.

Puteri
  • Yes, I admit that I deleted the '942802053669-compute@developer.gserviceaccount.com' account on Google Cloud because I didn't know what it corresponded to. It appeared, without my knowing how, in the Google Cloud platform, and now it appears automatically in the output of the command. Thank you very much for your answer, but if you have any idea what this account corresponds to, it would be very useful for taking the best decision. – Louis Demange Aug 11 '22 at 19:58
  • @LouisDemange It is the default Compute Engine Service Account https://cloud.google.com/compute/docs/access/service-accounts#default_service_account – Puteri Aug 11 '22 at 20:00
  • Thank you very much, I recovered the 942802053669-compute@developer.gserviceaccount.com and I could deploy my Docker image. :D – Louis Demange Aug 15 '22 at 18:14
  • @LouisDemange Nice. If the answer was helpful, you can accept it to help others – Puteri Aug 15 '22 at 18:25
  • And sometimes you need _both_ options. Oops. – Brian White Feb 06 '23 at 03:02
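The error in the question bundles three separate failure causes into one message: the Compute Engine API may be off, the service account may have been deleted, or the deploying identity may lack a role carrying `iam.serviceAccounts.actAs`. The script below is an added example (not code from the question, the answer, or Google) that checks each cause with the gcloud CLI and prints the fix the answer describes, ordered so that, as Brian White's comment points out, the API is enabled before a recovered account is used. The gcloud commands and flags are real; the function names and the `RUN_DIAG`, `PROJECT_ID`, `PRINCIPAL` and `SA_EMAIL` variables are this example's own conventions, and it assumes an installed, authenticated gcloud. The project-level role check only recognises the predefined `owner`, `editor` and `iam.serviceAccountUser` roles; a binding on the service account itself or a custom role would also satisfy actAs.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: diagnose
# "Permission 'iam.serviceaccounts.actAs' denied ... (or it may not exist)"
# on `gcloud run deploy` by testing each precondition separately.
# Assumes an installed, authenticated gcloud CLI; PROJECT_ID, PRINCIPAL and
# optionally SA_EMAIL are supplied by the caller (names chosen here).

# The default Compute Engine service account is named after the project number.
default_compute_sa() {
  printf '%s-compute@developer.gserviceaccount.com\n' "$1"
}

# Prints 1 if the Compute Engine API is enabled in the project, else 0.
compute_api_enabled() {
  gcloud services list --enabled --project "$1" \
      --filter "config.name:compute.googleapis.com" \
      --format "value(config.name)" 2>/dev/null \
    | grep -q '^compute.googleapis.com$' && echo 1 || echo 0
}

# Prints 1 if the service account currently exists, else 0. A deleted account
# is invisible to describe, which is the "(or it may not exist)" case.
sa_exists() {
  gcloud iam service-accounts describe "$2" --project "$1" >/dev/null 2>&1 \
    && echo 1 || echo 0
}

# Prints 1 if the principal (e.g. user:alice@example.com) holds a project-level
# predefined role that carries iam.serviceAccounts.actAs, else 0. A binding on
# the service account itself, or a custom role, is not covered by this check.
actas_granted() {
  gcloud projects get-iam-policy "$1" \
      --flatten "bindings[].members" --filter "bindings.members:$2" \
      --format "value(bindings.role)" 2>/dev/null \
    | grep -Eq '^roles/(owner|editor|iam\.serviceAccountUser)$' && echo 1 || echo 0
}

# Pure decision: map the three check results (1/0) to the fix to apply first.
# The API comes first because an undeleted account is useless while it is off.
remediation() {
  if   [ "$1" = 0 ]; then echo enable-compute-api
  elif [ "$2" = 0 ]; then echo undelete-or-use-other-sa
  elif [ "$3" = 0 ]; then echo grant-serviceAccountUser
  else                    echo ok
  fi
}

# Run all checks and print the next command. Usage (example convention):
#   RUN_DIAG=1 PROJECT_ID=my-proj PRINCIPAL=user:me@example.com sh diag.sh
# SA_EMAIL defaults to the project's default Compute Engine service account.
diagnose() {
  project_number=$(gcloud projects describe "$PROJECT_ID" --format 'value(projectNumber)')
  sa="${SA_EMAIL:-$(default_compute_sa "$project_number")}"
  api=$(compute_api_enabled "$PROJECT_ID")
  exists=$(sa_exists "$PROJECT_ID" "$sa")
  actas=$(actas_granted "$PROJECT_ID" "$PRINCIPAL")
  printf 'compute API enabled=%s  %s exists=%s  actAs for %s=%s\n' \
    "$api" "$sa" "$exists" "$PRINCIPAL" "$actas"
  case "$(remediation "$api" "$exists" "$actas")" in
    enable-compute-api)
      echo "next: gcloud services enable compute.googleapis.com --project $PROJECT_ID" ;;
    undelete-or-use-other-sa)
      echo "next: within 30 days of deletion, gcloud iam service-accounts undelete UNIQUE_ID"
      echo "      (the numeric id recorded in the DeleteServiceAccount audit-log entry),"
      echo "      or pass --service-account <existing least-privilege SA> to gcloud run deploy" ;;
    grant-serviceAccountUser)
      echo "next: gcloud iam service-accounts add-iam-policy-binding $sa" \
           "--member $PRINCIPAL --role roles/iam.serviceAccountUser" ;;
    ok) echo "next: all checks pass; re-run the deploy" ;;
  esac
}

# Only run the live diagnosis when explicitly asked, so the functions can be
# sourced or tested without a real gcloud.
if [ "${RUN_DIAG:-0}" = 1 ]; then diagnose; fi
```

When the second branch fires, prefer deploying with a dedicated service account that carries only the roles the service needs over reviving the default Compute Engine account, which by default receives broad project-wide permissions; Cloud Run only requires that the deploying identity can act as whichever account is chosen.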