
I am trying to deploy a cloud function via GitLab using a new service account (not the default service account). It has the Cloud Functions Developer role, but it is still failing with the error below:

The error below includes a user called cloud-functions-mixer. I haven't configured anything like that in my repo and I'm not sure why it is coming up.

First of all, running the suggested command doesn't even work because the suggested syntax is bad. I have tried running the command below, but it's not right.

Error: googleapi: Error 403: Missing necessary permission iam.serviceAccounts.actAs for cloud-functions-mixer on the service account [email protected]. Grant the role 'roles/iam.serviceAccountUser' to cloud-functions-mixer on the service account [email protected]. You can do that by running 'gcloud iam service-accounts add-iam-policy-binding [email protected] --member=cloud-functions-mixer --role=roles/iam.serviceAccountUser'.

  • Is there a reason why you're not doing what the error tells you to do? Or what are you asking at all?
    – James Z
    Commented Apr 12, 2022 at 10:48
  • Yeah, I tried executing the command, but cloud-functions-mixer is a user unknown to me. Is it some user in Cloud Functions?
    – jarvis_max
    Commented Apr 12, 2022 at 11:06
  • Please try to re-deploy, because the permission "iam.serviceAccounts.actAs" which is missing as per the error will be granted automatically after the service account creation. Please refer to the documentation cloud.google.com/functions/docs/securing/… Commented Apr 14, 2022 at 13:38

1 Answer


Google's instructions about the cloud-functions-mixer are wrong. What you actually need to do is replace the string cloud-functions-mixer with the name of the service account that is building or deploying your function.

The following user-defined service accounts will be used in an example:

The command to run is:

    gcloud iam service-accounts add-iam-policy-binding \
      [email protected] \
      --member=serviceAccount:[email protected] \
      --role=roles/iam.serviceAccountUser

Docs

Or, in Terraform, you would need a resource like this:

resource "google_service_account_iam_member" "opentok_webhook_mixer" {
  service_account_id = google_service_account.my_cloud_function.id
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.build_service_account.email}"
}

You'll have to update the names of the service account resources.

This approach also works for Google Cloud Build.
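As an added example (not code from the question, the answer, or Google), the script below shows the two things the answer is really about: the `--member=` value must carry a type prefix such as `serviceAccount:` (the bare `cloud-functions-mixer` in the error message is not a valid member), and the grant is a resource-level binding on the runtime service account. It reads an IAM policy in the JSON shape printed by `gcloud iam service-accounts get-iam-policy SA --format=json`, reports whether the deploying service account already holds `roles/iam.serviceAccountUser` on the runtime service account, and otherwise prints a correctly formed grant command. The service account names and the policy document are constructed placeholders, and `iam_member`, `has_actas` and `grant_command` are names chosen for this example.

```python
"""Check an iam.serviceAccounts.actAs gap before a Cloud Functions deploy.

Added example, not part of the original question or answer. Assumes the
policy has the shape printed by
`gcloud iam service-accounts get-iam-policy SA --format=json`.
"""
import json
import shlex

# Holding this role on a service account grants iam.serviceAccounts.actAs on it.
ACTAS_ROLE = "roles/iam.serviceAccountUser"

# Constructed placeholder names (not values from the page).
RUNTIME_SA = "my-function-runtime@example-project.iam.gserviceaccount.com"
DEPLOYER_SA = "gitlab-deployer@example-project.iam.gserviceaccount.com"

# Constructed sample policy of the runtime SA, as get-iam-policy would print it.
# It deliberately lacks the serviceAccountUser binding for the deployer.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:other@example-project.iam.gserviceaccount.com"]}
    ],
    "etag": "constructed-etag=",
    "version": 1,
})


def iam_member(principal: str) -> str:
    """Turn a bare email into the prefixed IAM member string gcloud expects.

    gcloud needs a type prefix (serviceAccount:, user:, group:); a bare name
    such as the cloud-functions-mixer from the error message is rejected.
    """
    if ":" in principal:
        return principal  # already prefixed, pass through unchanged
    if principal.endswith(".gserviceaccount.com"):
        return f"serviceAccount:{principal}"
    return f"user:{principal}"


def members_with_role(policy: dict, role: str) -> set:
    """Collect every member bound to `role` in a service-account IAM policy."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            found.update(binding.get("members", []))
    return found


def has_actas(policy_json: str, deployer: str) -> bool:
    """True if `deployer` already holds serviceAccountUser on this SA."""
    policy = json.loads(policy_json)
    return iam_member(deployer) in members_with_role(policy, ACTAS_ROLE)


def grant_command(runtime_sa: str, deployer: str) -> str:
    """Build the resource-level binding command with a properly prefixed member."""
    return " ".join([
        "gcloud iam service-accounts add-iam-policy-binding",
        shlex.quote(runtime_sa),
        f"--member={shlex.quote(iam_member(deployer))}",
        f"--role={ACTAS_ROLE}",
    ])


if __name__ == "__main__":
    if has_actas(SAMPLE_POLICY_JSON, DEPLOYER_SA):
        print("deployer can already act as the runtime service account")
    else:
        print("missing binding; run:")
        print(grant_command(RUNTIME_SA, DEPLOYER_SA))
```

The policy of a single service account only shows bindings made on that resource. Granting `roles/iam.serviceAccountUser` at project level would also satisfy the error, but it lets the deployer act as every service account in the project, so the per-service-account binding in the answer is the least-privilege option and the one this check looks for.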
