I'm getting a permission error when trying to deploy an image to cloud run:
gcloud beta run deploy endpoints_proxy \
--image="gcr.io/endpoints-release/endpoints-runtime-serverless:1.30.0" \
--allow-unauthenticated
This is the error:
ERROR: (gcloud.beta.run.deploy) User [email-goes-here] does not have permission to access namespace [project-id-goes-here] (or it may not exist): Cloud Run does not have permission to get access tokens for the default compute service account, 1088973916567-compute@developer.gserviceaccount.com. Please give Google Cloud Run Service Agent the permission iam.serviceAccounts.getAccessToken on the default compute service account.
My account has owner and editor permissions, I even tried attaching the Cloud Run Service Agent role.
I also tried adding these roles to the "default compute service account" listed in the error, didn't work.
The error message is very misleading, the error occurs because the Cloud Run Service Agent was missing.
After creating the following service account:
Name: service-<account-id>@serverless-robot-prod.iam.gserviceaccount.com
Role: Google Cloud Run Service Agent
The problem got solved. Looks like Cloud Run needs this service account to work, so don't ever delete it :)