Tags: google-cloud-run, service-accounts, google-iam

User-managed Service Account to deploy Cloud Run instance


I need your help please. I am not able to find out what I am missing. I created a user-managed SA and gave it the roles

roles/run.admin 
roles/iam.serviceAccountUser 


but somehow I am not able to see it when creating a service.


I also added impersonation of the default compute SA.


I am pushing the changes via Terraform:

# The snippet references local.project_id, local.env and a default compute SA
# data source that were not posted; the blocks below are placeholders added so
# the configuration plans on its own (values are not from the original).
locals {
  project_id = "my-project-id"   # placeholder
  env        = "dev"             # placeholder
}

data "google_compute_default_service_account" "default" {
  project = local.project_id
}

resource "google_service_account" "sa-deployer" {
  project      = local.project_id
  account_id   = "${local.env}-sa-deployer-tf"
  display_name = "Service Account to deploy CloudRun instance"
}

# Lets the deployer SA act as (impersonate) the default compute SA, which is
# the runtime identity Cloud Run uses when no other SA is selected.
resource "google_service_account_iam_member" "gce-default-account-iam" {
  service_account_id = data.google_compute_default_service_account.default.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.sa-deployer.email}"

  # Not strictly needed: the reference to sa-deployer.email above already
  # orders creation. Kept as posted.
  depends_on = [
    google_service_account.sa-deployer
  ]
}

# google_project_iam_binding is authoritative for the role: Terraform removes
# any other principal that currently holds roles/run.admin on the project.
# Use google_project_iam_member instead if other principals must keep it.
resource "google_project_iam_binding" "sa-deployer-run-admin" {
  project = local.project_id
  role    = "roles/run.admin"

  members = [
    "serviceAccount:${google_service_account.sa-deployer.email}",
  ]

  depends_on = [
    google_service_account.sa-deployer
  ]
}

# Same authoritative behaviour applies to this binding.
resource "google_project_iam_binding" "sa-deployer-build-admin" {
  project = local.project_id
  role    = "roles/cloudbuild.builds.builder"

  members = [
    "serviceAccount:${google_service_account.sa-deployer.email}",
  ]

  depends_on = [
    google_service_account.sa-deployer
  ]
}

Solution

  • The current user must have the serviceAccountUser role to be able to list the service account on the project.
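The bindings in the question authorize the deployer SA (to act as the compute SA, to administer Cloud Run), but none of them authorizes the human user who is clicking through the console, and the Cloud Run service selector only offers service accounts that user can act as. The following Terraform is an added example, not code from the question or the answer, showing the missing grant scoped to the one service account rather than the whole project; the user principal and variable name are placeholders:

```hcl
# Added example (not from the question or answer). The principal is a placeholder.
variable "deployer_user" {
  description = "Human principal who deploys from the console or gcloud (placeholder)"
  type        = string
  default     = "user:deployer@example.com"
}

# Grants roles/iam.serviceAccountUser on the deployer SA itself. The role carries
# iam.serviceAccounts.actAs, which is the permission checked when a Cloud Run
# service is deployed with this SA as its runtime identity. Binding it on the
# service account resource (not the project) keeps the grant to this one SA.
resource "google_service_account_iam_member" "deployer-user-actas" {
  service_account_id = google_service_account.sa-deployer.name
  role               = "roles/iam.serviceAccountUser"
  member             = var.deployer_user
}
```

After `terraform apply`, the grant can be confirmed with `gcloud iam service-accounts get-iam-policy <sa-email> --project <project-id>`, which should list the user under roles/iam.serviceAccountUser; a project-level binding of the same role would also make the SA selectable but would let the user act as every service account in the project, so the per-SA binding is the least-privilege choice.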