Tags: google-cloud-platform, google-bigquery, google-cloud-functions, google-cloud-storage

Whilst deploying a GCP function, the service account keeps reverting back to its default resulting in an error


When deploying a 2nd gen environment GCP function, the service account keeps reverting back to the default '[email protected]' service account, despite me selecting a custom one that has been created specifically for this function. How do I prevent this from happening? I don't want to use the default as the chosen service account to run the function.

[Screenshots attached to the question: Eventarc trigger settings; Runtime service account setting; Error message]

I've tried creating multiple different functions, changing the trigger type, all with the same result.


Solution

Looking at the error message you supplied, the message is NOT related to the service account that the Cloud Function will run as ... but is instead related to the service account used to build the image that will be used at runtime. When you use Cloud Functions (Gen2), a Docker image is built (behind the scenes) that contains your Cloud Function implementation. At runtime, this image is used to create containers that execute. When you deploy your Cloud Function, a service called Cloud Build is used to build the container. Cloud Build needs credentials in order to run. There is a default service account used for that purpose. It appears that in your environment, the default service account has been disabled (likely by your admin for security purposes). As such, when you try to deploy your Cloud Function, it can't build and hence can't deploy. This is very distinct from the service account you supplied as the service account that the function should eventually run as.

The solution is to deploy your Cloud Function by explicitly passing in a service account that has permissions to use Cloud Build. This story is fully documented here. Assuming your environment is locked down by your administrator, you will likely have to have a conversation with them, show them this post and tell them what you are hoping to achieve. They will likely create a service account for you/your team to use, and then you can plug it into the gcloud command for deployment of the function.
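As an added example (not part of the question or the answer above), here is the deploy flow the answer describes as a shell script: create a dedicated build service account, grant it the Cloud Build builder role, allow the deployer to act as it, and pass it to gcloud with `--build-service-account` alongside the runtime `--service-account`. The project, region, function and account names are placeholders, an HTTP trigger stands in for the question's Eventarc trigger, and the script prints the gcloud commands by default (DRY_RUN=1) instead of running them.

```shell
#!/usr/bin/env bash
# Added example: deploy a Gen2 Cloud Function with an explicitly chosen
# build service account, so the deploy no longer depends on the default
# Cloud Build service account. All names below are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"            # placeholder
REGION="${REGION:-europe-west1}"                  # placeholder
FUNCTION_NAME="${FUNCTION_NAME:-my-func}"         # placeholder
BUILD_SA_NAME="${BUILD_SA_NAME:-fn-build-sa}"     # placeholder
RUNTIME_SA="${RUNTIME_SA:-fn-runtime-sa@${PROJECT_ID}.iam.gserviceaccount.com}"
BUILD_SA="${BUILD_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
DEPLOYER="${DEPLOYER:-user:dev@example.com}"      # placeholder principal

# DRY_RUN=1 (the default) prints each gcloud command instead of running it,
# so the sequence can be reviewed without access to a GCP project.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: a dedicated, least-privilege build service account.
# roles/cloudbuild.builds.builder covers what Cloud Build needs to build
# the function image (write build logs, read the source, push the image).
setup_build_sa() {
  run gcloud iam service-accounts create "$BUILD_SA_NAME" \
    --project="$PROJECT_ID" --display-name="Cloud Functions build SA"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${BUILD_SA}" \
    --role="roles/cloudbuild.builds.builder"
  # Whoever runs the deploy must be allowed to act as the build SA.
  run gcloud iam service-accounts add-iam-policy-binding "$BUILD_SA" \
    --project="$PROJECT_ID" --member="$DEPLOYER" \
    --role="roles/iam.serviceAccountUser"
}

# Step 2: deploy, naming BOTH accounts: --build-service-account is what
# Cloud Build runs as; --service-account is what the function runs as.
deploy_function() {
  run gcloud functions deploy "$FUNCTION_NAME" \
    --gen2 --project="$PROJECT_ID" --region="$REGION" \
    --runtime=python311 --entry-point=main --source=./my-func \
    --trigger-http \
    --build-service-account="projects/${PROJECT_ID}/serviceAccounts/${BUILD_SA}" \
    --service-account="$RUNTIME_SA"
}

setup_build_sa
deploy_function
```

Run with `DRY_RUN=0` once the names match your project; the roles granted here are the ones a locked-down project's administrator would typically be asked to approve.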