Configure Cloud Build service account impersonation for managed services

This document explains how to configure your Cloud Build service account to impersonate service accounts for Runtime, Compute Engine, or App Engine so that you can deploy images to managed services.

Overview

When an image is deployed to specific managed services, the image runs using the identity of the service account for that managed service. Because Cloud Build can deploy new instances or versions automatically, your specified Cloud Build service account or the default Cloud Build service account must be able to impersonate the service account of your managed service. This requirement applies when deploying to the following managed services:

Managed Service       Service Account
App Engine            App Engine service account
Cloud Run functions   Runtime service account
Cloud Run             Service identity
Compute Engine        Compute Engine service account

Set up service account impersonation

To configure your Cloud Build service account to impersonate another service account, do the following:

console

  1. Go to the Cloud Build Permissions page.

  2. Select your Cloud Build service account.

  3. Enable the required IAM role for your managed service:

    Managed Service       Required Role
    App Engine            App Engine Admin (roles/appengine.appAdmin)
    Cloud Run functions   Cloud Functions Developer (roles/cloudfunctions.developer)
    Cloud Run             Cloud Run Admin (roles/run.admin)
    Compute Engine        Compute Instance Admin v1 (roles/compute.instanceAdmin.v1)

    Cloud Build shows the Assign Service Account User Role panel.

  4. Choose a service account to impersonate. For example, if you plan to deploy to Compute Engine and enabled the Compute Instance Admin v1 role, you would choose the Compute Engine service account that you want your Cloud Build service account to impersonate.

  5. Click Grant permission.

gcloud CLI

In the Google Cloud CLI, enter the following:

  gcloud iam service-accounts add-iam-policy-binding \
      SERVICE_ACCOUNT_TO_IMPERSONATE \
      --member="serviceAccount:CLOUD_BUILD_SERVICE_ACCOUNT" \
      --role="roles/iam.serviceAccountUser"

Where:

  • SERVICE_ACCOUNT_TO_IMPERSONATE is the service account that you want to impersonate.
  • CLOUD_BUILD_SERVICE_ACCOUNT is the email address of your Cloud Build service account (the --member value must carry the serviceAccount: prefix).

Cloud Build assigns your Cloud Build service account the Service Account User (roles/iam.serviceAccountUser) role for the service account that you want to impersonate.

The Service Account User role lets a principal attach a service account to a resource, allowing your Cloud Build service account to impersonate your chosen managed service account. For more information, see Service Account User role and Attach service accounts to resources in the IAM documentation.
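The following is an added example, not code from the Cloud Build documentation. It assembles the add-iam-policy-binding call from the gcloud section above and then audits the result as a defender would: it checks that the Cloud Build service account holds Service Account User on the target service account's own policy (the scoped grant the document describes) and that the same role is not also granted at project level, which would let the build account attach every service account in the project rather than just the managed service's. It assumes the JSON shape returned by gcloud iam service-accounts get-iam-policy --format=json and gcloud projects get-iam-policy --format=json (a dict with a "bindings" list of {"role": ..., "members": [...]}); the policies and email addresses below are constructed samples.

```python
"""Build and audit the Cloud Build -> managed service impersonation binding.

Added example (not part of the Cloud Build documentation). Assumes the
"bindings" list layout that `gcloud ... get-iam-policy --format=json` returns.
"""
import shlex

SA_USER_ROLE = "roles/iam.serviceAccountUser"


def cloud_build_member(email: str) -> str:
    """IAM member string for a service account; IAM requires the prefix."""
    if email.startswith("serviceAccount:"):
        return email
    return f"serviceAccount:{email}"


def grant_command(target_sa: str, cloud_build_sa: str) -> list:
    """argv for the add-iam-policy-binding call shown in the document."""
    return [
        "gcloud", "iam", "service-accounts", "add-iam-policy-binding",
        target_sa,
        f"--member={cloud_build_member(cloud_build_sa)}",
        f"--role={SA_USER_ROLE}",
    ]


def grant_command_line(target_sa: str, cloud_build_sa: str) -> str:
    """Same command, quoted for pasting into a shell."""
    return shlex.join(grant_command(target_sa, cloud_build_sa))


def members_with_role(policy: dict, role: str) -> set:
    """All members holding `role` anywhere in a policy's bindings."""
    return {
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role
        for member in binding.get("members", [])
    }


def audit_impersonation(sa_policy: dict, project_policy: dict, cloud_build_sa: str) -> dict:
    """Confirm the grant is scoped to one service account.

    scoped_grant      - Service Account User sits on the target SA's own policy
    project_wide_grant - the same role at project level, which covers every SA
                         in the project and is broader than the document's setup
    """
    member = cloud_build_member(cloud_build_sa)
    return {
        "scoped_grant": member in members_with_role(sa_policy, SA_USER_ROLE),
        "project_wide_grant": member in members_with_role(project_policy, SA_USER_ROLE),
    }


# Constructed sample policies (hypothetical project "example-project").
CLOUD_BUILD_SA = "cloud-build@example-project.iam.gserviceaccount.com"
TARGET_SA = "run-service@example-project.iam.gserviceaccount.com"

SAMPLE_SA_POLICY = {  # target SA policy after the grant
    "bindings": [
        {"role": SA_USER_ROLE, "members": [f"serviceAccount:{CLOUD_BUILD_SA}"]},
    ],
}

SAMPLE_PROJECT_POLICY = {  # project policy: deploy role only, no project-wide SA User
    "bindings": [
        {"role": "roles/run.admin", "members": [f"serviceAccount:{CLOUD_BUILD_SA}"]},
        {"role": SA_USER_ROLE, "members": ["user:alice@example.com"]},
    ],
}

if __name__ == "__main__":
    print(grant_command_line(TARGET_SA, CLOUD_BUILD_SA))
    print(audit_impersonation(SAMPLE_SA_POLICY, SAMPLE_PROJECT_POLICY, CLOUD_BUILD_SA))
```

Run the audit against real output by loading the two JSON documents with json.load and passing them in place of the constructed samples; a result of scoped_grant True and project_wide_grant False matches the setup the document describes.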