This document explains how to configure your Cloud Build service account to impersonate service accounts for Runtime, Compute Engine, or App Engine so that you can deploy images to managed services.
Overview
When an image is deployed to specific managed services, the image runs using the identity of the service account for that managed service. Because Cloud Build can deploy new instances or versions automatically, your specified Cloud Build service account or the default Cloud Build service account must be able to impersonate the service account of your managed service. This requirement applies when deploying to the following managed services:
| Managed Service | Service Account |
|---|---|
| App Engine | App Engine service account |
| Cloud Run functions | Runtime service account |
| Cloud Run | Service identity |
| Compute Engine | Compute Engine service account |
Set up service account impersonation
To configure your Cloud Build service account to impersonate another service account, do the following:
console
Go to the settings Cloud Build Permissions page.
Select your Cloud Build service account.
Enable the required IAM role for your managed service:
Managed Service Required Role App Engine App Engine Admin ( roles/appengine.appAdmin)Cloud Run functions Cloud Functions Developer ( roles/cloudfunctions.developer)Cloud Run Cloud Run Admin ( roles/run.admin)Compute Engine Compute Instance Admin v1 ( roles/compute.instanceAdmin.v1)Cloud Build shows the Assign Service Account User Role panel.
Choose a service account to impersonate. For example, if you plan to deploy to Compute Engine and enabled the Compute Instance Admin v1 role, you would choose the Compute Engine service account that you want your Cloud Build service account to impersonate.
Click Grant permission.
gcloud CLI
In the Google Cloud CLI, enter the following:
gcloud iam service-accounts add-iam-policy-binding \
SERVICE_ACCOUNT_TO_IMPERSONATE \
--member="CLOUD_BUILD_SERVICE_ACCOUNT" \
--role="roles/iam.serviceAccountUser"
Where:
- SERVICE_ACCOUNT_TO_IMPERSONATE is the service account that you want to impersonate.
- CLOUD_BUILD_SERVICE_ACCOUNT is your Cloud Build service account.
Cloud Build assigns your Cloud Build service account
the Service Account User (roles/iam.serviceAccountUser) role for
the service account that you want to impersonate.
The Service Account User role lets a principal attach a service account to a resource, allowing your Cloud Build service account to impersonate your chosen managed service account. For more information, see Service Account User role and Attach service accounts to resources in the IAM documentation.