问题
I am trying to deploy a service with a non-default service account by following this guide and it says I need "the iam.serviceAccounts.actAs permission on the service account being deployed". The service account I am using is @cloudbuild.gserviceaccount.com, but I don't see the option to add it on my project's Permissions page.
回答1:
The key point is that the service account is a resource. You need to add an IAM role for your identity to the service account (the resource). This grants you permissions on the resource (service account).
Open the Google Cloud Console. Go to IAM & Admin -> Service accounts.
Find the service account. Tick the box to the left of the service account.
In the right-hand "Permissions" panel, click ADD MEMBER
Add your IAM member email address. For the role select Service Accounts -> Service Account User.
Click Save
You can also you the CLI:
gcloud iam service-accounts add-iam-policy-binding [SERVICE_ACCOUNT] --member [MEMBER_EMAIL] --role roles/iam.serviceAccountUser
gcloud iam service-accounts add-iam-policy-binding
来源:https://stackoverflow.com/questions/61334524/how-do-you-enable-iam-serviceaccounts-actas-permissions-on-a-sevice-account