I want to automatically deploy cloud functions via GitHub Actions
This is my deploy-cloud-functions.yml file:

name: Deploy Cloud Functions
on:
  push:
    branches:
      - feat/queue
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Authenticate
        uses: 'google-github-actions/auth@v1'
        with:
          workload_identity_provider: 'projects/<number>/locations/global/workloadIdentityPools/<name>/providers/<name>'
          service_account: '[email protected]'
      - name: Deploy Cloud Functions
        uses: google-github-actions/deploy-cloud-functions@v1
        with:
          name: myName
          runtime: nodejs16
          entry_point: myName
          source_dir: ./functions
But it throws an error during the Deploy Cloud Functions step:
Error: google-github-actions/deploy-cloud-functions failed with: failed to upload zip file: Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).
This is the list of roles I added to my service account:
Cloud Functions Service Agent
Service Account OpenID Connect Identity Token Creator
Service Account Token Creator
Service Account User
Workload Identity User
Could you please help me understand what I'm doing wrong?
While creating a service account in the Cloud Console, it will create all the services automatically, including service accounts. Here, when you delete or change the default settings, you may face this issue, since Cloud Functions needs the iam.serviceAccounts.getAccessToken permission. This will generate an access token for the service account to deploy Cloud Functions.
Name: service-<account-id>@test.iam.gserviceaccount.com
Role: roles/iam.serviceAccountTokenCreator
Also, you can add the binding by running the following command (replace <project-id> with your project ID):

gcloud projects add-iam-policy-binding <project-id> \
  --member="serviceAccount:[email protected]" \
  --role="roles/iam.serviceAccountTokenCreator"

Please check the gcloud projects add-iam-policy-binding document.
Please recheck that your value for 'workload_identity_provider' is correct, and if you are still facing the issue you can add additional debugging steps to the GitHub Actions workflow.
In this case the error message is a red herring. Your service account already has the iam.serviceAccounts.getAccessToken permission via the Workload Identity User role among others.
Check your Workload Identity Provider and corresponding service account policy binding in Google Cloud. Are the GitHub organization and repository names correct?
I once had the exact same error and it was because I had renamed the GitHub repository and forgot to update the name of the principalSet in the policy binding.
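Both answers end up at the same two checks: is the workload_identity_provider string well-formed (it takes the numeric project number), and does the service account's IAM policy actually bind this repository's principalSet under roles/iam.workloadIdentityUser? The script below is an added example, not code from the question or either answer. It assumes the principalSet member format that google-github-actions/auth documents (attribute.repository mapped to org/repo); the project number, pool name, repository names and the sample policy are constructed. On a real project you would feed it the output of `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` via load_policy().

```python
"""Check a Workload Identity Federation binding for a GitHub Actions deploy.

Constructed example: derives the principalSet member a GitHub repository maps
to, checks a service-account IAM policy (shape of
`gcloud iam service-accounts get-iam-policy SA --format=json`) for that member
under roles/iam.workloadIdentityUser, and flags bindings that name a different
repository (the renamed-repo case from the second answer).
"""
import json
import re

WIF_USER_ROLE = "roles/iam.workloadIdentityUser"

# workload_identity_provider must use the numeric project number, not the project ID.
PROVIDER_RE = re.compile(
    r"^projects/(?P<number>\d+)/locations/global/workloadIdentityPools/"
    r"(?P<pool>[a-z0-9-]+)/providers/(?P<provider>[a-z0-9-]+)$"
)


def parse_provider(resource: str):
    """Return (project_number, pool_id, provider_id), or None if malformed."""
    match = PROVIDER_RE.match(resource)
    if match is None:
        return None
    return match.group("number"), match.group("pool"), match.group("provider")


def expected_repo_member(project_number: str, pool_id: str, repository: str) -> str:
    """principalSet member covering every identity whose repository attribute is org/repo."""
    return (
        f"principalSet://iam.googleapis.com/projects/{project_number}"
        f"/locations/global/workloadIdentityPools/{pool_id}"
        f"/attribute.repository/{repository}"
    )


def load_policy(path: str) -> dict:
    """Read a policy saved from `gcloud iam service-accounts get-iam-policy ... --format=json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def check_binding(policy: dict, expected_member: str) -> dict:
    """Look for expected_member in the workloadIdentityUser binding of a SA policy."""
    members = []
    for binding in policy.get("bindings", []):
        if binding.get("role") == WIF_USER_ROLE:
            members.extend(binding.get("members", []))
    # Members from the same pool that name another repository are the classic
    # "renamed the repo, forgot to update the binding" mistake.
    pool_prefix = expected_member.rsplit("/attribute.repository/", 1)[0] + "/attribute.repository/"
    stale = sorted(m for m in members if m.startswith(pool_prefix) and m != expected_member)
    return {"ok": expected_member in members, "members": members, "stale_repo_members": stale}


def diagnose(provider: str, policy: dict, repository: str) -> str:
    """One-line verdict for a workflow's provider string plus the SA's IAM policy."""
    parsed = parse_provider(provider)
    if parsed is None:
        return "workload_identity_provider is malformed (needs the numeric project number)"
    number, pool, _ = parsed
    result = check_binding(policy, expected_repo_member(number, pool, repository))
    if result["ok"]:
        return "ok: repository is bound to the service account"
    if result["stale_repo_members"]:
        return "binding names a different repository: " + ", ".join(result["stale_repo_members"])
    return "no workloadIdentityUser binding for this repository"


# Constructed sample: the binding still names the repository's old name.
SAMPLE_PROVIDER = (
    "projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github-provider"
)
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": WIF_USER_ROLE,
            "members": [
                "principalSet://iam.googleapis.com/projects/123456789012/locations/global"
                "/workloadIdentityPools/github-pool/attribute.repository/example-org/old-repo-name"
            ],
        }
    ],
    "etag": "BwXconstructed=",
}

if __name__ == "__main__":
    print(diagnose(SAMPLE_PROVIDER, SAMPLE_POLICY, "example-org/cloud-functions"))
```

The stale-member check is deliberately narrow: it only compares members from the same pool and attribute, so a binding for a different pool or an attribute.repository_owner grant is reported as "no binding" rather than mistaken for a rename.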