When developers preview and deploy applications, they can use an existing service account, or App Design Center can automatically create a new service account. If you want developers to use your service account, you must do the following:
- Add IAM policy bindings to the service account and user account.
- Grant the service account the roles required to deploy each resource.
- Add permissions to the service account to deploy outside of the project where the service account was created.
- Update your organization policies to allow service accounts to be used across projects.
To configure your service accounts, do the following:
Add an IAM policy binding for the role of
roles/iam.serviceAccountUserrole for the service agent to your service account:gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \ --member="serviceAccount:service-SERVICE_ACCOUNT_PROJECT_ID@gcp-sa-designcenter.iam.gserviceaccount.com" \ --role="roles/iam.serviceAccountUser"Replace the following:
SERVICE_ACCOUNT_EMAIL: Your service account email.SERVICE_ACCOUNT_PROJECT_ID: The project ID of the project that contains your service account.
Add an IAM policy binding for the role of
roles/iam.serviceAccountUserfor a user to your service account:gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \ --member="user:USER_EMAIL" \ --role="roles/iam.serviceAccountUser"Replace the following:
SERVICE_ACCOUNT_EMAIL: Your service account email.USER_EMAIL: The user email for the user who performs the deployment.
In the project that has your service account, add IAM policy bindings for the required service agent roles on the management project that contains your space:
gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \ --member="serviceAccount:service-MANAGEMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \ --role="roles/apphub.editor"gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \ --member="serviceAccount:service-MANAGEMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \ --role="roles/config.agent"gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \ --member="serviceAccount:service-MANAGEMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \ --role="roles/serviceusage.ServiceUsageAdmin"Replace the following:
SERVICE_ACCOUNT_PROJECT_ID: The project ID of the project that contains your service account.MANAGEMENT_PROJECT_NUMBER: The project number of the management project that contains your space.
In the project that has your service account, ensure that the
iam.disableCrossProjectServiceAccountUsageorganization policy constraint is not enforced. This constraint is enforced by default.To disable enforcement of the organization policy constraint, run the following command:
gcloud resource-manager org-policies disable-enforce \ iam.disableCrossProjectServiceAccountUsage \ --project=SERVICE_ACCOUNT_PROJECT_IDReplace the following:
SERVICE_ACCOUNT_PROJECT_ID: The project ID of the project that contains your service account.
Grant your service account the roles required to deploy resources in projects. The required roles are displayed when developers deploy applications.
For example, to grant the
roles/run.adminrole, add the following policy binding:gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \ --member="serviceAccount:service-DEPLOYMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \ --role="roles/run.admin"Replace the following:
SERVICE_ACCOUNT_PROJECT_ID: The project ID of the project that contains your service account.DEPLOYMENT_PROJECT_NUMBER: The project number of the project where you're deploying resources.
App Design Center uses Infrastructure Manager to deploy applications in the console. To use your own service account to deploy with Infrastructure Manager, complete the steps in Grant access to projects.
What's next
- Understand the lifecycle of applications in Manage applications.
- Deploy an application from the console.