Grant roles to your service account

When developers preview and deploy applications, they can use an existing service account, or a new service account can be automatically created. If you want developers to use your service account, you must do the following:

  • Add IAM policy bindings to the service account and user account.
  • Grant the service account the roles required to deploy each resource.
  • Add permissions to the service account to deploy outside of the project where the service account was created.

To grant the required roles, add the following IAM policy bindings. Bind roles/iam.serviceAccountUser on the service account resource itself, as shown in steps 1 and 2, rather than at project level: that role lets a principal act as the service account and inherit everything it can do, and a project-level grant would extend that to every service account in the project.

  1. Add an IAM policy binding for the roles/iam.serviceAccountUser role on your service account for the App Design Center service agent. Service agent emails embed the project number, not the project ID:

    gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
        --member="serviceAccount:service-SERVICE_ACCOUNT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \
        --role="roles/iam.serviceAccountUser"
    

    Replace the following:

    • SERVICE_ACCOUNT_EMAIL: Your service account email.
    • SERVICE_ACCOUNT_PROJECT_NUMBER: The project number of the project that contains your service account.
  2. Add an IAM policy binding for the roles/iam.serviceAccountUser role on your service account for the user who performs deployments:

    gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
        --member="user:USER_EMAIL" \
        --role="roles/iam.serviceAccountUser"
    

    Replace the following:

    • SERVICE_ACCOUNT_EMAIL: Your service account email.
    • USER_EMAIL: The user email for the user who performs the deployment.
  3. In the project that contains your service account, grant the required roles to the App Design Center service agent of the management project (the project that contains your space):

    gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \
        --member="serviceAccount:service-MANAGEMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \
        --role="roles/apphub.editor"
    
    gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \
        --member="serviceAccount:service-MANAGEMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \
        --role="roles/config.agent"
    
    gcloud projects add-iam-policy-binding SERVICE_ACCOUNT_PROJECT_ID \
        --member="serviceAccount:service-MANAGEMENT_PROJECT_NUMBER@gcp-sa-designcenter.iam.gserviceaccount.com" \
        --role="roles/serviceusage.serviceUsageAdmin"
    

    Replace the following:

    • SERVICE_ACCOUNT_PROJECT_ID: The project ID of the project that contains your service account.
    • MANAGEMENT_PROJECT_NUMBER: The project number of the management project that contains your space.
  4. Grant your service account the roles required to deploy resources in each deployment project, including projects other than the one that contains the service account. The required roles are displayed when developers deploy applications. Grant only the roles that the deployment actually needs, on the deployment project rather than at folder or organization level.

    For example, to grant the roles/run.admin role to your service account in a deployment project, add the following policy binding:

    gcloud projects add-iam-policy-binding DEPLOYMENT_PROJECT_ID \
        --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \
        --role="roles/run.admin"
    

    Replace the following:

    • DEPLOYMENT_PROJECT_ID: The project ID of the project where you're deploying resources.
    • SERVICE_ACCOUNT_EMAIL: Your service account email.
  5. App Design Center uses Infrastructure Manager to deploy applications in the console. To use your own service account to deploy with Infrastructure Manager, complete the steps in Grant access to projects.
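The following script is an added example, not part of the App Design Center documentation or the gcloud tooling: it applies the bindings from steps 1 through 4 above in one run, validates the identifiers before calling gcloud, and includes a check that confirms a role/member pair is present in a policy that gcloud has already printed. The function names, the DRY_RUN switch and the sample policy text are this example's own assumptions; it also assumes gcloud is installed and authenticated as a principal allowed to edit IAM on the service account project and the deployment project. The default DRY_RUN=1 only prints the commands it would run.

```shell
#!/bin/sh
# Added example: apply the bindings from steps 1-4 and verify them.
# Not from the App Design Center docs; names and DRY_RUN are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 to actually call gcloud

# App Design Center service agent email for a project NUMBER.
# Service agent emails always embed the project number, never the project ID.
designcenter_agent() {
  printf 'service-%s@gcp-sa-designcenter.iam.gserviceaccount.com\n' "$1"
}

# Project IDs: 6-30 chars, lowercase letters, digits and hyphens, start with a letter.
is_project_id() {
  printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Project numbers are decimal digits only.
is_project_number() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+$'
}

# User-managed service account: NAME@PROJECT_ID.iam.gserviceaccount.com
is_sa_email() {
  printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$'
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Look up a project number from its ID (calls gcloud; not used in dry run).
project_number() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# grant_all SA_EMAIL SA_PROJECT_ID SA_PROJECT_NUMBER USER_EMAIL MGMT_PROJECT_NUMBER DEPLOY_PROJECT_ID DEPLOY_ROLE
grant_all() {
  sa_email="$1"; sa_project="$2"; sa_project_number="$3"; user_email="$4"
  mgmt_project_number="$5"; deploy_project="$6"; deploy_role="$7"

  is_sa_email "$sa_email" || { echo "bad service account email: $sa_email" >&2; return 1; }
  is_project_id "$sa_project" || { echo "bad project ID: $sa_project" >&2; return 1; }
  is_project_id "$deploy_project" || { echo "bad project ID: $deploy_project" >&2; return 1; }
  is_project_number "$sa_project_number" || { echo "bad project number: $sa_project_number" >&2; return 1; }
  is_project_number "$mgmt_project_number" || { echo "bad project number: $mgmt_project_number" >&2; return 1; }

  # Step 1: the service agent may act as the SA. Bound on the SA resource, not the project.
  run gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
    --member="serviceAccount:$(designcenter_agent "$sa_project_number")" \
    --role="roles/iam.serviceAccountUser"

  # Step 2: the deploying user may act as the SA.
  run gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
    --member="user:$user_email" --role="roles/iam.serviceAccountUser"

  # Step 3: the management project's service agent gets its roles in the SA project.
  mgmt_agent="serviceAccount:$(designcenter_agent "$mgmt_project_number")"
  for role in roles/apphub.editor roles/config.agent roles/serviceusage.serviceUsageAdmin; do
    run gcloud projects add-iam-policy-binding "$sa_project" --member="$mgmt_agent" --role="$role"
  done

  # Step 4: the SA itself gets its deployment role in the deployment project.
  run gcloud projects add-iam-policy-binding "$deploy_project" \
    --member="serviceAccount:$sa_email" --role="$deploy_role"
}

# binding_present POLICY_TEXT ROLE MEMBER
# POLICY_TEXT is the output of (assumed gcloud output format, one "role<TAB>member" line per binding):
#   gcloud iam service-accounts get-iam-policy SA_EMAIL \
#       --flatten='bindings[].members' --format='value(bindings.role,bindings.members)'
# Succeeds only if the exact role/member pair is present.
binding_present() {
  printf '%s\n' "$1" | awk -F'\t' -v r="$2" -v m="$3" '$1==r && $2==m {found=1} END {exit !found}'
}
```

With DRY_RUN=0 the same `grant_all` call runs the six gcloud commands for real; running `binding_present` afterwards on the fetched policy turns the manual "check the IAM page" step into something a pipeline can assert on before it lets developers deploy.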

What's next