Description
Describe the bug
When attempting to deploy an agent using `adk deploy cloud_run`, the process fails with a `PERMISSION_DENIED` error. This occurs because the default Cloud Build service account (`[PROJECT_NUMBER]@cloudbuild.gserviceaccount.com`) lacks the necessary `roles/iam.serviceAccountUser` IAM permission to act on behalf of other services or manage resources during the deployment to Cloud Run.
To Reproduce
Steps to reproduce the behavior:
- Set up the required environment variables for a Google Cloud Project:
```bash
export GOOGLE_CLOUD_PROJECT="your-gcp-project-id"
export GOOGLE_CLOUD_LOCATION="your-gcp-region"
export AGENT_PATH="./path-to-your-agent-code" # e.g., ./google-search-agent
export SERVICE_NAME="your-cloud-run-service-name" # e.g., google-search-agent
export APP_NAME="your-app-name" # e.g., google-search-agent-app
```
- Ensure the Cloud Build API is enabled in the Google Cloud Project.
- Attempt to deploy the agent using the ADK command:
```bash
adk deploy cloud_run \
  --project=$GOOGLE_CLOUD_PROJECT \
  --region=$GOOGLE_CLOUD_LOCATION \
  --service_name=$SERVICE_NAME \
  --app_name=$APP_NAME \
  --with_ui \
  $AGENT_PATH
```
- See error:
```
ERROR: (gcloud.run.deploy) PERMISSION_DENIED: Build failed because the service account [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com is missing required IAM permissions. Please grant [roles/iam.serviceAccountUser] to the service account.
```
(or similar).
Expected behavior
The `adk deploy cloud_run` command should ideally:
- Successfully complete the deployment without manual IAM intervention if possible.
Additional context
The issue can be manually resolved by granting `roles/iam.serviceAccountUser` to the Cloud Build service account:
```bash
gcloud projects add-iam-policy-binding $GOOGLE_CLOUD_PROJECT \
  --member="serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com" \
  --role="roles/iam.serviceAccountUser"
```
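The following preflight check is an added example, not part of this issue or of the ADK project. It reads the project IAM policy as produced by `gcloud projects get-iam-policy PROJECT --format=json`, verifies that the default Cloud Build service account holds `roles/iam.serviceAccountUser` through an unconditional binding (a binding with an IAM condition may not apply at build time, so it is reported separately rather than counted), and prints the `gcloud` command from the report above when the role is missing. The project number, project id and policy contents below are constructed sample values.

```python
"""Preflight check before `adk deploy cloud_run`: does the default Cloud Build
service account hold the IAM roles the build needs?

Usage:
    gcloud projects get-iam-policy "$GOOGLE_CLOUD_PROJECT" --format=json \
        | python check_cloudbuild_sa.py "$GOOGLE_CLOUD_PROJECT" "$PROJECT_NUMBER"
With no stdin policy, the constructed sample policy below is used.
"""
import json
import sys

# Role named in the PERMISSION_DENIED error from the bug report.
REQUIRED_ROLES = ("roles/iam.serviceAccountUser",)

# Constructed sample: the Cloud Build SA only holds the builder role, plus a
# *conditional* serviceAccountUser binding that does not count as a grant here.
SAMPLE_PROJECT_ID = "example-project"          # constructed value
SAMPLE_PROJECT_NUMBER = "123456789012"         # constructed value
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwX-constructed",
    "bindings": [
        {
            "role": "roles/cloudbuild.builds.builder",
            "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"],
        },
        {
            "role": "roles/iam.serviceAccountUser",
            "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"],
            "condition": {
                "title": "expired",
                "expression": 'request.time < timestamp("2000-01-01T00:00:00Z")',
            },
        },
    ],
}


def cloudbuild_member(project_number: str) -> str:
    """IAM member string of the default Cloud Build service account."""
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"


def has_unconditional_binding(policy: dict, role: str, member: str) -> bool:
    """True if `member` holds `role` through a binding without an IAM condition."""
    for binding in policy.get("bindings", []):
        if binding.get("role") != role or "condition" in binding:
            continue
        if member in binding.get("members", []):
            return True
    return False


def conditional_bindings(policy: dict, role: str, member: str) -> list:
    """Conditional bindings for `member`/`role`, reported so the operator can inspect them."""
    return [
        b for b in policy.get("bindings", [])
        if b.get("role") == role and "condition" in b and member in b.get("members", [])
    ]


def missing_roles(policy: dict, member: str, required=REQUIRED_ROLES) -> list:
    """Required roles that `member` does not hold unconditionally."""
    return [r for r in required if not has_unconditional_binding(policy, r, member)]


def grant_command(project_id: str, member: str, role: str) -> str:
    """Project-level grant, exactly as in the bug report's workaround."""
    return (f"gcloud projects add-iam-policy-binding {project_id} "
            f'--member="{member}" --role="{role}"')


def scoped_grant_command(runtime_sa_email: str, member: str, role: str) -> str:
    """Narrower alternative: grant the role on one runtime service account only."""
    return (f"gcloud iam service-accounts add-iam-policy-binding {runtime_sa_email} "
            f'--member="{member}" --role="{role}"')


def report(policy: dict, project_id: str, project_number: str) -> list:
    """Return the list of gcloud commands needed; empty means the build may proceed."""
    member = cloudbuild_member(project_number)
    commands = []
    for role in missing_roles(policy, member):
        for b in conditional_bindings(policy, role, member):
            print(f"note: {role} is only bound with condition "
                  f"{b['condition'].get('title')!r}; not counted", file=sys.stderr)
        commands.append(grant_command(project_id, member, role))
    return commands


if __name__ == "__main__":
    if len(sys.argv) == 3 and not sys.stdin.isatty():
        policy, project_id, project_number = json.load(sys.stdin), sys.argv[1], sys.argv[2]
    else:
        policy, project_id, project_number = SAMPLE_POLICY, SAMPLE_PROJECT_ID, SAMPLE_PROJECT_NUMBER
    for cmd in report(policy, project_id, project_number):
        print(cmd)
```

`grant_command` reproduces the project-wide binding from the workaround above. `scoped_grant_command` is the least-privilege variant: binding `roles/iam.serviceAccountUser` on the specific runtime service account the Cloud Run service will use limits which identities Cloud Build can act as, instead of granting it over every service account in the project.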