Potential new permission requirement for service accounts #212

Open
kletts opened this issue Nov 8, 2024 · 1 comment
kletts commented Nov 8, 2024

I've just been following the standard setup script using the recommended settings via cr_setup() for a new project on Google Cloud; unfortunately cr_setup_test("plumber") failed with the following error message in the logs for Cloud Build:

"auth cloudrun": ERROR: (gcloud.run.services.add-iam-policy-binding) PERMISSION_DENIED: Permission 'run.services.setIamPolicy' denied on resource

I solved the issue by manually adding 'run.services.setIamPolicy' as Cloud Functions Admin to the roles of the service account.

I'm not sure if it was something I did or if this is a new build requirement from Google's end (I did find a blog post from August of some changes related to Cloud Functions and Cloud Run), or perhaps the role has simply been renamed, as cr_setup_role_lookup() seems to include roles with similar-looking roles -- perhaps cr_setup_role_lookup() needs to be updated. Unfortunately I don't know enough about the subtleties to make any concrete suggestions.

Thanks for a great package. Christian

@MarkEdmondson1234
Owner

Great, thanks. Yes, looks like an IAM update. I suspect a less permissive role than Cloud Functions Admin will fix it too, but glad you got over the blocker.
