use different service account for build

mdunker · mdunker · commit 61a1202087d3 · 2025-09-05T13:48:24.000-07:00
diff --git a/quests/develop-apis-apigee/rest-backend/deploy.sh b/quests/develop-apis-apigee/rest-backend/deploy.sh
@@ -23,6 +23,7 @@ gcloud artifacts repositories create ${REPOSITORY_NAME} --repository-format=dock
 # build image from code
 echo "*** submit build of service ${SERVICE_NAME} to Cloud Build ***"
 gcloud builds submit --tag ${CLOUDRUN_REGION}-docker.pkg.dev/${GOOGLE_PROJECT_ID}/${REPOSITORY_NAME}/${SERVICE_NAME} \
+  --service-account=${SVCACCT_EMAIL} \
   --project=${GOOGLE_PROJECT_ID}
 
 # deploy service
diff --git a/quests/develop-apis-apigee/rest-backend/init-service.sh b/quests/develop-apis-apigee/rest-backend/init-service.sh
@@ -10,6 +10,7 @@ fi
 export SVCACCT_NAME="simplebank-rest"
 export SVCACCT_EMAIL="${SVCACCT_NAME}@${GOOGLE_PROJECT_ID}.iam.gserviceaccount.com"
 export SVCACCT_ROLE="roles/datastore.user"
+export SVCACCT_ROLE2="cloudbuild.builds.builder"
 
 # create service account for Cloud Run service
 echo "*** creating Cloud Run service account: ${SVCACCT_EMAIL} ***"
@@ -22,3 +23,9 @@ echo "*** adding role ${SVCACCT_ROLE} for Firestore access ***"
 gcloud projects add-iam-policy-binding ${GOOGLE_PROJECT_ID} \
   --member="serviceAccount:${SVCACCT_EMAIL}" \
   --role=${SVCACCT_ROLE}
+
+# add permission to access Cloud Build
+echo "*** adding role ${SVCACCT_ROLE} for Firestore access ***"
+gcloud projects add-iam-policy-binding ${GOOGLE_PROJECT_ID} \
+  --member="serviceAccount:${SVCACCT_EMAIL}" \
+  --role=${SVCACCT_ROLE2}
