FAQ

Authentication Issues

google.auth.exceptions.RefreshError: ('Unable to acquire impersonated credentials', ... "Permission 'iam.serviceAccounts.getAccessToken' denied ...")

Problem:

You are seeing a PERMISSION_DENIED error when the application tries to impersonate a service account. This usually happens when running the application locally or in a new environment for the first time.

The application uses service account impersonation to securely access Google Cloud resources. The identity running the code (your user account or a service account) needs permission to create tokens for the target service account.

Solution:

You need to grant the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) to the principal that is running the code, on the target service account that is being impersonated.

  1. Identify the Target Service Account:

    This is the service account the application is trying to impersonate. It's defined by the PLATFORM_SERVICE_ACCOUNT environment variable in your .env.local file or in your Cloud Run service configuration. It usually looks like smartsre-platform@your-gcp-project.iam.gserviceaccount.com.

  2. Identify the Source Principal:

    This is the identity running the code.

    • If you are running the application locally, this is your user account. You can get your current authenticated user with:
      gcloud auth list --filter=status:ACTIVE --format='value(account)'
    • If the application is running on Cloud Run, GKE, or a Compute Engine VM, this is the service account associated with that resource.
  3. Grant the Permission:

    Use the following gcloud command to grant the permission.

    • For a user account:

      gcloud iam service-accounts add-iam-policy-binding [TARGET_SERVICE_ACCOUNT] \
      --member="user:[YOUR_USER_EMAIL]" \
      --role="roles/iam.serviceAccountTokenCreator"

      Replace [TARGET_SERVICE_ACCOUNT] and [YOUR_USER_EMAIL] with the correct values.

    • For a service account:

      gcloud iam service-accounts add-iam-policy-binding [TARGET_SERVICE_ACCOUNT] \
      --member="serviceAccount:[SOURCE_SERVICE_ACCOUNT_EMAIL]" \
      --role="roles/iam.serviceAccountTokenCreator"

      Replace [TARGET_SERVICE_ACCOUNT] and [SOURCE_SERVICE_ACCOUNT_EMAIL] with the correct values.

Example:

If your user is test-user@example.com and the PLATFORM_SERVICE_ACCOUNT is smartsre-platform@my-project.iam.gserviceaccount.com, the command would be:

gcloud iam service-accounts add-iam-policy-binding smartsre-platform@my-project.iam.gserviceaccount.com \
--member="user:test-user@example.com" \
--role="roles/iam.serviceAccountTokenCreator"

After granting the permission, the authentication error should be resolved.
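To check whether the binding actually exists before and after running the command above, the following added example (not part of this FAQ or the project's code) builds the correct `user:`/`serviceAccount:` member string for the principal from step 2, scans the target service account's IAM policy for the Token Creator role, and prints the exact `add-iam-policy-binding` command when the grant is missing. It assumes the policy JSON has the shape returned by `gcloud iam service-accounts get-iam-policy TARGET --format=json` (a `bindings` list of `role`/`members`, optionally with a `condition`); the policy embedded below is a constructed sample, and the email addresses are the placeholders used on this page.

```python
import json

TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator"


def member_for(account: str) -> str:
    """IAM member string for the principal running the code (step 2 above).
    Service accounts live under gserviceaccount.com; anything else is a user."""
    if account.endswith(".gserviceaccount.com"):
        return f"serviceAccount:{account}"
    return f"user:{account}"


def token_creator_grants(policy: dict, member: str) -> list:
    """Bindings in the service account's IAM policy that give `member` the
    Token Creator role. Role names are matched exactly: the broader
    roles/iam.serviceAccountUser binding does NOT allow token creation."""
    return [
        b for b in policy.get("bindings", [])
        if b.get("role") == TOKEN_CREATOR_ROLE and member in b.get("members", [])
    ]


def diagnose(policy: dict, account: str) -> str:
    """'granted', 'conditional' (only a conditional binding, which applies
    only while its expression is true), or 'missing'."""
    grants = token_creator_grants(policy, member_for(account))
    if any("condition" not in b for b in grants):
        return "granted"
    return "conditional" if grants else "missing"


def grant_command(account: str, target_sa: str) -> str:
    """The fix from step 3, with the member prefix chosen automatically."""
    return (f"gcloud iam service-accounts add-iam-policy-binding {target_sa} "
            f'--member="{member_for(account)}" --role="{TOKEN_CREATOR_ROLE}"')


# Constructed sample policy: the user has the role, the CI service account
# only has serviceAccountUser, which is not enough to impersonate.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["user:test-user@example.com"]},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:ci-runner@my-project.iam.gserviceaccount.com"]}]}""")

if __name__ == "__main__":
    target = "smartsre-platform@my-project.iam.gserviceaccount.com"
    for acct in ("test-user@example.com", "ci-runner@my-project.iam.gserviceaccount.com"):
        status = diagnose(SAMPLE_POLICY, acct)
        print(f"{acct}: {status}" + ("" if status == "granted" else f"\n  fix: {grant_command(acct, target)}"))
```

On a real environment, replace `SAMPLE_POLICY` with `json.load` over the output of `gcloud iam service-accounts get-iam-policy PLATFORM_SERVICE_ACCOUNT --format=json`.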