Hey, I wonder why the instructions suggest giving the service account "owner" on the project. That is very unsafe and is excessive.
I actually got this working without any permissions at all - as far as I can tell the service account just needs to be added in Play Store to have permissions to publish the app, but at the GCP IAM level no permissions are required. Maybe that is for features I'm not using?
I would recommend updating the README to not ask people to just give such broad permissions to the account. Happy to send a PR if you agree.
Additionally I would highlight the fact that no secret JSON is required and workload identity can be used: #146 (comment)
I'm using Workload identity authentication flow* and getting this error:
Creating a new Edit for this release
Error: Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).
I could not figure out what to add for the last step
I tried 3.iv. granting permissions to "Release to production", then I even tried giving the service account Admin permissions, but the same error persists. Is it still working on your end? Or is it due to the last step?
EDIT: Fixed by going to GCP's Workload Identity Federation - Workload Identity Pools - pool details - Grant Access and adding the service account there.
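An added example, not part of the issue thread or the project's own code: a small audit of the two IAM policies discussed above, flagging broad project roles on the publishing service account and checking that the Workload Identity pool is allowed to impersonate it. The service account, project number, pool and repository names are hypothetical, the policy JSON is constructed sample data, and the whole-pool check goes slightly beyond what the thread covers.

```python
import json

# Constructed sample data (not from the issue), in the shape printed by
# `gcloud projects get-iam-policy PROJECT --format=json` and
# `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`.
SA = "play-publisher@example-project.iam.gserviceaccount.com"  # hypothetical
POOL = ("principalSet://iam.googleapis.com/projects/123456789/locations/global/"
        "workloadIdentityPools/github-pool")  # hypothetical pool
PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/owner", "members": ["serviceAccount:%s"]},
  {"role": "roles/viewer", "members": ["user:dev@example.com"]}]}""" % SA)
SA_POLICY = json.loads("""{"bindings": [
  {"role": "roles/iam.workloadIdentityUser",
   "members": ["%s/attribute.repository/example-org/example-app"]}]}""" % POOL)

BROAD_ROLES = {"roles/owner", "roles/editor"}
WIF_ROLE = "roles/iam.workloadIdentityUser"


def audit(sa_email, project_policy, sa_policy, pool_prefix):
    """Return (level, message) findings for the publishing service account."""
    findings = []
    member = "serviceAccount:" + sa_email
    # 1. Project-level grants: the thread reports none are needed to publish.
    for b in project_policy.get("bindings", []):
        if member in b.get("members", []):
            level = "HIGH" if b["role"] in BROAD_ROLES else "REVIEW"
            findings.append((level, "project role %s on %s" % (b["role"], sa_email)))
    # 2. Impersonation grants on the service account itself.
    wif_members = [m for b in sa_policy.get("bindings", [])
                   if b["role"] == WIF_ROLE for m in b.get("members", [])
                   if m.startswith(pool_prefix + "/")]
    if not wif_members:
        # Same symptom as the error reported in the thread.
        findings.append(("ERROR", "no %s binding for this pool; expect "
                         "iam.serviceAccounts.getAccessToken denied" % WIF_ROLE))
    for m in wif_members:
        if m == pool_prefix + "/*":
            findings.append(("HIGH", "every identity in the pool may impersonate: " + m))
    return findings


if __name__ == "__main__":
    for level, msg in audit(SA, PROJECT_POLICY, SA_POLICY, POOL):
        print(level, msg)
```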