
Excessive permissions recommended? #224

Closed
lacop11 opened this issue Jun 21, 2024 · 3 comments · Fixed by #225

lacop11 (Contributor) commented Jun 21, 2024

Hey, I wonder why the instructions suggest giving the service account "owner" on the project. That is very unsafe and is excessive.

I actually got this working without any permissions at all - as far as I can tell the service account just needs to be added in Play Store to have permissions to publish the app, but on GCP IAM level no permissions are required. Maybe that is for features I'm not using?

I would recommend updating the README to not ask people to just give such broad permissions to the account. Happy to send a PR if you agree.

Additionally I would highlight the fact no secret json is required and workload identity can be used: #146 (comment)

@lacop11 lacop11 added the bug Something isn't working label Jun 21, 2024
boswelja (Collaborator) commented
Seems reasonable, as long as we are 100% sure it works fine without

lacop11 (Contributor, Author) commented Jun 24, 2024

Works without problems in my testing, and the API docs only ask you to give the service account permissions within Google Play Console, not in GCP: https://developers.google.com/android-publisher/getting_started#service-account

albnok commented Feb 10, 2025

I'm using Workload identity authentication flow* and getting this error:

Creating a new Edit for this release
Error: Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).

I tried 3.iv. granting permissions to "Release to production", then I even tried giving the service account Admin permissions, but the same error persists. Is it still working on your end? Or is it due to the last step?

EDIT: Fixed by going to GCP's Workload Identity Federation - Workload Identity Pools - pool details - Grant Access and added the service account there.
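Added example (not from this issue or the action's own documentation): a GitHub Actions job that authenticates to GCP through Workload Identity Federation, so no service-account key JSON is stored as a secret and the service account holds no project-level IAM role, together with the single IAM binding that resolves the `iam.serviceAccounts.getAccessToken` error above. PROJECT_ID, PROJECT_NUMBER, POOL_ID, PROVIDER_ID, OWNER/REPO and the service-account e-mail are placeholders, and the final step calls the Play Developer API directly with curl rather than naming any inputs of the upload action.

```yaml
# Added example: least-privilege Workload Identity Federation for Play publishing.
# Placeholders: PROJECT_ID, PROJECT_NUMBER, POOL_ID, PROVIDER_ID, OWNER/REPO.
#
# One-time binding on the SERVICE ACCOUNT (not Owner on the project). This is
# what "Grant Access" on the Workload Identity Pool page creates. Without it,
# the federated identity cannot impersonate the account and the job fails with
# "Permission 'iam.serviceAccounts.getAccessToken' denied". Assumes the pool
# provider maps attribute.repository=assertion.repository.
#
#   gcloud iam service-accounts add-iam-policy-binding \
#     play-publisher@PROJECT_ID.iam.gserviceaccount.com \
#     --role="roles/iam.workloadIdentityUser" \
#     --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.repository/OWNER/REPO"
#
# Publishing rights are granted to the service account inside Google Play
# Console (Users and permissions), not in GCP IAM.

name: release
on:
  push:
    tags: ['v*']

permissions:
  contents: read
  id-token: write   # lets the job request the OIDC token that WIF exchanges

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID'
          service_account: 'play-publisher@PROJECT_ID.iam.gserviceaccount.com'
          token_format: 'access_token'   # short-lived token, no key file on disk

      # Same first API call the action makes ("Creating a new Edit"): if the
      # binding above is missing, the auth step fails before this runs.
      - name: Open a Play edit
        env:
          TOKEN: ${{ steps.auth.outputs.access_token }}
        run: |
          curl --fail -sS -X POST \
            -H "Authorization: Bearer ${TOKEN}" \
            -H "Content-Length: 0" \
            "https://androidpublisher.googleapis.com/androidpublisher/v3/applications/com.example.app/edits"
```

The access token expires on its own and the job never sees a long-lived credential, so there is nothing to rotate or leak if the workflow logs are exposed.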
