Fix SA changes

Author: Yesh

cicd-mcp-server/cloudbuild/cloudbuild.go

@@ -140,7 +140,6 @@ func setPermissionsForCloudBuildSA(ctx context.Context, projectID, serviceAccoun
 		"roles/run.developer",
 		"roles/serviceusage.serviceUsageConsumer",
 		"roles/storage.admin",
-		"roles/iam.serviceAccountUser",
 	}
 	for _, r := range gcbSARoles {
 		_, err := iamClient.AddIAMRoleBinding(ctx, fmt.Sprintf("projects/%s", projectID), r, resolvedSA)
@@ -174,6 +173,12 @@ func setPermissionsForCloudBuildSA(ctx context.Context, projectID, serviceAccoun
 		}
 	}
 
+	// 4. Grant the cloud build SA permissions to impersonate our p4sa.
+	_, err = iamClient.AddIAMRoleBinding(ctx, resolvedSA, "roles/iam.serviceAccountUser", gcbP4sa)
+	if err != nil {
+		return "", fmt.Errorf("unable to add iam.serviceAccountUser role to Cloud Build P4SA %s on SA %s err: %w", gcbP4sa, resolvedSA, err)
+	}
+
 	return resolvedSA, nil
 }