I have a service account example@project-a.
In project-b, I have a Cloud Run job example, for which I have granted a resource-level IAM binding:

    gcloud run jobs get-iam-policy --project project-b example
    bindings:
    - members:
      - serviceAccount:[email protected]
      role: roles/run.developer

Prior to August 5, the following worked:

    gcloud run jobs update example \
      --region=example-region \
      --project=project-b \
      --image=example-image

Then suddenly, the deploy stopped working. I have not changed anything.

    ERROR: (gcloud.run.jobs.update) PERMISSION_DENIED: Permission 'run.jobs.update' denied on resource (or it may not exist).
    This command is authenticated as [email protected]

The same error exists with both gcloud CLI v486 and v484.
Also, I have a pre-production project project-c, where an identical deploy still works.
I have verified that there seemingly is no org-level or folder-level policy that should interfere with the deploy.
Also, running

    gcloud policy-troubleshoot iam --project project-b //run.googleapis.com/projects/project-b/locations/example-region/jobs/example [email protected] --permission=run.jobs.update

tells me:

    - access: GRANTED
      bindingExplanations:
      - access: GRANTED
        memberships:
          serviceAccount:[email protected]:
            membership: MEMBERSHIP_INCLUDED
            relevance: HIGH
        relevance: HIGH
        role: roles/run.developer
        rolePermission: ROLE_PERMISSION_INCLUDED
        rolePermissionRelevance: HIGH