Cloud Build + Cloud Run Errors

When deploying my newly jibized application to Google Cloud Run via Google Cloud Build I was plagued with a seemingly simple error that took me much longer to figure out than it should have.

ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission

I wasn't getting the error when using the cloud-build-local CLI command.  So, being the simple genius I am, surmized it must be a permission issue on the agent running the task. 

The first thing I did was go into IAM, find the ${ProjectId}@cloudbuild.gserviceaccount.com service account and give it the Cloud Run Admin role.  Easy enough, rerun and it will work.....

Or, in my case, get a new error:

Starting Step #2
Step #2: Already have image (with digest): gcr.io/cloud-builders/gcloud
Step #2: Deploying container to Cloud Run service [catalog-service-jib] in project [my-project-name] region [us-east1]
Step #2: Deploying...
Step #2: failed
Step #2: Deployment failed
Step #2: ERROR: gcloud crashed (KeyError): u'details'
Step #2: 
Step #2: If you would like to report this issue, please run the following command:
Step #2: gcloud feedback
Step #2: 
Step #2: To check gcloud for common problems, please run the following command:
Step #2: gcloud info --run-diagnostics
Finished Step #2
ERROR
ERROR: build step 2 "gcr.io/cloud-builders/gcloud" failed: exit status 1

From this I can assume that I got the right user as I got a new error....But it doesn't solve my actual problem of not being able to deploy my app via Cloud Build.

Playing around, taking some wild guesses, screwing up some permissions I decided to finally succomb and ask the Google Machine what was going on.  Within a few click I had track down the missing role: Service Account User - Which even after reading still hurt my head but it was a little late, and I was tired.

Adding that magic role allowed my container to deploy and start (and fail do a credentails file I have to inject into mty container but dont want to check in to my repo.....but that's a problem for another time)

Takeaways I want to follow up on:
1. Service Account User Role
2. How to run a command as a specific user - name when I get an error during cloud build how can I run somethng as the cloud build agent account
    - this would be especially helpful if I coudl do this from cloud shell