15

I am the owner of a project and want to give permissions to another user to view logs of Google Cloud Build, but I cannot figure out which role / permission this user needs.


Roles I've unsuccessfully tried are: Cloud Build Editor, Cloud Build Viewer, Stackdriver Debugger Agent, Stackdriver Debugger User, Cloud Trace Admin, Logging Admin, Private Logs Viewer, Logs Viewer, Monitoring Admin

Lyubomir
  • There is something missing from your problem. Viewer, Logs Viewer and Private Logs Viewer provide the necessary permissions. Logs Viewer is the correct role to add to the user. Give the user Logs Viewer. Can the user then go to Stackdriver and see the logs for Cloud Build directly? – John Hanley May 29 '19 at 14:22
  • I'm stumped by this too. Users can see the build log output in Stackdriver but not in the build details. The download link also throws a 403 Forbidden. – taisph Jul 03 '19 at 13:38
  • Maybe a Gcloud bug? I haven't resolved it either ;( – Lyubomir Jul 03 '19 at 13:40
  • Try this: `gsutil iam ch user:mail@example.com:objectViewer gs://.cloudbuild-logs.googleusercontent.com` – taisph Jul 03 '19 at 14:12
  • Did it work out for you? I will try these days, because now our setup is a bit different – Lyubomir Jul 03 '19 at 14:40
  • It was just a hunch as that's the bucket that Cloud Build puts logs in by default. I found out I could access the bucket and see the logs through https://console.cloud.google.com/storage/browser/project-number.cloudbuild-logs.googleusercontent.com?project=project-id so I was hoping granting objectview access to the bucket would allow the user to see those logs. Doesn't seem like I'm allowed to do that though. – taisph Jul 04 '19 at 07:36

2 Answers

20

Google Cloud enterprise support confirmed to me that the only role that currently grants this is the project-level Viewer permission (or Editor/Owner).

One workaround is to set the `--gcs-log-dir` flag when submitting a build to a bucket you control (rather than the default Google-managed `gs://[PROJECT_NUMBER].cloudbuild-logs.googleusercontent.com/` bucket).

They're tracking making a more granular permission in this feature request: https://issuetracker.google.com/issues/134928412, which you can subscribe to updates on.

Sophie Alpert
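The `--gcs-log-dir` workaround from the answer above, written out as an added example (not code from the original posts): it creates a log bucket the project owns, grants one user read-only access to that bucket instead of project-level Viewer, and submits the build with logs directed there. The project ID, bucket name and e-mail are placeholders, and it assumes the identity that runs the build can write objects to the bucket; by default it only prints the commands.

```bash
#!/usr/bin/env bash
# Added example. my-project, my-build-logs and dev@example.com are placeholders.
# Assumption: the identity that runs the build can write objects to the bucket.
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The comments above report that IAM on the default Google-managed log bucket
# could not be changed, so only accept a bucket the project owns.
is_managed_bucket() {
  case "$1" in
    *.cloudbuild-logs.googleusercontent.com*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: grant_build_log_access PROJECT_ID BUCKET USER_EMAIL
grant_build_log_access() {
  if is_managed_bucket "$2"; then
    echo "refusing Google-managed bucket: $2" >&2
    return 1
  fi
  # Uniform bucket-level access (-b on) keeps IAM as the only access path.
  run gsutil mb -p "$1" -b on "gs://$2" || return 1
  # Read-only on this one bucket instead of project-level Viewer.
  run gsutil iam ch "user:$3:objectViewer" "gs://$2" || return 1
  # Print the resulting policy so the grant can be reviewed.
  run gsutil iam get "gs://$2"
}

# Usage: submit_build PROJECT_ID BUCKET   (run from the source directory)
submit_build() {
  if is_managed_bucket "$2"; then return 1; fi
  run gcloud builds submit --project "$1" --gcs-log-dir "gs://$2/logs" .
}

# Dry-run walk-through with the placeholder values.
grant_build_log_access my-project my-build-logs dev@example.com
submit_build my-project my-build-logs
```

Set `DRY_RUN=0` to execute the commands instead of printing them.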
1

If you add the project viewer role then this will resolve the issue. But it seems like this is an issue (or maybe a feature request: to add the necessary permission to the Logs Viewer so that logs outside of the Stackdriver logging page can be viewed in other UIs as well). Looking at the documentation, it says "roles/viewer (Project Viewer) gives members the same permissions as roles/logging.viewer at the project level.", which means that just assigning the Logs Viewer should have given the user the necessary permission to view the logs in the Cloud Build UI.

Christopher