16

Assume I have a cloudbuild.yaml file like the one below. Also assume that I can run and deploy the container in question manually when using gcloud for the separate functionalities (building and running).

When deploying, the third step is resulting in the error ERROR: (gcloud.run.deploy) PERMISSION_DENIED: The caller does not have permission

steps:
# Build the container image
- name: 'gcr.io/cloud-builders/docker'
  args: ['build', '-t', 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA', '.']
# Push the image to Container Registry
- name: 'gcr.io/cloud-builders/docker'
  args: ['push', 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA']
# Deploy image to Cloud Run
- name: 'gcr.io/cloud-builders/gcloud'
  args:
  - 'run'
  - 'deploy'
  - '[SERVICE_NAME]'
  - '--image'
  - 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA'
  - '--region'
  - '[REGION]'
  - '--platform'
  - 'managed'
images:
- gcr.io/[PROJECT_ID]/[IMAGE]

derekbaker783

6 Answers

33

See the docs at:

https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#before_you_begin

You need to follow the steps available there:

  1. Grant the Cloud Run Admin role to the Cloud Build service account:

    • In the Cloud Console, open the Cloud Build Settings page.

    • Locate the row with the Cloud Run Admin role and set its Status to ENABLED.

    • In the Additional steps may be required pop-up, click Skip.

  2. Grant the IAM Service Account User role to the Cloud Build service account on the Cloud Run runtime service account:

    • In the Cloud Console, open the Service Accounts page.

    • In the list of members, locate and select [PROJECT_NUMBER]-compute@developer.gserviceaccount.com. This is the Cloud Run runtime service account.

    • Click SHOW INFO PANEL in the top right corner.

    • In the Permissions panel, click the Add Member button.

    • In the New member field, enter the email address of the Cloud Build service account. This is of the form [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com. Note: The email address of Cloud Build service account is different from that of Cloud Run runtime service account.

    • In the Role dropdown, select Service Accounts, and then Service Account User.

    • Click Save.


In my case, the @cloudbuild account wasn't showing up in the IAM suggestions in step 2, but if you perform step 1, and run your build, the error message will change to something similar to the redacted message below, which contains the account you need.

ERROR: (gcloud.run.deploy) User [<SOME_NUMBER_HERE>@cloudbuild.gserviceaccount.com] does not have permission to access namespace [<YOUR_PROJECT_ID>] (or it may not exist): Permission 'iam.serviceaccounts.actAs' denied on service account <SOME_OTHER_NUMBER_HERE>-compute@developer.gserviceaccount.com (or it may not exist).
derekbaker783
  • 4
    This is correct. Tldr: Basically the “deployer” (in this case cloudbuild service account) MUST have “Act as” permission on the service account that the Cloud Run app being deployed will use (to prevent privilege escalation). – ahmet alp balkan Jul 07 '20 at 22:37
  • 1
    Anyone happen to know how to do this on the command line using `gcloud`? – Trevor Apr 26 '21 at 22:35
  • 2
    @Trevor I think this works: gcloud run services add-iam-policy-binding [CLOUD_RUN_SERVICE_NAME] \ --member=serviceAccount:[CLOUD BUILD SERVICE ACCOUNT EMAIL] \ --role=roles/run.admin \ gcloud iam service-accounts add-iam-policy-binding [SERVICE ACCOUNT THAT CLOUD RUN RUNS AS] \ --member=serviceAccount:[CLOUD BUILD SERVICE ACCOUNT] \ --role roles/iam.serviceAccountUser --project=$PROJECT \ --region=$REGION – Joe Edgar Jun 11 '21 at 17:35
  • 1
    this was so helpful, just want to say thanks! – hzhang Jul 13 '21 at 14:09
  • 1
    Worked for me. I only followed step one and it appears to have fixed my problem. – wandesky Oct 31 '21 at 10:55
5

I'm using Firebase Functions to deploy a new Cloud Run instance via Cloud Build so I had to also add Cloud Build Service Account permission to my service account used in my functions (in addition to following @derekbaker783's answer)


cormacncheese
4

To do this via the gcloud CLI:

# Step 1: let the Cloud Build service account deploy to the Cloud Run service
gcloud run services add-iam-policy-binding [CLOUD_RUN_SERVICE_NAME] \
  --member=serviceAccount:[CLOUD_BUILD_SERVICE_ACCOUNT_EMAIL] \
  --role=roles/run.admin \
  --project=$PROJECT \
  --region=$REGION

# Step 2: let it act as the runtime service account (iam.serviceaccounts.actAs);
# service accounts are not regional, so this command takes no --region flag
gcloud iam service-accounts add-iam-policy-binding [SERVICE_ACCOUNT_THAT_CLOUD_RUN_RUNS_AS] \
  --member=serviceAccount:[CLOUD_BUILD_SERVICE_ACCOUNT_EMAIL] \
  --role=roles/iam.serviceAccountUser \
  --project=$PROJECT
Joe Edgar
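A pre-flight check that covers both the accepted answer's two steps and the gcloud commands in the answer above, as an added example (it is not code from the question, from any answer, or from gcloud). It assumes you have already exported the project IAM policy with gcloud projects get-iam-policy PROJECT_ID --format=json and the runtime service account's policy with gcloud iam service-accounts get-iam-policy RUNTIME_SA --format=json. The project ID, account names, policy contents and etags in the block are constructed, and parse_actas_error, members_with_role, missing_bindings and remediation are helper names I chose. The Cloud Run Admin binding is checked and granted at project level, the scope the Settings-page toggle in step 1 uses; a binding on one existing service cannot cover creating a service that does not exist yet.

```python
"""Pre-flight check for a Cloud Build -> Cloud Run deploy (added example).

Inputs are the two IAM policies the accepted answer's steps modify, in the
JSON shape printed by `gcloud ... get-iam-policy --format=json`.
"""
import json
import re

RUN_ADMIN = "roles/run.admin"              # step 1: deploy permission
SA_USER = "roles/iam.serviceAccountUser"   # step 2: iam.serviceaccounts.actAs

# Matches both error shapes quoted on the page: with a leading "User [...]"
# (accepted answer) and without it (the GitHub Actions answer).
ACTAS_RE = re.compile(
    r"(?:User \[(?P<deployer>[^\]]+)\].*?)?"
    r"Permission 'iam\.serviceaccounts\.actAs' denied on service account "
    r"(?P<runtime_sa>[^\s(]+)"
)


def parse_actas_error(message):
    """(deployer, runtime_sa) from an actAs error, or None if it is not one.

    deployer is None when the message does not name the caller.
    """
    m = ACTAS_RE.search(message)
    if not m:
        return None
    return m.group("deployer"), m.group("runtime_sa")


def members_with_role(policy, role):
    """Members granted `role` by unconditional bindings of an IAM policy.

    Bindings that carry a "condition" are skipped on purpose: whether they
    apply depends on the request, so they are not counted as granted here.
    """
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            members.update(binding.get("members", []))
    return members


def missing_bindings(project_policy, runtime_sa_policy, build_sa):
    """Roles the Cloud Build service account still lacks for the deploy.

    run.admin is checked on the project. actAs is satisfied either by
    iam.serviceAccountUser on the runtime service account (the scope the
    accepted answer uses) or by that role on the whole project, which also
    works but lets the builder act as every service account in the project.
    """
    member = "serviceAccount:" + build_sa
    missing = []
    if member not in members_with_role(project_policy, RUN_ADMIN):
        missing.append(RUN_ADMIN)
    has_actas = (member in members_with_role(runtime_sa_policy, SA_USER)
                 or member in members_with_role(project_policy, SA_USER))
    if not has_actas:
        missing.append(SA_USER)
    return missing


def remediation(project_id, build_sa, runtime_sa, missing):
    """gcloud commands that add exactly the bindings reported missing."""
    member = "serviceAccount:" + build_sa
    cmds = []
    if RUN_ADMIN in missing:
        cmds.append(f"gcloud projects add-iam-policy-binding {project_id} "
                    f"--member={member} --role={RUN_ADMIN}")
    if SA_USER in missing:
        cmds.append(f"gcloud iam service-accounts add-iam-policy-binding "
                    f"{runtime_sa} --member={member} --role={SA_USER} "
                    f"--project={project_id}")
    return cmds


# --- constructed sample data, not taken from a real project ----------------
PROJECT_ID = "my-project"
BUILD_SA = "123456789012@cloudbuild.gserviceaccount.com"
RUNTIME_SA = "123456789012-compute@developer.gserviceaccount.com"

# State after step 1 only: run.admin granted, nothing on the runtime SA yet.
PROJECT_POLICY_AFTER_STEP_1 = {
    "version": 1, "etag": "BwXa1b2c3d4=",
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:" + BUILD_SA]},
        {"role": RUN_ADMIN, "members": ["serviceAccount:" + BUILD_SA]},
    ],
}
RUNTIME_SA_POLICY_EMPTY = {"etag": "ACAB", "bindings": []}

# The redacted message from the accepted answer, with the constructed numbers.
SAMPLE_ERROR = (
    "ERROR: (gcloud.run.deploy) User [" + BUILD_SA + "] does not have "
    "permission to access namespace [" + PROJECT_ID + "] (or it may not "
    "exist): Permission 'iam.serviceaccounts.actAs' denied on service "
    "account " + RUNTIME_SA + " (or it may not exist)."
)

if __name__ == "__main__":
    deployer, runtime_sa = parse_actas_error(SAMPLE_ERROR)
    missing = missing_bindings(PROJECT_POLICY_AFTER_STEP_1,
                               RUNTIME_SA_POLICY_EMPTY, deployer)
    print("missing:", json.dumps(missing))
    for cmd in remediation(PROJECT_ID, deployer, runtime_sa, missing):
        print(cmd)
```

Run against the constructed data it reports only roles/iam.serviceAccountUser missing and prints the single gcloud iam service-accounts add-iam-policy-binding command for the runtime account, which is the state wandesky's comment describes after doing step 1 alone. Conditional bindings are deliberately not counted, so a policy that grants the role only under an expired condition is reported as missing rather than silently passing.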
0

In case you verify your service accounts/roles and everything seems fine, you can also initialize the gcloud SDK. In my case I was dealing with that error because, after I installed the gcloud SDK and logged in, I never initialized it, so options like project, account/service account, etc. were not set properly. After I ran the gcloud init command and set every option, it started to work.

Pavul Zavala
0

Note that if your deploy step references other services (for instance, my cloudbuild.yaml copies DAGs and data to Google Cloud Composer), you'll need to grant the relevant roles to [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com as well; in my case, that was the Composer Worker role.

Grayson
0

I was getting:

ERROR: (gcloud.run.deploy) PERMISSION_DENIED: Permission 'iam.serviceaccounts.actAs' denied on service account *** (or it may not exist).

In my case, since I was using GitHub Actions to deploy it, I had to add Cloud Deploy Service Agent as a role to my Service Account for it to work.

Leonardo Barbosa