I'm running a bash script from Cloud Build. The bash script is gonna export DNS records to a file.

```bash
gcloud dns record-sets export zonedump-$i.tmp --zone-file-format --project $projectname --zone=$i
```

The service account of Cloud Build has `roles/dns.reader`.

I get this error when I run cloudbuild:

```
ERROR: (gcloud.dns.record-sets.export) HTTPError 403: Forbidden
Finished Step #3
ERROR
ERROR: build step 3 "gcr.io/google.com/cloudsdktool/cloud-sdk" failed: step exited with non-zero status: 1
```

cloudbuild.yaml

```yaml
steps:
- name: 'bash'
  args: ['echo', 'Backing up DNS zone to Storage!']
- name: 'bash'
  args: ['ls']
- name: 'bash'
  args: ['chmod', '+x', 'scripts/dnszone_backup.bash']
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
  entrypoint: "bash"
  args:
    - "-c"
    - |
      echo "calling script"
      ls -la
      gcloud version
      scripts/dnszone_backup.bash
```

I would appreciate it if someone could help me with this.

Matrix
  • I suspect `gcloud` is not authenticated. `gcloud dns record-sets export` is the only command that requires authentication but I think any other would fail too. Perhaps try removing `scripts/dnszone_backup.bash`, that should then work. Then try adding `gcloud auth list` or `gcloud projects list` or some other command requiring auth. You also show 2 different container images. In the error `gcr.io/cloud-builders/gcloud` but in your script `gcr.io/google.com/cloudsdktool/cloud-sdk`. – DazWilkin Sep 05 '22 at 16:15
  • The [documentation](https://github.com/GoogleCloudPlatform/cloud-builders/tree/master/gcloud) suggests the former uses the Cloud Build Service Account automatically but the latter requires auth. See [Usage](https://github.com/GoogleCloudPlatform/cloud-sdk-docker#usage) – DazWilkin Sep 05 '22 at 16:15

1 Answer

I needed to activate the "Cloud Build API".

I found it by testing via `gcloud dns record-sets list`, where I got a clear error message about activating this API.

Matrix
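The two checks this thread arrives at (is `gcloud` authenticated in the step, and are the needed APIs enabled) can run as a preflight before the export so the build fails with a specific reason instead of a bare 403. This is an added example, not code from the question or answer; the function names, return codes and the `REQUIRED_APIS` list are assumptions, and the build's service account is assumed to be allowed to list enabled services.

```shell
#!/usr/bin/env bash
# Added example: preflight checks before `gcloud dns record-sets export` in a build step.
# Assumption: these are the APIs the backup needs; adjust the list for your project.
REQUIRED_APIS="dns.googleapis.com cloudbuild.googleapis.com"

# Print the account gcloud will use; fail if no account is active.
active_account() {
  local acct
  acct=$(gcloud auth list --filter="status:ACTIVE" --format="value(account)" 2>/dev/null) || return 1
  [ -n "$acct" ] && printf '%s\n' "$acct"
}

# Print the required APIs that are not enabled on the project.
# Returns 0 if none are missing, 1 if some are, 2 if the listing itself failed.
missing_apis() {
  local project="$1" enabled api missing=""
  enabled=$(gcloud services list --enabled --project "$project" \
              --format="value(config.name)" 2>/dev/null) || return 2
  for api in $REQUIRED_APIS; do
    printf '%s\n' "$enabled" | grep -qxF "$api" || missing="$missing $api"
  done
  [ -z "$missing" ] && return 0
  printf '%s\n' "${missing# }"
  return 1
}

# Returns 0 when the step is ready, 10 for no identity, 11 for disabled APIs,
# 12 when the service list could not be read (often a permission problem itself).
preflight() {
  local project="$1" acct missing rc
  if ! acct=$(active_account); then
    echo "preflight: no active gcloud account in this step" >&2
    return 10
  fi
  echo "preflight: running as $acct" >&2
  missing=$(missing_apis "$project") && rc=0 || rc=$?
  case "$rc" in
    0) return 0 ;;
    1) echo "preflight: APIs not enabled on $project: $missing" >&2; return 11 ;;
    *) echo "preflight: could not list services on $project" >&2; return 12 ;;
  esac
}

# Usage in the build step: preflight "$projectname" && scripts/dnszone_backup.bash
```
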