0

I am new to Python. I am deploying Python code to Google Cloud Run and I am getting an error.

Here is the terminal:

```
Deploying from source. To deploy a container use [--image]. See https://cloud.google.com/run/docs/deploying-source-code for more details.
Source code location (/Users/name/......):
Next time, use `gcloud run deploy --source .` to deploy the current directory.

Service name (google-cloud-run):
Please specify a region:
 [1] asia-east1
 ......
Please enter your numeric choice:  27

To make this the default region, run `gcloud config set run/region us-central1`.

This command is equivalent to running `gcloud builds submit --tag [IMAGE] /Users/name/......` and `gcloud run deploy google-cloud-run --image [IMAGE]`

Allow unauthenticated invocations to [google-cloud-run] (y/N)?  y

Building using Dockerfile and deploying container to Cloud Run service [google-cloud-run] in project [project-id] region [us-central1]
X Building and deploying new service... Building Container.
  ✓ Uploading sources...
  - Building Container... Logs are available at [https://console.cloud.google.com/cloud-build/builds/bdaf9cea-3e87-46e4-81f8-33b2675808f8?project=1044629281917].
  . Creating Revision...
  . Routing traffic...
  . Setting IAM Policy...
Deployment failed
ERROR: (gcloud.run.deploy) Build failed; check build logs for details
```

It looks like it fails in the build container.

When I check my logs, the error is: `denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/project-id/locations/us-central1/repositories/cloud-run-source-deploy" (or it may not exist).`

My code:

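```python
import os

from flask import Flask

app = Flask(__name__)


@app.route("/")
def hello_world():
    # Greeting target comes from the NAME environment variable.
    name = os.environ.get("NAME", "World")
    return "Hello {}!".format(name)


if __name__ == "__main__":
    # Runs only when the file is executed directly. debug=True enables the
    # Werkzeug debugger, so use this entry point for local development only.
    # Cloud Run supplies the listening port through PORT.
    app.run(debug=True, host="0.0.0.0", port=int(os.environ.get("PORT", 8080)))
```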

My Google Cloud IAM account roles:

  • Artifact Registry Administrator

  • Artifact Registry Reader

  • Artifact Registry Repository Administrator

  • Artifact Registry Writer

  • Cloud Build Editor

  • Cloud Run Admin

  • Container Registry Service Agent

  • Service Account Admin

  • Service Account User

  • Service Usage Admin

  • Service Usage Consumer

  • Source Repository Administrator

  • Source Repository Reader

  • Source Repository Writer

  • Storage Admin

  • Storage Object Admin

  • Viewer

How can I fix this error? Appreciate if someone can advise. Thank you in advance!

My Car

1 Answer

0

This Quickstart explains how to deploy a Python service on Cloud Run.

As mentioned here in the doc:

Important: This quickstart assumes that you have owner or editor roles in the project you are using for the quickstart. Otherwise, refer below for the permissions required information.

1: Cloud Run deployment permissions

A user needs the following permissions to deploy new Cloud Run services or revisions:

  • run.services.create and run.services.update on the project level are required. run.services.get is not strictly required, but is recommended in order to read the status of the created service. Typically assigned through the roles/run.admin role. It can be changed in the project permissions admin page.

  • iam.serviceAccounts.actAs for the Cloud Run runtime service account. By default, this is PROJECT_NUMBER-compute@developer.gserviceaccount.com. The permission is typically assigned through the roles/iam.serviceAccountUser role.

2: Cloud Build permissions

With IAM, every API method in Cloud Build API requires that the identity making the API request has the appropriate permissions to use the resource.

Permissions are granted by setting policies that grant roles to a principal (user, group, or service account). You can grant multiple roles to a principal on the same resource.

3: Artifact Registry permissions

Grant an Identity and Access Management (IAM) permission by granting a role that includes the permission. Use the Artifact Registry roles to control access to your repositories. You can grant permissions at the project or repository level.

Although you can use the basic roles of Owner, Editor, and Viewer to grant access to repositories, using the Artifact Registry roles enables you to apply the security principle of least privilege, so that users and service accounts only have the permissions that are required.

You can refer to this doc and make sure you have followed the mentioned 4 steps to authenticate to Artifact Registry.

If the issue still persists: as I can see you have already created a public issue tracker entry, we recommend contacting Google support, raising a ticket and providing the project-specific details so that the issue can be resolved easily.

Divyani Yadav
  • Hi Divyani Yadav, thanks for your reply. I still get the error message when adding permissions. – My Car Sep 22 '22 at 12:45
  • @My Car I have edited my answer; can you check whether it is helpful by following these steps in the doc [here](https://cloud.google.com/artifact-registry/docs/docker/authentication#gcloud-helper)? – Divyani Yadav Sep 22 '22 at 13:16
  • I created the key file, what should I replace with "KEY-FILE" in the command? – My Car Sep 22 '22 at 13:27
  • Replace "Key-file" with the JSON key file that you have created with the help of this [doc](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating). – Divyani Yadav Sep 23 '22 at 07:12
  • What does "replace "Key-file" with json key file" mean, is it to replace "KEY-FILE" with the name of the json key file? – My Car Sep 23 '22 at 07:15
  • @MyCar yes , in the same way – Divyani Yadav Sep 23 '22 at 08:38
  • Error replacing "KEY-FILE" with the name of the json key file: ERROR: (gcloud.auth.activate-service-account) Unable to read file [name-of-the-json-key-file]: [Errno 2] No such file or directory: 'name-of-the-json-key-file' – My Car Sep 23 '22 at 08:52
  • Try to follow this [1](https://stackoverflow.com/a/67498627/15774176) or [2](https://stackoverflow.com/a/43047320/15774176). – Divyani Yadav Sep 23 '22 at 09:17
  • I don't get this error when using way 1. – My Car Sep 23 '22 at 09:24
  • I get the error: `ERROR: (gcloud.run.deploy) User [my-account] does not have permission to access projects instance [project-id] (or it may not exist): Permission 'run.locations.list' denied on resource 'projects/project-id' (or resource may not exist).`. – My Car Sep 23 '22 at 09:32
  • Try to see this [1](https://cloud.google.com/run/docs/troubleshooting#deleted-default-service-account) and [2](https://stackoverflow.com/a/62783880/15774176); have you missed the service account? – Divyani Yadav Sep 23 '22 at 09:36
  • I solved this problem by adding "Cloud Run Admin" role. – My Car Sep 23 '22 at 09:38
  • But I get another error: `ERROR: (gcloud.run.deploy) The user is forbidden from accessing the bucket [project-id_cloudbuild]. Please check your organization's policy or if the user has the "serviceusage.services.use" permission` – My Car Sep 23 '22 at 09:40
  • How can I fix this error? I can't find a solution for now. – My Car Sep 23 '22 at 09:42
  • see [this](https://stackoverflow.com/q/70886335/15774176) once. – Divyani Yadav Sep 23 '22 at 09:43
  • I get the first error again, `denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource`. – My Car Sep 23 '22 at 09:52
  • Let me reproduce this issue once and I will get back to you. Try to see the documentation; it's due to the permission. – Divyani Yadav Sep 23 '22 at 09:57
  • Hi Divyani Yadav, is there any progress? – My Car Sep 27 '22 at 05:44
  • @MyCar hey, I reproduced the issue and I am able to deploy the service successfully. Have you tried again? And what error did you get recently? – Divyani Yadav Sep 27 '22 at 08:56
  • I try to add some roles to IAM account. I edited and displayed the role of the IAM account 2 hours ago, but the error persists – My Car Sep 27 '22 at 08:59
  • error message is same as mentioned in the question? – Divyani Yadav Sep 27 '22 at 09:00
  • Yes, you are right – My Car Sep 27 '22 at 09:00
  • Sure, let me check the IAM roles mentioned in the question once. – Divyani Yadav Sep 27 '22 at 09:02
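
IAM evaluates permissions per principal, so the roles listed for one account say nothing about what another user or service account can do; the sketch below checks, for a named member, whether any project-level binding carries the permission from the error message, and separates conditional grants from unconditional ones. This is an added example, not code from the question or the answer: the policy, the member names and the partial role list are constructed assumptions, and it does not look at repository-level policies or expand groups.

```python
import json

NEEDED = "artifactregistry.repositories.downloadArtifacts"

# Assumption: partial list of predefined roles that include NEEDED; confirm
# each one with `gcloud iam roles describe ROLE` before relying on it.
ROLES_GRANTING = {NEEDED: {
    "roles/artifactregistry.reader",
    "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.admin",
}}

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`; members are placeholders.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/artifactregistry.admin", "members": ["user:dev@example.com"]},
  {"role": "roles/run.admin", "members": ["user:dev@example.com"]},
  {"role": "roles/artifactregistry.reader",
   "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"],
   "condition": {"title": "expired",
                 "expression": "request.time < timestamp('2022-01-01T00:00:00Z')"}},
  {"role": "roles/logging.logWriter",
   "members": ["serviceAccount:builder@example-project.iam.gserviceaccount.com"]}
]}
""")


def grants_for(policy, member, permission=NEEDED):
    """Return (unconditional_roles, conditional_roles) giving permission to member."""
    always, conditional = [], []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in ROLES_GRANTING[permission]:
            continue
        if member not in binding.get("members", []):
            continue
        # A binding with a condition only applies while its expression is true.
        (conditional if "condition" in binding else always).append(binding["role"])
    return sorted(always), sorted(conditional)


def verdict(policy, member, permission=NEEDED):
    """Classify the member as 'granted', 'conditional' or 'missing'."""
    always, conditional = grants_for(policy, member, permission)
    return "granted" if always else "conditional" if conditional else "missing"


if __name__ == "__main__":
    for b in SAMPLE_POLICY["bindings"]:
        for m in b["members"]:
            print(m, verdict(SAMPLE_POLICY, m))
```
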