Reputation: 2128
Correct permissions for Google Cloud Build to deploy a Cloudfunction in a separate project
We have separate GCP projects for "build" and "prod" environments. I would like to use Cloud Build for the "build" project to deploy a Cloud Function in the "prod" project, following the documentation.
Notably, I added the "Cloud Functions Developer" role to the build service account in the build project and the "IAM Service Account User" role to the PROJECT_ID@appspot.gserviceaccount.com account as noted in the docs and in this question, when running a build, I get:
ERROR: (gcloud.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[The caller does not have permission]
A simplified example of my cloudbuild.yaml is
steps:
- name: 'gcr.io/cloud-builders/gcloud'
args: ['source', 'repos', 'clone', 'a_mirrored_repo', '--project=build-xxxx']
- name: 'gcr.io/cloud-builders/gcloud'
args: ['functions', 'deploy', 'some_function', '--trigger-http', '--runtime', 'python37', '--project', 'prod-yyyy']
I am able to deploy my fucntion to prod using the gsutil command line utility from my laptop, and I am able to use my cloudbuild.yaml to deploy this function to the build project. But I'm unsure what roles I need to assign to what accounts to enable the build project to deploy the cloudfunction to the prod project.
Upvotes: 4
Views: 3408
Answers (1)
Reputation: 1575
If you want to deploy the function in the prod project then the Cloud Build service account of the build project must be added as a "Cloud Functions Developer" in the prod project. If I understand your description correctly, then you've set it in the build project.
Specifically: in the GCP console, in the prod project, under IAM > members add a new member named [build-project-id]@cloudbuild.gserviceaccount.com and add the role "Cloud Functions Developer" to this member. At this point attempting to deploy may result in an error message:
ERROR: (gcloud.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[Missing necessary permission iam.serviceAccounts.actAs for prod-xxxx@appspot.gserviceaccount.com on project prod-xxxx.
Please grant prod-xxxx@appspot.gserviceaccount.com the roles/iam.serviceAccountUser role.
You can do that by running 'gcloud projects add-iam-policy-binding prod-xxxx --member=prod-xxxx@appspot.gserviceaccount.com --role=roles/iam.serviceAccountUser'
The command suggested in the error message is slightly incorrect. The correct syntax is:
gcloud projects add-iam-policy-binding prod-xxxx --member='serviceAccount:[build-project-number]@cloudbuild.gserviceaccount.com' --role='roles/iam.serviceAccountUser'
Upvotes: 2
Related Questions
- ERROR: (gcloud.beta.functions.deploy) ... message=[The caller does not have permission]
- Unable to submit build to Cloud Build due to permissions error
- Proper permission for Cloud Build to deploy to Firebase?
- service account permission issue while deploying cloud function
- What roles do my Cloud Build service account need to deploy an http triggered unauthenticated Cloud Function?
- Google cloud run build permission denied
- Google Cloud Build - View logs permissions
- Deploying Google Cloud function from a Google Build
- GCP Cloud Build fails with permissions error even though correct role is granted
- Whats permissions are required to trigger a cloud build?