Reputation: 2128
We have separate GCP projects for "build" and "prod" environments. I would like to use Cloud Build for the "build" project to deploy a Cloud Function in the "prod" project, following the documentation.
Notably, I added the "Cloud Functions Developer" role to the build service account in the build project and the "IAM Service Account User" role to the [email protected] account, as noted in the docs and in this question. When running a build, I get:
ERROR: (gcloud.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[The caller does not have permission]
A simplified example of my cloudbuild.yaml is
steps:
  - name: 'gcr.io/cloud-builders/gcloud'
    args: ['source', 'repos', 'clone', 'a_mirrored_repo', '--project=build-xxxx']
  - name: 'gcr.io/cloud-builders/gcloud'
    args: ['functions', 'deploy', 'some_function', '--trigger-http', '--runtime', 'python37', '--project', 'prod-yyyy']
I am able to deploy my function to prod using the gsutil command line utility from my laptop, and I am able to use my cloudbuild.yaml to deploy this function to the build project. But I'm unsure what roles I need to assign to what accounts to enable the build project to deploy the Cloud Function to the prod project.
Upvotes: 4
Views: 3408
Reputation: 1575
If you want to deploy the function in the prod project then the Cloud Build service account of the build project must be added as a "Cloud Functions Developer" in the prod project. If I understand your description correctly, then you've set it in the build project.
Specifically: in the GCP console, in the prod project, under IAM > members add a new member named [build-project-id]@cloudbuild.gserviceaccount.com
and add the role "Cloud Functions Developer" to this member. At this point attempting to deploy may result in an error message:
ERROR: (gcloud.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[Missing necessary permission iam.serviceAccounts.actAs for [email protected] on project prod-xxxx.
Please grant [email protected] the roles/iam.serviceAccountUser role.
You can do that by running 'gcloud projects add-iam-policy-binding prod-xxxx [email protected] --role=roles/iam.serviceAccountUser'
The command suggested in the error message is slightly incorrect. The correct syntax is:
gcloud projects add-iam-policy-binding prod-xxxx --member='serviceAccount:[build-project-number]@cloudbuild.gserviceaccount.com' --role='roles/iam.serviceAccountUser'
Upvotes: 2
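The two grants the answer describes, as an added script that is not part of the question or answer: it binds the build project's Cloud Build service account in the prod project and then lists what that account holds there. It assumes gcloud is installed and authenticated as a prod-project owner, that the function runs as the prod App Engine default service account (the default runtime identity for Cloud Functions), and it uses placeholder project values; the actAs grant is placed on that runtime service account rather than project-wide so the build account cannot act as every service account in prod.

```shell
#!/usr/bin/env sh
# Added example, not the question's or answer's own code.
# Placeholder project values; override via the environment.
BUILD_PROJECT_NUMBER="${BUILD_PROJECT_NUMBER:-123456789012}"   # placeholder
PROD_PROJECT="${PROD_PROJECT:-prod-yyyy}"
# Cloud Build's service account is named by the project NUMBER, not the id.
BUILD_SA="${BUILD_PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"
# Assumption: the function runs as the prod App Engine default service account.
# Change this if the function is deployed with --service-account.
RUNTIME_SA="${PROD_PROJECT}@appspot.gserviceaccount.com"

# DRY_RUN=1 (the default) prints each gcloud command; DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

grant_bindings() {
  # Project-level: lets the build SA create and update functions in prod.
  run gcloud projects add-iam-policy-binding "$PROD_PROJECT" \
    --member="serviceAccount:${BUILD_SA}" \
    --role=roles/cloudfunctions.developer
  # Resource-level: actAs only on the runtime SA, not on every SA in prod.
  run gcloud iam service-accounts add-iam-policy-binding "$RUNTIME_SA" \
    --project="$PROD_PROJECT" \
    --member="serviceAccount:${BUILD_SA}" \
    --role=roles/iam.serviceAccountUser
}

# Check: list the project-level roles the build SA holds in prod. Expect only
# roles/cloudfunctions.developer; serviceAccountUser lives on the SA itself.
check_project_roles() {
  run gcloud projects get-iam-policy "$PROD_PROJECT" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${BUILD_SA}" \
    --format="value(bindings.role)"
}

grant_bindings
check_project_roles
```

Run it once with the default dry run to review the exact commands, then with `DRY_RUN=0` to apply them.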