Unable to deploy container images on Google Compute Engine

Question

I'm trying to deploy my container image on Compute Engine using cloudbuild.yaml but getting error. Below is my cloudbuild.yaml file content:

# gis-account-manager -> Project ID on GCP
steps:
# Build the Docker image.
- name: gcr.io/cloud-builders/docker
  args: ['build', '-t', 'gcr.io/gis-account-manager/ams', '-f', 'Dockerfile', '.']
  
# Push it to GCR.
- name: gcr.io/cloud-builders/docker
  args: ['push', 'gcr.io/gis-account-manager/ams']

# Deploy to Prod env (THIS STEP IS FAILING)
 - name: gcr.io/cloud-builders/gcloud
  args: [ 'compute', 'instances', 'update-container', 'instance-2-production' , '--container-image', 'gcr.io/gis-account-manager/ams:latest']
  
# Set the Docker image in Cloud Build
images: ['gcr.io/gis-account-manager/ams']

# Build timeout
timeout: '3600s'

Error:

Starting Step #2

Step #2: Already have image (with digest): gcr.io/cloud-builders/gcloud

Step #2: ERROR: (gcloud.compute.instances.update-container) Underspecified resource [instance-2-production]. Specify the [--zone] flag.

If I run the same command from Cloud SDK Sheel it works as expected.

PS: I've also tried by providing ZONE Flag.

Answer 1

I've solved this issue by authenticating via service account (First need to generate keys for Compute Engine Service Account).

Updated cloudbuild.yaml file:

# Deploy to GOOGLE COMPUTE ENGINE Prod env
- name: gcr.io/cloud-builders/gcloud
  args: [ 'auth', 'activate-service-account', '123456789-compute@developer.gserviceaccount.com', '--key-file=PATH_TO_FILE', '--project=${_PROJECT_ID}']
- name: gcr.io/cloud-builders/gcloud
  args: ['compute', 'instances', 'update-container', '${_VM_INSTANCE}' , '--container-image=gcr.io/${_PROJECT_ID}/ams:latest', '--zone=us-central1-a']

Answer 2

Cloud Build does not have enough permissions to execute the operation, hence you are receiving an error when operating on Cloud Build, but not when executing the same operation in gcloud command-line tool, which works differently.

I granted these Cloud Build Service Account and Cloud Build Service Agent with the Compute Admin role:

• [REDACTED]@cloudbuild.gserviceaccount.com`
• service-[REDACTED]@gcp-sa-cloudbuild.iam.gserviceaccount.com`

My cloudbuild.yaml looks identical to what you should have now:

    steps:
    - name: gcr.io/cloud-builders/gcloud
      args: [ 'config', 'set', 'compute/zone', 'YOUR_ZONE']
    - name: gcr.io/cloud-builders/gcloud
      args: [ 'compute', 'instances', 'update-container', '[YOUR_INSTANCE_NAME]' , '--container-image', 'gcr.io/gis-account-manager/ams:latest']

where [YOUR_ZONE] is your configured zone and [YOUR_INSTANCE_NAME] is the name of your instance.

I would recommend that you read on this Documentation for more information about Cloud Build service accounts permissions.

Answer 3

You need to specify your zone in gcloud compute command:

# Deploy to Prod env (THIS STEP IS FAILING)
 - name: gcr.io/cloud-builders/gcloud
  args: [ 'config', 'set', 'compute/zone', 'us-central1-a']
 - name: gcr.io/cloud-builders/gcloud
  args: [ 'compute', 'instances', 'update-container', 'instance-2-production' , '--container-image', 'gcr.io/gis-account-manager/ams:latest']

You need to to change asia-east1 by zone from this list. And since you are updating the container then the zone may be already specified.

You can write the command: gcloud compute zones list to list all available zones