gcloud build. <service account> does not have storage.objects.get access to the Google Cloud Storage object

Question

When I run this in cmd line:

gcloud builds submit --tag "gcr.io/<project id>/<cloudrun app name>"

I get this error:

ERROR: (gcloud.builds.submit) HTTPError 403: <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>[service accoun name]@[project-id].iam.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object.</Details></Error>

Here are the roles I've assigned to the Service account (yes, its overkill, just trying to get it to work):

I've tried these solutions, but they haven't worked:

• service account does not have storage.objects.get access for Google Cloud Storage
• (gcloud.app.deploy) HTTPError 403: <account> does not have storage.objects.get access to the Google Cloud Storage object
• What scopes / roles are required for a service account to be able to submit container builder jobs?

What am I doing wrong?

Answer 1

Have you tried creating a new service with a prebuilt demo container from the web console like described here?

We got the same error ("... does not have storage.objects.get access ...") initially, but it worked once we created a first demo service using the Google Cloud Console.

Answer 2

Hello I had the same issue. Solved it by adding the role "Viewer" to my service account as explained here : https://github.com/google-github-actions/setup-gcloud/issues/105

Answer 3

Could you please confirm that you are using the default service account to trigger your build? If you are using a different service account to trigger the build, use the similar role which your default service account has as well.

Make sure you have the following roles for the service account:

1. Cloud Build Service account
2. Service Account User
3. Cloud Run Admin

You can change the permissions from the Cloud Build Settings page.

Then try running your builds again.