maximeSurmontSO

Reputation: 339

GCP - Cloud Run : "Error: The user is forbidden from accessing the bucket"

I am writing a GitHub Action to deploy my application to GCP's "Cloud Run" service.

name: Deploy to production

on:
  push:
    branches:
      - master

env:
  PROJECT_ID: XXX
  SERVICE_NAME: XXX
  RUN_REGION: XXX
  PACKAGE_VERSION: XXX

permissions:
  contents: read
  id-token: write

jobs:
  deployment-job:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v2
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: XXX
          service_account: XXX
      - name: Deploy to Cloud Run
        uses: google-github-actions/deploy-cloudrun@v0
        with:
          service: ${{ env.SERVICE_NAME }}
          source: gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE_NAME }}:${{ env.PACKAGE_VERSION }} # equivalent to "gcloud builds submit ..."
          region: ${{ env.RUN_REGION }}
          tag: ${{ env.PACKAGE_VERSION }}

I run into this error:

ERROR: (gcloud.beta.run.deploy) The user is forbidden from accessing the bucket [XXX]. Please check your organization's policy or if the user has the "serviceusage.services.use" permission

I tried to add this permission to my service account, but I am still running into the same error:

gcloud projects add-iam-policy-binding XXX --member=serviceAccount:XXX --role=roles/serviceusage.serviceUsageAdmin

I set up the Workload Identity Federation from this tutorial.

Upvotes: 4

Views: 4614

Answers (3)

zabop

Reputation: 7852

Adding the roles roles/storage.admin and roles/cloudbuild.builds.editor to my service account (as mentioned in this answer & on this Google page) solved my problem.

This is how to add these permissions:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/storage.admin"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/cloudbuild.builds.editor"

More about gcloud projects add-iam-policy-binding.

Trying to add the permission serviceusage.services.use to the role my service account already had did not solve my problem, despite what the error message says.

Upvotes: 1

KirilChe

Reputation: 1

I followed the tutorial you mentioned too. And I did not use Cloud Build API on that project before. So I enabled it and Cloud Build created Service Account and Cloud Storage Bucket on my behalf upon activating an API.

What caught my eye was that the bucket it created had this ACL (fine-grained) access model that makes things complicated. I disabled this thing and momentarily Github Actions logs started to flow and became green.

Maybe your project in GCP was also freshly created like mine was. Hope it helps someone.

Upvotes: 0

Ronoaldo Pereira

Reputation: 667

Grant Storage Admin role to the service account instead of Storage Object Admin to allow your Github Action to deploy using the workflow template.

I had this error when setting up Workload Identity to a Github Action. The error message is weird but the issue is in the workflow template. The template instructs you to grant Storage Objects Admin, but from the required permissions page also linked in the template, it says we need to grant Storage Admin.

You may need to also grant the Service Usage Consumer role; I had it already so I'm not sure if it is required.

Upvotes: 7
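A way to check a project's IAM policy against the roles named in zabop's and Ronoaldo's answers, as an added example (not code from any answer, nor from Google's templates): it reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, reports which of those roles the deploying service account is missing, and flags broad roles such as Owner/Editor that would hide the problem instead of fixing it. The sample policy, project name and service-account name are constructed; the grouping into required/optional roles follows the two answers and is an assumption of mine.

```python
import json

# Roles the answers above say the deploying service account needs (assumed grouping):
# zabop: storage.admin + cloudbuild.builds.editor; Ronoaldo: storage.admin, and
# possibly serviceusage.serviceUsageConsumer.
REQUIRED_ROLES = {"roles/storage.admin", "roles/cloudbuild.builds.editor"}
OPTIONAL_ROLES = {"roles/serviceusage.serviceUsageConsumer"}
# Broad roles that also make the error go away but violate least privilege for a CI identity.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample of what `gcloud projects get-iam-policy PROJECT_ID --format=json`
# returns for a project where only the template's Storage Object Admin was granted.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/cloudbuild.builds.editor",
         "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
    ],
    "etag": "constructed-etag",
    "version": 1,
})


def roles_for_member(policy_json: str, member: str) -> set:
    """Project-level roles bound directly to `member`.

    Note: get-iam-policy only shows bindings on the project itself; roles inherited
    from a folder or organization do not appear here.
    """
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_deployer(policy_json: str, member: str) -> dict:
    """Compare a member's roles with the roles the answers on this page call for."""
    have = roles_for_member(policy_json, member)
    return {
        "missing_required": sorted(REQUIRED_ROLES - have),
        "missing_optional": sorted(OPTIONAL_ROLES - have),
        "too_broad": sorted(have & BROAD_ROLES),
    }


if __name__ == "__main__":
    sa = "serviceAccount:deployer@example-project.iam.gserviceaccount.com"
    # For the sample policy this reports storage.admin as missing (objectAdmin is not enough).
    print(json.dumps(check_deployer(SAMPLE_POLICY, sa), indent=2))
```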
