Will.Evo

Reputation: 1177

Cloud Run Fails on Step-2 Deploy with Permissions Error

I am having a heck of a time getting Cloud Run to work correctly. I am creating a new service from the GCP console with a Cloud Build trigger to my GitHub repo. Under the security tab, I am setting the service account to one of my service accounts, which has the following permissions:

  1. Cloud Build Service Account
  2. Cloud Run Admin
  3. Cloud Run Service Agent
  4. Cloud Scheduler Service Agent
  5. Service Account User

When I create the service, it always ends with the following error:

Step #2 - "Deploy": ERROR: (gcloud.run.services.update) PERMISSION_DENIED: Permission 'run.services.get' denied on resource 'namespaces/project/services/cloud_run_service_name' (or resource may not exist).

I can't figure out why I am getting this error. The service account has all the permissions listed in the Cloud Run documentation. Any ideas?

Upvotes: 1

Views: 1544

Answers (3)

jhidalgo

Reputation: 1

Firstly, you need to set the default Cloud Build account up (number@cloudbuild.gserviceaccount.com) with the proper permissions:

  • Cloud Build Service Account
  • Service Account User
  • Cloud Run Developer

For your ad hoc GitHub service account, my proposal of a minimum set of privileges is:

  • Container Registry Service Agent
  • Cloud Build Service Agent
  • Service Account User
  • Storage Object Creator
  • Storage Object Viewer

Finally, although you can do everything from the Cloud Build service, the same can be done without triggers, that is, using GitHub workflows and cloudbuild.yml files.

Upvotes: 0

Will.Evo

Reputation: 1177

I found out what the problem was. I was assuming that I should set up everything from Cloud Run, including my Cloud Build trigger, since the Cloud Run interface offers that capability. Setting up the Cloud Build trigger from Cloud Run doesn't take into account the service account that should be controlling the trigger.

The solution was to do everything from Cloud Build where I am able to specify the service account for the trigger and use a cloudbuild.yaml to control deploying to a Cloud Run service.

Upvotes: 0

someRandomDev

Reputation: 1246

Since you are using Cloud Build to deploy the Cloud Run service, the Cloud Build service account must have the appropriate permissions over Cloud Run. You are only specifying that you are adding the permission to "one of my service accounts", but it must be the one used by Cloud Build. The error that you get indicates that the Cloud Build service account does not have the right permissions so you must have set them for the wrong one.

You should add the role Cloud Run Admin (roles/run.admin) to the service account used by Cloud Build.

Upvotes: 0
