Reputation: 33
Permission error in GCP when creating a new compute instance but service account does have permissions
I am running a cloudbuild.yaml job in Google Cloud Platform that builds, pushes and tags a Docker Image and then it creates a Compute Engine instance to run that image via gcr.io/cloud-builders/gcloud.create-with-container. I also specify a service account to be used in this step:
- id: "Create Compute Engine instance"
name: gcr.io/cloud-builders/gcloud
args: [
'compute',
'instances',
'create-with-container',
'${INSTANCE_NAME}',
'--container-image',
'eu.gcr.io/${PROJECT_ID}/${PROJECT_ID}-${REPO_NAME}',
'--zone',
'${ZONE}',
'--service-account',
'${SERVICE_ACCOUNT},
'--machine-type',
'n2-standard-4'
]
However I am getting an error:
Already have image (with digest): gcr.io/cloud-builders/gcloud
ERROR: (gcloud.compute.instances.create-with-container) Could not fetch resource:
- Required 'compute.instances.create' permission for 'projects/...'
The service account in use does have the permissions for that as it has been assigned "role": "roles/compute.instanceAdmin.v1", which includes compute.instances.* as per documentation.
Anyone has experienced this or a similar situation and can give a hint on how to proceed? Am I missing something obvious? I have tried using other service accounts, including the project default compute account and get the same error. One thing to note is I do not specify a service account for Docker steps (gcr.io/cloud-builders/docker).
Upvotes: 2
Views: 1175
Answers (1)
Reputation: 171
Make sure that you are not misinterpreting service accounts. There is a special service account used by Cloud Build. There is also the service account to "be used" by the VM/instance you are creating.
The "compute.instances.create" permission should be granted to the special Cloud Build account, not to the account for the instance.
The Cloud Build account has a name like [email protected].
In the Cloud Console go to Cloud Build -> Settings -> Service Accounts and check if correct permissions are granted.
Upvotes: 4
Related Questions
- ERROR: (gcloud.container.clusters.create) ResponseError: code=400, message=The user does not have access to service account "default"
- GCP IAM Permission - Service Account not able to have permission
- Permission denied when creating GCP Service Account Key
- Why cloud build saying I am missing Required 'compute.instances.create' permission for my project?
- GCP SERVICE_ACCOUNT_ACCESS_DENIED when trying to deploy instance with deployment manager
- Cloud build service account permission to build
- GCP Cloud Build fails with permissions error even though correct role is granted
- Permissions required to add a service account to an instance and grant access scopes
- How to give permission for an IAM service account to run a docker container within a GCP VM?
- Service Account throws an insufficient permission error even it has 'owner' privileges