Reputation: 4576
I am new to Python. I am deploying Python code to Google Cloud Run and I am getting an error.
Here is the terminal:
Deploying from source. To deploy a container use [--image]. See https://cloud.google.com/run/docs/deploying-source-code for more details.
Source code location (/Users/name/......):
Next time, use `gcloud run deploy --source .` to deploy the current directory.
Service name (google-cloud-run):
Please specify a region:
[1] asia-east1
......
Please enter your numeric choice: 27
To make this the default region, run `gcloud config set run/region us-central1`.
This command is equivalent to running `gcloud builds submit --tag [IMAGE] /Users/name/......` and `gcloud run deploy google-cloud-run --image [IMAGE]`
Allow unauthenticated invocations to [google-cloud-run] (y/N)? y
Building using Dockerfile and deploying container to Cloud Run service [google-cloud-run] in project [project-id] region [us-central1]
X Building and deploying new service... Building Container.
✓ Uploading sources...
- Building Container... Logs are available at [https://console.cloud.google.com/cloud-build/builds/bdaf9cea-3e87-46e4-81f8-33b2675808f8?project=1044629281917].
. Creating Revision...
. Routing traffic...
. Setting IAM Policy...
Deployment failed
ERROR: (gcloud.run.deploy) Build failed; check build logs for details
It looks like it fails in the build container.
When I check my logs, the error is: denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/project-id/locations/us-central1/repositories/cloud-run-source-deploy" (or it may not exist).
My code:
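import os

from flask import Flask

app = Flask(__name__)


@app.route("/")
def hello_world():
    # NAME is read from the environment, with "World" as the fallback.
    name = os.environ.get("NAME", "World")
    return "Hello {}!".format(name)


if __name__ == "__main__":
    # debug=True turns on the Werkzeug debugger and reloader; intended for local development.
    app.run(debug=True, host="0.0.0.0", port=int(os.environ.get("PORT", 8080)))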
My Google Cloud IAM account roles:
Artifact Registry Administrator
Artifact Registry Reader
Artifact Registry Repository Administrator
Artifact Registry Writer
Cloud Build Editor
Cloud Run Admin
Container Registry Service Agent
Service Account Admin
Service Account User
Service Usage Admin
Service Usage Consumer
Source Repository Administrator
Source Repository Reader
Source Repository Writer
Storage Admin
Storage Object Admin
Viewer
How can I fix this error? Appreciate if someone can advise. Thank you in advance!
Upvotes: 0
Views: 3150
Reputation: 1142
This Quickstart explains how to deploy a Python service on Cloud Run.
As mentioned here in the doc:
Important: This quickstart assumes that you have owner or editor roles in the project you are using for the quickstart. Otherwise, refer below for the permissions required information.
1: Cloud Run deployment permissions
A user needs the following permissions to deploy new Cloud Run services or revisions:
run.services.create and run.services.update on the project level are required. run.services.get is not strictly required, but is recommended in order to read the status of the created service. Typically assigned through the roles/run.admin role. It can be changed in the project permissions admin page.
iam.serviceAccounts.actAs for the Cloud Run runtime service account. By default, this is [email protected]. The permission is typically assigned through the roles/iam.serviceAccountUser role.
With IAM, every API method in Cloud Build API requires that the identity making the API request has the appropriate permissions to use the resource.
Permissions are granted by setting policies that grant roles to a principal (user, group, or service account). You can grant multiple roles to a principal on the same resource.
3: Artifact Registry permissions
Grant an Identity and Access Management (IAM) permission by granting a role that includes the permission. Use the Artifact Registry roles to control access to your repositories. You can grant permissions at the project or repository level.
Although you can use the basic roles of Owner, Editor, and Viewer to grant access to repositories, using the Artifact Registry roles enables you to apply the security principle of least privilege, so that users and service accounts only have the permissions that are required.
You can refer to this doc and make sure you have followed the mentioned 4 steps to authenticate to Artifact Registry.
If the issue still persists: as I can see, you have already created a public issue tracker entry, so we recommend contacting Google support, raising a ticket and providing the project-specific details so that the issue can be resolved easily.
Upvotes: 0
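An added example, not part of the answer above or of Google's documentation: IAM evaluates the principal that makes the request, so it helps to check each principal separately against the permission named in the denial. The code parses the error line quoted in the question and reports which members of a policy hold a role carrying that permission; the policy, the member names and the abbreviated role table are constructed assumptions.

```python
import re

# Error line as quoted in the question on this page.
ERROR_LINE = ('denied: Permission "artifactregistry.repositories.downloadArtifacts" '
              'denied on resource "projects/project-id/locations/us-central1/'
              'repositories/cloud-run-source-deploy" (or it may not exist)')

# Assumption: abbreviated table of predefined Artifact Registry roles that include
# artifactregistry.repositories.downloadArtifacts; basic and custom roles are not covered.
ROLES_WITH_DOWNLOAD = {
    "roles/artifactregistry.reader", "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin", "roles/artifactregistry.admin",
}

# Constructed policy in the JSON shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/artifactregistry.reader", "members": ["user:dev@example.com"]},
    {"role": "roles/run.admin", "members": ["user:dev@example.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:build-sa@example-project.iam.gserviceaccount.com"]},
]}

DENIAL_RE = re.compile(
    r'Permission "(?P<permission>[\w.]+)" denied on resource '
    r'"projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)'
    r'/repositories/(?P<repo>[^/"]+)"')

def parse_denial(line):
    """Extract permission, project, location and repository from a denial line."""
    match = DENIAL_RE.search(line)
    return match.groupdict() if match else None

def members_with_download(policy):
    """Map each member to the unconditional roles that carry the download permission."""
    found = {}
    for binding in policy.get("bindings", []):
        if binding.get("condition"):  # conditional grants need manual review
            continue
        if binding["role"] in ROLES_WITH_DOWNLOAD:
            for member in binding.get("members", []):
                found.setdefault(member, []).append(binding["role"])
    return found

def can_download(policy, member):
    return member in members_with_download(policy)

if __name__ == "__main__":
    print(parse_denial(ERROR_LINE))
    for bindings in SAMPLE_POLICY["bindings"]:
        for member in bindings["members"]:
            print(member, "->", can_download(SAMPLE_POLICY, member))
```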