创建新计算实例时 GCP 中的权限错误，但服务帐户确实具有权限

Question

I am running a cloudbuild.yaml job in Google Cloud Platform that builds, pushes and tags a Docker Image and then it creates a Compute Engine instance to run that image via gcr.io/cloud-builders/gcloud.create-with-container . I also specify a service account to be used in this step:

- id: "Create Compute Engine instance"
  name: gcr.io/cloud-builders/gcloud
  args: [
    'compute',
    'instances',
    'create-with-container',
    '${INSTANCE_NAME}',
    '--container-image',
    'eu.gcr.io/${PROJECT_ID}/${PROJECT_ID}-${REPO_NAME}',
    '--zone',
    '${ZONE}',
    '--service-account',
    '${SERVICE_ACCOUNT},
    '--machine-type',
    'n2-standard-4'
    ]

However I am getting an error:

Already have image (with digest): gcr.io/cloud-builders/gcloud
ERROR: (gcloud.compute.instances.create-with-container) Could not fetch resource:
 - Required 'compute.instances.create' permission for 'projects/...'

The service account in use does have the permissions for that as it has been assigned "role": "roles/compute.instanceAdmin.v1" , which includes compute.instances.* as per documentation .

Anyone has experienced this or a similar situation and can give a hint on how to proceed? Am I missing something obvious? I have tried using other service accounts, including the project default compute account and get the same error. One thing to note is I do not specify a service account for Docker steps (gcr.io/cloud-builders/docker).

Answer 1

Make sure that you are not misinterpreting service accounts. There is a special service account used by Cloud Build. There is also the service account to "be used" by the VM/instance you are creating.

The "compute.instances.create" permission should be granted to the special Cloud Build account, not to the account for the instance.

The Cloud Build account has a name like 123123123@cloudbuild.gserviceaccount.com.

In the Cloud Console go to Cloud Build -> Settings -> Service Accounts and check if correct permissions are granted.