stackoom
  简体   繁体   中英

Cloud build permission denied when deploy to cloud run with “--set-sql-instance” argument

 原文  2019-11-16 18:22:30       google-cloud-platform/ google-cloud-sql/ google-cloud-build/ google-cloud-run

Question

I'm trying to configure cloud build triggers which build maven springboot project and then deploy to cloud runs. I run into a problem where it works when i don't specify the cloud sql instance to be connected with, but when I add "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}" as one of the args, it throws error on cloud build as follows:

Step #1: ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission
Finished Step #1
ERROR
ERROR: build step 1 "gcr.io/cloud-builders/gcloud" failed: exit status 1

Following is my cloudbuild.yml

steps:
  - name: 'gcr.io/kaniko-project/executor:latest'
    args:
      - --destination=gcr.io/$PROJECT_ID/${_IMAGE_NAME}
      - --cache=true
  - name: 'gcr.io/cloud-builders/gcloud'
    args: [
      "beta", "run",
      "deploy", "${_SERVICE_NAME}-${_PROFILE}",
      "--image", "gcr.io/${PROJECT_ID}/${_IMAGE_NAME}",
      "--region", "${_REGION}",
      "--platform", "managed",
      "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}",
      "--allow-unauthenticated",
      "--set-env-vars", "SPRING_PROFILES_ACTIVE=${_SPRING_PROFILE},DATABASE_CONNECTION_NAME=${_DATABASE_CONNECTION_NAME},DATABASE_NAME=${_DATABASE_NAME},DATABASE_USERNAME=${_DATABASE_USERNAME},DATABASE_PASSWORD=${_DATABASE_PASSWORD},MINIO_ACCESS_KEY=${_MINIO_ACCESS_KEY},MINIO_SECRET_KEY=${_MINIO_SECRET_KEY},MINIO_HOSTNAME=${_MINIO_HOSTNAME},MINIO_PORT=${_MINIO_PORT}"
    ]
images:
  - gcr.io/${PROJECT_ID}/${_IMAGE_NAME}

and I already set roles/permission for service account as follow:

  • {PROJECT_ID}-compute@developer.gserviceaccount.com : Editor, Cloud Sql Client <-- Default SA
  • <Cloud run service agent> : Cloud Run Service Agent, Cloud SQL Client
  • <Cloud Build SA> : Cloud Build SA, Cloud Run Admin

My Cloud Run service also use default service account as its SA

2 answers

solution1
 5 ACCPTED  2019-11-17 04:28:11

Make sure you've also given the Cloud Build Service Account the iam.serviceAccountUser role, allowing it to impersonate the Cloud Run runtime service account during the build.

gcloud iam service-accounts add-iam-policy-binding
  PROJECT_NUMBER-compute@developer.gserviceaccount.com
  --member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com"
  --role="roles/iam.serviceAccountUser"

See Cloud Run deployment permissions for more info.

solution2
 0  2020-02-15 15:27:42

I am using a service account to deploy a cloud run function with sql connections. I found that the service account needs the following permissions:

  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Google cloud run build permission denied How to use cloud build to deploy cloud run with cloud sql on google cloud? Permission error when trying to deploy to Google Cloud Run How to increase the cloud build timeout when using ```gcloud run deploy```? Access denied for service account (permission issue?) when importing a csv from cloud storage to cloud sql Permission denied on Cloud KMS key when using cloud storage Getting error when trying to execute cloud build to deploy application to cloud run GCP Quickstart: Build and Deploy (Cloud Run Tutorial) Builder Permission denied. Unable to deploy on Google cloud google cloud gcloud app deploy gives me permission denied
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM