stackoom
  简体   繁体   中英

ERROR: (gcloud.builds.submit) Error 403: <SERVICE ACCOUNT> does not have storage.objects.get access to the Google Cloud Storage object

 原文  2021-10-31 19:00:50       google-cloud-platform/ google-cloud-storage/ service-accounts/ google-cloud-build/ google-cloud-shell

Question

I am trying to build a docker image from the Pub/Sub tutorial on Google (link here ). I am running this command: gcloud builds submit --tag gcr.io/project_id/pubsub but for some reason I get the error mentioned in the title: ERROR: (gcloud.builds.submit) INVALID_ARGUMENT: could not resolve source: googleapi: Error 403: <SERVICE ACCOUNT> does not have storage.objects.get access to the Google Cloud Storage object., forbidden . I gave the service account the roles/storage.admin role and that didn't work. I even went as far as made the service account an owner and I still got the same error.

1 answers

solution1
 0  2021-10-31 20:26:06

I figured it out. When using Cloud Build, GCP uses an entirely separate service account for this. It looks something like: <random-id>@cloudbuild.gserviceaccount.com . Add the Cloud Build Service Account role and the Storage Admin role to this service account fixed the problem.

solution2
 0  2022-01-14 05:55:00

In my case, after running the almost similar command to yours:

gcloud builds submit --tag gcr.io/my_project_id/hello_world

I was asked whether or not enabling and retrying "API [cloudbuild.googleapis.com]" then I put and ran "y" :

Creating temporary tarball archive of 2 file(s) totalling 478 bytes before compression. Uploading tarball of [.] to [gs://my_project_id_cloudbuild/source/1642137449.192753-983fc894e2f24fa086f55fa3b56d58aa.tgz] API [cloudbuild.googleapis.com] not enabled on project [354778943856]. Would you like to enable and retry (this will take a few minutes)? (y/N)? y

Then, I also got the almost same error as yours:

Enabling service [cloudbuild.googleapis.com] on project [354778943856]... Operation "operations/acf.p2-354778943856-e99f6fd8-78ec-4cbd-94a2-07e0697d5455" finished successfully. ERROR: (gcloud.builds.submit) INVALID_ARGUMENT: could not resolve source: googleapi: Error 403: 354778943856@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden

But a few minutes later, I ran the command again:

gcloud builds submit --tag gcr.io/my_project_id/hello_world

Then, it was successful:

ID: f4478e51-557b-407d-9c30-c379ef707258 CREATE_TIME: 2022-01-14T05:22:29+00:00 DURATION: 19S SOURCE: gs://my_project_id_cloudbuild/source/1642137748.745566-d75b61b6c6bc4acb9aba900650f201b2.tgz IMAGES: gcr.io/my_project_id/hello_world(+1 more) STATUS: SUCCESS

In my case, after the error, waiting a few minutes then running the command is fine but I don't know what's going on to your case.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question service account does not have storage.objects.get access for Google Cloud Storage How to handle Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object StorageException: Anonymous caller does not have storage.objects.get access My service account which was given storage permissions does not have storage.objects.list access to the Google Cloud Storage bucket public GC storage access fails with Anonymous caller does not have storage.objects.get access Google Cloud Storage access via service account error 403: Your client does not have permission to get URL in python google cloud module Preventing Google Cloud Storage account owner visibility into user bucket objects Google Cloud Storage Transfer Service fails with PERMISSION_DENIED error How to access to a Google Cloud Storage bucket from a Cloud Run service without using a local Service Account key file?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM