
I am trying to deploy code from this repo:

https://github.com/anishkny/puppeteer-on-cloud-functions

in Google Cloud Build. My cloudbuild.yaml file contents are:

steps:
- name: 'gcr.io/cloud-builders/gcloud'
  args: ['beta', 'functions', 'deploy', 'screenshot', '--trigger-http', '--runtime', 'nodejs8', '--memory', '1024MB']

I have given the following roles to my Cloud Build Service account (****@cloudbuild.gserviceaccount.com):

  • Cloud Build Service Account
  • Cloud Functions Developer

Yet, in my Cloud Build log I see the following error:

starting build "1f04522c-fe60-4a25-a4a8-d70e496e2821"

FETCHSOURCE
Fetching storage object: gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047
Copying gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047...
/ [0 files][    0.0 B/  835.0 B]                                                
/ [1 files][  835.0 B/  835.0 B]                                                
Operation completed over 1 objects/835.0 B.                                      
tar: Substituting `.' for empty member name
BUILD
Already have image (with digest): gcr.io/cloud-builders/gcloud
ERROR: (gcloud.beta.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[The caller does not have permission]
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/gcloud" failed: exit status 1

What am I missing?

anishkny
  • How did you assign the role to the service account? I wrote a post that does something similar and I can tell you that something of the following form should provide the correct roles: `NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)'); gcloud projects add-iam-policy-binding ${PROJECT} --member=serviceAccount:${NUM}@cloudbuild.gserviceaccount.com --role=roles/cloudfunctions.developer` (https://medium.com/google-cloud/triggering-cloud-functions-deployments-97691f9b5416) – DazWilkin Aug 17 '18 at 22:45
  • @DazWilkin I assigned roles from the GCP Console IAM page (https://console.cloud.google.com/iam-admin/iam). So what roles show up for your **@cloudbuild.gserviceaccount.com service account in the GCP Console? – anishkny Aug 18 '18 at 00:29

5 Answers


It would appear that the permissions changed when (perhaps) Cloud Functions went GA. Another customer raised this issue today and I recalled your question.

The Cloud Build robot (${NUM}@cloudbuild.gserviceaccount.com) additionally needs to be a serviceAccountUser of the ${PROJECT-ID}@appspot.gserviceaccount.com account:

NB: While the Cloud Build robot's local part is the project number (${NUM}), the appspot robot's local part is the project ID (${PROJECT}).

Please try:

PROJECT=[[YOUR-PROJECT-ID]]

NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')

gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}@appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}@cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}

Let me know!

DazWilkin
  • Aha! https://cloud.google.com/functions/docs/reference/iam/roles#adding_the_iam_service_account_user_role_to_the_runtime_service_account – DazWilkin Aug 23 '18 at 21:55
  • This was it! Coming from the AWS world, IMO this is way too much configuration, but it is what it is. Here's a more recent link https://cloud.google.com/functions/docs/reference/iam/roles#additional-configuration – Govind Rai Jul 18 '19 at 22:55
  • Great! Yes, this configuration is particularly gnarly because of needing to give Cloud Build's service account permission to use another service account. It is a consequence of granularity. Pleased to hear you got it working. – DazWilkin Jul 18 '19 at 23:28

I struggled with this too after reading quite a bit of documentation. A combination of the above answers got me on the right track. Basically, something like the following is needed:

PROJECT=[PROJECT-NAME]

NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')

gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}@appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}@cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}

gcloud iam service-accounts add-iam-policy-binding \
    ${PROJECT}@[INSERT_YOUR_IAM_OWNER_SERVICE_ACCOUNT_NAME].iam.gserviceaccount.com \
    --member='serviceAccount:service-${NUM}@gcf-admin-robot.iam.gserviceaccount.com' \
    --role='roles/iam.serviceAccountUser'  

Also, I added the "Cloud Functions Developer" role to my @cloudbuild.gserviceaccount.com account via the IAM Console.

Mithrill

According to Cloud Build documentation, for Cloud Functions you have to grant the "Project Editor" role to your service account.

But, Cloud Functions documentation states that alternatively to using the Project Editor role, you can use "the Cloud Functions Developer role [but you have to] ensure that you have granted the Service Account User role". Regarding Service Accounts, it indicates to have "the CloudFunctions.ServiceAgent role on your project" and to "have permissions for trigger sources, such as Pub/Sub or the Cloud Storage bucket triggering your function".

Due to those considerations, my understanding is that the documentation omitted specifying all the roles your service account would need and went directly to indicating the Project Editor role.

Héctor Neri
  • Thanks. Adding Role="Project > Editor" seems to fix it. But that seems like too permissive a role, no? I would think "Cloud Functions Developer" (+ CB Service Account) should be enough. Oh well... Thanks anyways! – anishkny Aug 18 '18 at 00:36
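An added check that is not part of any answer above; it applies the reasoning from DazWilkin's answer (the Cloud Build robot needs roles/iam.serviceAccountUser on the appspot runtime account) and Héctor Neri's answer (Project Editor works but is broader than the deploy needs). It reads two IAM policy documents in the shape that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts get-iam-policy SA --format=json` return, and reports what a deploy from Cloud Build would be missing. The project ID, project number and policy contents are constructed placeholders.

```python
import json

# Constructed placeholders (not real project data); real values come from
# `gcloud projects describe PROJECT --format='value(projectNumber)'`.
PROJECT_ID = "example-project"
PROJECT_NUMBER = "123456789012"
CLOUD_BUILD_SA = f"serviceAccount:{PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"
RUNTIME_SA = f"{PROJECT_ID}@appspot.gserviceaccount.com"

# Constructed policy documents: the project policy as the question describes
# it (Cloud Build Service Account + Cloud Functions Developer), and the runtime
# service account's policy before and after the add-iam-policy-binding fix.
PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/cloudfunctions.developer",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}]}""")
RUNTIME_SA_POLICY_BEFORE = json.loads('{"bindings": []}')   # the state behind the 403
RUNTIME_SA_POLICY_AFTER = json.loads("""{"bindings": [
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}]}""")


def roles_for(policy, member):
    """Set of roles `member` holds in one IAM policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def check_deploy_permissions(project_policy, runtime_sa_policy,
                             member=CLOUD_BUILD_SA, runtime_sa=RUNTIME_SA):
    """Explain why `gcloud functions deploy` run as `member` would get a 403,
    or flag a fix that is broader than the deploy needs. Empty list means OK."""
    findings = []
    project_roles = roles_for(project_policy, member)
    if project_roles & {"roles/editor", "roles/owner"}:
        # Editor/Owner make the deploy succeed but grant far more than it needs.
        findings.append("over-privileged: project-level Editor/Owner; use "
                        "cloudfunctions.developer + serviceAccountUser instead")
        return findings
    if "roles/cloudfunctions.developer" not in project_roles:
        findings.append("missing roles/cloudfunctions.developer on the project")
    if "roles/iam.serviceAccountUser" not in roles_for(runtime_sa_policy, member):
        findings.append(f"missing roles/iam.serviceAccountUser on {runtime_sa}")
    return findings


if __name__ == "__main__":
    for label, pol in (("before", RUNTIME_SA_POLICY_BEFORE), ("after", RUNTIME_SA_POLICY_AFTER)):
        print(label, check_deploy_permissions(PROJECT_POLICY, pol) or "OK")
```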

You have to update the Service Account permissions on the Cloud Build settings page. Here are the instructions: https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#fully-managed

You just have to set the status of the Cloud Run Admin role to ENABLED on that page:

[screenshot of the Cloud Build settings page]

Artem Kashin

Start your Cloud Build with auth:

steps:
- name: 'gcr.io/cloud-builders/gcloud'
  args: ['auth', 'activate-service-account', 'xoxox@xoxo-dev.iam.gserviceaccount.com', '--key-file=account.json', '--project=rabbito-dev']

and then simply run your code deployment on Cloud Functions:

- name: 'gcr.io/cloud-builders/gcloud'
  args: ['beta', 'functions', 'deploy', 'screenshot', '--trigger-http', '--runtime', 'nodejs8', '--memory', '1024MB']
M-sAnNan