-1

EDIT: The so-called duplicate question was way off since 1. I could push another image and 2. I could not push a build image. Finally, point #3 is the solution was totally different and ONLY related to pushing build images via cloudbuild. i.e. I beg to differ that this question WAS different.

Running into some more google cloud security stuff. We currently deploy to cloud run like so

```
docker build . --tag gcr.io/myproject/authservice
docker push gcr.io/myproject/authservice

gcloud run deploy staging-admin --region us-west1 --image gcr.io/myproject/authservice --platform managed
```

I did the quick start for google builds but I am getting permission errors. I did this command

https://cloud.google.com/cloud-build/docs/quickstart-build

The command I ran was

```
gcloud builds submit --tag gcr.io/myproject/quickstart-image
```

This is all the same project but submitting builds gets this same error over and over and over (I am not sure why it doesn't just exit on first error).

```
The push refers to repository [gcr.io/myproject/quickstart-image]
e3831abe9997: Preparing
60664c29ef5a: Preparing
denied: Token exchange failed for project 'myproject'. Caller does not have permission 'storage.buckets.get'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control
```

Any ideas how to fix so I can use google cloud build?

Dean Hiller
  • Does this answer your question? [Can't push image to google container registry - Caller does not have permission 'storage.buckets.get'](https://stackoverflow.com/questions/51873072/cant-push-image-to-google-container-registry-caller-does-not-have-permission) – Martin Zeitler Jun 12 '20 at 20:19

2 Answers

0

Complementing the previous answer, as is mentioned in this document, to perform actions in Container Registry the role "storage admin" is necessary.

Do you have "roles/storage.admin" role? If not, add it and try.

The Cloud Build service account has this format: [project_number]@cloudbuild.gserviceaccount.com. Please add the role "roles/storage.admin" by following these steps:

  1. Open the Cloud IAM page
  2. Select your Cloud project.
  3. In the permissions table, locate the row with the email address ending with @cloudbuild.gserviceaccount.com. This is your Cloud Build service account.
  4. Click on the pencil icon.
  5. Select the role you wish to grant to the Cloud Build service account.
  6. Click Save.
Jan Hernandez
  • yup, been there, done that. See my answer in that the permission issue was a total darn red herring. I found some obscure document on google's github and following those permission changes, it all worked. – Dean Hiller Jun 15 '20 at 14:33
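
The console steps in the answer above can also be done with gcloud. This is an added example, not code from either poster: it derives the `[project_number]@cloudbuild.gserviceaccount.com` account from the project number instead of picking a row from the table, lists the roles bound to it at project level, and adds the role only if it is missing. The function names are hypothetical; `myproject` and `roles/storage.admin` are the values used on this page.

```shell
#!/usr/bin/env bash
# Added example: check, then grant, a role on the Cloud Build service account.

# Numeric project number for a project id.
project_number() {  # project_number PROJECT_ID
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# Cloud Build service account e-mail, in the format given in the answer.
cloudbuild_sa() {  # cloudbuild_sa PROJECT_ID
  local num
  num="$(project_number "$1")" || return 1
  [ -n "$num" ] || return 1
  printf '%s@cloudbuild.gserviceaccount.com\n' "$num"
}

# Roles bound to one member e-mail at project level, one per line.
roles_for() {  # roles_for PROJECT_ID MEMBER_EMAIL
  gcloud projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:$2" \
    --format='value(bindings.role)'
}

# Grant ROLE to the Cloud Build service account only when it is not bound yet.
ensure_cloudbuild_role() {  # ensure_cloudbuild_role PROJECT_ID ROLE
  local sa
  sa="$(cloudbuild_sa "$1")" || { echo "cannot resolve project number for $1" >&2; return 1; }
  if roles_for "$1" "$sa" | grep -qxF "$2"; then
    echo "present: $2 on serviceAccount:$sa"
  else
    gcloud projects add-iam-policy-binding "$1" \
      --member="serviceAccount:$sa" --role="$2" --quiet >/dev/null || return 1
    echo "granted: $2 to serviceAccount:$sa"
  fi
}

# When run as a script: ./ensure-role.sh myproject roles/storage.admin
if [ "$#" -eq 2 ]; then
  ensure_cloudbuild_role "$1" "$2"
fi
```

Running `roles_for` before and after the change shows exactly which account received the binding.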
0

BE WARNED: I read the duplicate question post but in my case

  1. I can push items
  2. only the build one is failing AND the solution I found is different than any of the other question answers

This was a VERY weird issue. The storage permission MUST be a red herring because these permissions fixed the issue

enter image description here

I found some documentation somewhere that I can't seem to find on a google github repo about adding these permissions AND a document on the TWO @cloudbuild.gserviceaccount.com accounts AND you must add the permissions to the correct one!!!! One is owned by google and you should not touch.

Dean Hiller