
I'm trying to configure Cloud Build triggers which build a Maven Spring Boot project and then deploy to Cloud Run. I run into a problem where it works when I don't specify the Cloud SQL instance to be connected with, but when I add "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}" as one of the args, it throws an error on Cloud Build as follows:

Step #1: ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission
Finished Step #1
ERROR
ERROR: build step 1 "gcr.io/cloud-builders/gcloud" failed: exit status 1

Following is my cloudbuild.yml

steps:
  - name: 'gcr.io/kaniko-project/executor:latest'
    args:
      - --destination=gcr.io/$PROJECT_ID/${_IMAGE_NAME}
      - --cache=true
  - name: 'gcr.io/cloud-builders/gcloud'
    args: [
      "beta", "run",
      "deploy", "${_SERVICE_NAME}-${_PROFILE}",
      "--image", "gcr.io/${PROJECT_ID}/${_IMAGE_NAME}",
      "--region", "${_REGION}",
      "--platform", "managed",
      "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}",
      "--allow-unauthenticated",
      "--set-env-vars", "SPRING_PROFILES_ACTIVE=${_SPRING_PROFILE},DATABASE_CONNECTION_NAME=${_DATABASE_CONNECTION_NAME},DATABASE_NAME=${_DATABASE_NAME},DATABASE_USERNAME=${_DATABASE_USERNAME},DATABASE_PASSWORD=${_DATABASE_PASSWORD},MINIO_ACCESS_KEY=${_MINIO_ACCESS_KEY},MINIO_SECRET_KEY=${_MINIO_SECRET_KEY},MINIO_HOSTNAME=${_MINIO_HOSTNAME},MINIO_PORT=${_MINIO_PORT}"
    ]
images:
  - gcr.io/${PROJECT_ID}/${_IMAGE_NAME}

and I already set roles/permissions for the service accounts as follows:

  • {PROJECT_ID}[email protected] : Editor, Cloud Sql Client <-- Default SA
  • <Cloud run service agent> : Cloud Run Service Agent, Cloud SQL Client
  • <Cloud Build SA> : Cloud Build SA, Cloud Run Admin

My Cloud Run service also uses the default service account as its SA.

  • Does your command work if you run it manually? Commented Nov 16, 2019 at 19:32
  • @guillaumeblaquiere I'm not sure about locally, but using the Cloud Run console page to deploy, it works. Commented Nov 17, 2019 at 1:38
  • @guillaumeblaquiere Updated: I can deploy it locally and manually from the Cloud Run console too. Commented Nov 17, 2019 at 1:54
  • @JohnHanley 1) What Cloud SQL permission should I grant? (I tried Cloud SQL Admin and it still doesn't work.) 2) Just to make sure, the default Cloud Run SA has only the Cloud Run Service Agent role, right? Commented Nov 17, 2019 at 1:55
  • 1) You need the permission cloudsql.instances.connect and cloudsql.instances.get which are in the role roles/cloudsql.client (Cloud SQL Client). 2) I don't remember what the Cloud Run Service Agent roles are set to by default. 3) You do not state what you are doing with Cloud SQL, so you may need more permissions. Start with roles/cloudsql.editor and then adjust down once you have everything working. Review the documentation so that you understand Cloud SQL permissions: cloud.google.com/sql/docs/mysql/project-access-control Commented Nov 17, 2019 at 2:41

2 Answers


Make sure you've also given the Cloud Build Service Account the iam.serviceAccountUser role, allowing it to impersonate the Cloud Run runtime service account during the build.

gcloud iam service-accounts add-iam-policy-binding \
  [email protected] \
  --member="serviceAccount:[email protected]" \
  --role="roles/iam.serviceAccountUser"

See Cloud Run deployment permissions for more info.


7 Comments

I got this exception: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition. ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: The member [email protected] is of an unknown type. Please set a valid type prefix for the member.
I'm not sure right now, try following the doc I linked, it has more info and I don't want to try to copy/paste the whole thing into the answer.
@hackinteachk - The error means a typo in the Cloud Build SA. You need to add serviceAccount: in front: --member=serviceAccount:[email protected]
Travis - you are missing the serviceAccount: in your answer. Other than that your answer is correct. --member=serviceAccount:[email protected]
@TravisWebb Still doesn't work for me. Same error: ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission
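As an added diagnostic (not part of the answer above), here is a small Python check that reads IAM policies in the JSON shape that `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json` return, and reports which of the three grants discussed on this page are missing, plus any member written without the `serviceAccount:` type prefix (the cause of the "is of an unknown type" error in the comments). The service-account addresses and the policy documents are constructed placeholders.

```python
"""Offline check of the IAM grants a Cloud Build -> Cloud Run deploy with
--set-cloudsql-instances relies on. Policies are constructed samples in the
shape `gcloud ... get-iam-policy --format=json` returns."""
import json

BUILD_SA = "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"            # placeholder
RUNTIME_SA = "serviceAccount:123456789012-compute@developer.gserviceaccount.com"  # placeholder

# Grants to verify: (which policy, role, member)
REQUIRED = [
    ("runtime_sa", "roles/iam.serviceAccountUser", BUILD_SA),  # build SA may act as the runtime SA
    ("project", "roles/run.admin", BUILD_SA),                  # build SA may deploy the service
    ("project", "roles/cloudsql.client", RUNTIME_SA),          # runtime SA may open the Cloud SQL socket
]

def members_with_role(policy: dict, role: str) -> set:
    """Members bound to `role`; conditional bindings are skipped (assumption: treat them
    as not guaranteed to apply at deploy time, so they never satisfy a requirement)."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == role and "condition" not in b
            for m in b.get("members", [])}

def missing_grants(policies: dict) -> list:
    """Return (policy_name, role, member) for each required grant absent from `policies`."""
    return [(p, role, member) for p, role, member in REQUIRED
            if member not in members_with_role(policies[p], role)]

def untyped_members(policy: dict) -> list:
    """Members lacking a type prefix ('user:', 'serviceAccount:', ...). gcloud rejects such
    a member with 'is of an unknown type'; allUsers/allAuthenticatedUsers are valid as-is."""
    return [m for b in policy.get("bindings", []) for m in b.get("members", [])
            if ":" not in m and not m.startswith("all")]

# Constructed sample: the build SA is Run Admin and the runtime SA is Cloud SQL Client,
# but the serviceAccountUser grant on the runtime SA was written without the type prefix.
SAMPLE_POLICIES = {
    "project": json.loads("""{"bindings": [
        {"role": "roles/run.admin", "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/cloudsql.client", "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}]}"""),
    "runtime_sa": json.loads("""{"bindings": [
        {"role": "roles/iam.serviceAccountUser", "members": ["123456789012@cloudbuild.gserviceaccount.com"]}]}"""),
}

if __name__ == "__main__":
    for grant in missing_grants(SAMPLE_POLICIES):
        print("missing grant:", grant)
    for m in untyped_members(SAMPLE_POLICIES["runtime_sa"]):
        print("member without type prefix:", m)
```

To run it against a real project, replace the sample dicts with the output of the two `get-iam-policy` commands and the placeholders with your own service-account addresses.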

I am using a service account to deploy a Cloud Run function with SQL connections. I found that the service account needs the following permissions:

  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
