
Why am I seeing this error: 'ERROR: (gcloud.run.deploy) PERMISSION_DENIED: The caller does not have permission' while deploying container?


Assume I have a cloudbuild.yaml file like the one below. Also assume that I can run and deploy the container in question manually when using gcloud for the separate functionalities (building and running).

When deploying, the third step is resulting in the error ERROR: (gcloud.run.deploy) PERMISSION_DENIED: The caller does not have permission

steps:
# Build the container image
- name: 'gcr.io/cloud-builders/docker'
  args: ['build', '-t', 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA', '.']
# Push the image to Container Registry
- name: 'gcr.io/cloud-builders/docker'
  args: ['push', 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA']
# Deploy image to Cloud Run
- name: 'gcr.io/cloud-builders/gcloud'
  args:
  - 'run'
  - 'deploy'
  - '[SERVICE_NAME]'
  - '--image'
  - 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA'
  - '--region'
  - '[REGION]'
  - '--platform'
  - 'managed'
# Only the $COMMIT_SHA tag was built above; listing the untagged name here
# would make Cloud Build try to push a ':latest' tag that does not exist.
images:
- gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA


Solution

  • See the docs at:

    https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#before_you_begin


    You need to follow the steps available there:

    1. Grant the Cloud Run Admin role to the Cloud Build service account:

      • In the Cloud Console, open the Cloud Build Settings page.

      • Locate the row with the Cloud Run Admin role and set its Status to ENABLED.

      • In the Additional steps may be required pop-up, click Skip.

    2. Grant the IAM Service Account User role to the Cloud Build service account on the Cloud Run runtime service account:

      • In the Cloud Console, open the Service Accounts page.

      • In the list of members, locate and select [PROJECT_NUMBER]-compute@developer.gserviceaccount.com. This is the Cloud Run runtime service account.

      • Click SHOW INFO PANEL in the top right corner.

      • In the Permissions panel, click the Add Member button.

      • In the New member field, enter the email address of the Cloud Build service account. This is of the form [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com. Note: the email address of the Cloud Build service account is different from that of the Cloud Run runtime service account.

      • In the Role dropdown, select Service Accounts, and then Service Account User.

      • Click Save.


    In my case, the @cloudbuild account wasn't showing up in the IAM suggestions in step 2, but if you perform step 1, and run your build, the error message will change to something similar to the redacted message below, which contains the account you need.

    ERROR: (gcloud.run.deploy) User [<SOME_NUMBER_HERE>@cloudbuild.gserviceaccount.com] does not have permission to access namespace [<YOUR_PROJECT_ID>] (or it may not exist): Permission 'iam.serviceaccounts.actAs' denied on service account <SOME_OTHER_NUMBER_HERE>-compute@developer.gserviceaccount.com (or it may not exist).
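The same two grants from the command line, as an added example that is not part of the question or the answer: it pulls both principals out of an error line of the shape quoted above, then prints the gcloud commands for step 1 (Cloud Run Admin on the project) and step 2 (Service Account User on the runtime service account only, rather than project-wide). The project id, project number and the sample error are constructed; the `parse_actas_error` and `grant_commands` function names are mine.

```shell
#!/bin/sh
# Added example: CLI equivalent of the two console steps in the answer.
# Assumes the caller running these commands may set IAM policy on the project.

# Default principal addresses, as described in the answer.
cloud_build_sa() { printf '%s@cloudbuild.gserviceaccount.com' "$1"; }
runtime_sa()     { printf '%s-compute@developer.gserviceaccount.com' "$1"; }

# Print (do not execute) the two bindings. Binding Service Account User on
# the runtime SA resource, not on the project, is the narrowest grant that
# satisfies the iam.serviceaccounts.actAs check from the error message.
grant_commands() {
  project_id=$1; project_number=$2
  build_sa=$(cloud_build_sa "$project_number")
  rt_sa=$(runtime_sa "$project_number")
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=roles/run.admin\n' \
    "$project_id" "$build_sa"
  printf 'gcloud iam service-accounts add-iam-policy-binding %s --member=serviceAccount:%s --role=roles/iam.serviceAccountUser --project=%s\n' \
    "$rt_sa" "$build_sa" "$project_id"
}

# Extract "<caller> <target-service-account>" from the redacted error line,
# so you can confirm you are binding exactly the principals gcloud named.
parse_actas_error() {
  caller=$(printf '%s' "$1" | sed -n 's/.*User \[\([^]]*\)\].*/\1/p')
  target=$(printf '%s' "$1" | sed -n 's/.*denied on service account \([^ ]*\) .*/\1/p')
  printf '%s %s' "$caller" "$target"
}

# Constructed sample with the same shape as the error quoted in the answer.
SAMPLE_ERR="ERROR: (gcloud.run.deploy) User [123456789012@cloudbuild.gserviceaccount.com] does not have permission to access namespace [my-project] (or it may not exist): Permission 'iam.serviceaccounts.actAs' denied on service account 123456789012-compute@developer.gserviceaccount.com (or it may not exist)."

# Dry run: review the output, then pipe grant_commands into sh to apply it.
parse_actas_error "$SAMPLE_ERR"; echo
grant_commands my-project 123456789012
```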