Search code examples
google-cloud-platformgoogle-cloud-sqlgoogle-cloud-rungoogle-cloud-buildgoogle-cloud-iam

How to use cloud build to deploy cloud run with cloud sql on google cloud?

My cloudbuild.yaml file (I have built a docker image and pushed it to gcr)

This application using mysql on Cloud SQL. So needs to connect to it.

steps:
  - id: cloud-run
    name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: gcloud
    args:
      - 'run'
      - 'deploy'
      - 'my-service'
      - '--image'
      - 'asia.gcr.io/$_PROJECT_ID/my-service:$_COMMIT_SHA'
      - '--region'
      - 'asia-northeast1'
      - '--platform'
      - 'managed'
      - '--service-account'
      - '$_CLOUD_RUN_PUBSUB_INVOKER'
      - '--add-cloudsql-instances'
      - '$_MYSQL_MAIN_INSTANCE_NAME'
      - '--set-env-vars'
      - 'MYSQL_MAIN_CONNECTIONS=$_MYSQL_MAIN_CONNECTIONS'
      - '--set-env-vars'
      - 'MYSQL_MAIN_INSTANCE_NAME=$_MYSQL_MAIN_INSTANCE_NAME'
      - '--set-env-vars'
      - 'MYSQL_MAIN_DB=$_MYSQL_MAIN_DB'
      - '--set-env-vars'
      - 'MYSQL_MAIN_USER=$_MYSQL_MAIN_USER'
      - '--set-env-vars'
      - 'MYSQL_MAIN_PASSWORD_SECRET_ID=$_MYSQL_MAIN_PASSWORD_SECRET_ID'
      - '--set-env-vars'

When ran build to submit, got Cloud SQL API not activated error

$ gcloud builds submit
Creating temporary tarball archive of 5 file(s) totalling 47.4 KiB before compression.
Uploading tarball of [.] to [gs://my-project_cloudbuild/source/1610067564.911628-8d7f3de581ca4b8faa57bd5a8ea75ef1.tgz]
Created [https://cloudbuild.googleapis.com/v1/projects/my-project/locations/global/builds/b4e1bf9c-bc06-4ce8-b252-3b34f164719d].
Logs are available at [https://console.cloud.google.com/cloud-build/builds/b4e1bf9c-bc06-4ce8-b252-3b34f164719d?project=421686839359].
---------------------------------------------------------------------------------------------- REMOTE BUILD OUTPUT -----------------------------------------------------------------------------------------------
starting build "b4e1bf9c-bc06-4ce8-b252-3b34f164719d"

FETCHSOURCE
Fetching storage object: gs://my-project_cloudbuild/source/1610067564.911628-8d7f3de581ca4b8faa57bd5a8ea75ef1.tgz#1610067566084932
Copying gs://my-project_cloudbuild/source/1610067564.911628-8d7f3de581ca4b8faa57bd5a8ea75ef1.tgz#1610067566084932...
/ [1 files][ 17.1 KiB/ 17.1 KiB]
Operation completed over 1 objects/17.1 KiB.
BUILD
Pulling image: gcr.io/google.com/cloudsdktool/cloud-sdk
Using default tag: latest
latest: Pulling from google.com/cloudsdktool/cloud-sdk
6c33745f49b4: Already exists
...
ffa0764d79dc: Pull complete
Digest: sha256:3f32cb39cdfe8902bc85e31111a9f1bc7cbd9d37f31c6164f2b41cfdaa66284f
Status: Downloaded newer image for gcr.io/google.com/cloudsdktool/cloud-sdk:latest
gcr.io/google.com/cloudsdktool/cloud-sdk:latest
Skipped validating Cloud SQL API and Cloud SQL Admin API enablement due to an issue contacting the Service Usage  API. Please ensure the Cloud SQL API and Cloud SQL Admin API are activated (see https://console.cloud.google.com/apis/dashboard).
ERROR: (gcloud.run.deploy) PERMISSION_DENIED: The caller does not have permission
ERROR
ERROR: build step 0 "gcr.io/google.com/cloudsdktool/cloud-sdk" failed: step exited with non-zero status: 1
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ERROR: (gcloud.builds.submit) build b4e1bf9c-bc06-4ce8-b252-3b34f164719d completed with status "FAILURE"

I have checked dashboard https://console.cloud.google.com/apis/dashboard, both Cloud SQL API and Cloud SQL Admin API are activated.

I also ran permission setting by https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#continuous-iam

gcloud iam service-accounts add-iam-policy-binding \
  PROJECT_NUMBER-compute@developer.gserviceaccount.com \
  --member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
  --role="roles/iam.serviceAccountUser"

But still the same error.

Solution

  • It seems the error is about the IAM permission.

    PERMISSION_DENIED: The caller does not have permission

    You also need to follow the Required IAM permission steps in this document:

    To deploy to Cloud Run (fully managed) grant the Cloud Run Admin and Service Account User roles to the Cloud Build service account:

    1. In the Cloud Console, go to the Cloud Build Settings page:

    2. Open the Settings page

    3. In the Service account permissions panel, set the status of the Cloud Run Admin role to ENABLED:

    4. In the Additional steps may be required pop-up, you click Skip or click GRANT ACCESS TO ALL SERVICE ACCOUNTS.