google-cloud-run

Permission denied (403) using Cloud Run Job execute's --update-env-vars (override) argument


When logged in as the project owner (full rights) and using the latest gcloud cli (v432.0.0), I am unable to execute a Cloud Run job (403 permission error) using the --update-env-vars argument. I can execute the same job without the argument. The project owner has iam.serviceAccountUser role on the job's service account.

Steps to reproduce my error:

# create a service account for job
gcloud iam service-accounts create sa-cloud-run-job
SERVICE_ACCOUNT=$(gcloud iam service-accounts list --filter='email:sa-cloud-run-job@*' --format='value(email)')

# grant current user the iam.serviceAccountUser role on job's service account 
USER_ACCOUNT=$(gcloud config get-value account)
gcloud iam service-accounts add-iam-policy-binding ${SERVICE_ACCOUNT} --member="user:${USER_ACCOUNT}" --role='roles/iam.serviceAccountUser'

# create the hello-world cloud run job
gcloud alpha run jobs create hello-world-job --image hello-world --service-account=${SERVICE_ACCOUNT} --region us-central1

# execute job without --update-env-vars (WORKS)
gcloud alpha run jobs execute hello-world-job --region=us-central1 

# execute job with --update-env-vars (JOB DOES NOT RUN - 403 error)
gcloud alpha run jobs execute hello-world-job --region=us-central1 --update-env-vars=FOO=BAR

Error Output:

X Creating execution...
  . Provisioning resources...
Executing job failed
ERROR: (gcloud.alpha.run.jobs.execute) PERMISSION_DENIED: The caller does not have permission

For clarification, the hello-world image is not dependent on environment values. It was just used to demonstrate that the simplest image will not execute with the --update-env-vars argument.

Argument appears to be an alpha feature and documentation is currently lacking. I tried granting both the project owner and service account various roles (e.g. roles/run.developer) and I still encountered the same error. I granted the roles both at the project and resource binding level. Not sure which permissions are required.


Solution

  • Private preview/alpha features in Cloud Run only work if your project has been specifically enabled for that alpha feature.

    I suggest either using "update" followed by "execute", or waiting until the feature reaches Beta.
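The "update, then execute" workaround from the answer above, written out as an added example (this is not code from the question or the answer). It persists the variables on the job with `gcloud run jobs update --update-env-vars`, then runs the job with `gcloud run jobs execute --wait`. The job name, region and the FOO=BAR pairs are placeholders, and the pair validation is an assumption about what a sane variable name looks like, not a Cloud Run rule:

```bash
#!/usr/bin/env bash
# Added example, not from the original post: two-step replacement for
# `gcloud run jobs execute --update-env-vars` when the execute-time
# override is not enabled for the project.
set -euo pipefail

# Accept only NAME=value pairs whose NAME is a plain identifier, so a typo
# such as "FOO BAR=1" is rejected before gcloud sees a half-formed flag.
# (Identifier rule is an assumption for this example, not a Cloud Run rule.)
valid_env_pair() {
  case "$1" in
    [A-Za-z_]*=*) printf '%s' "${1%%=*}" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$' ;;
    *) return 1 ;;
  esac
}

# Join pairs with "," as --update-env-vars expects (KEY1=V1,KEY2=V2).
join_env_pairs() {
  local joined="" p
  for p in "$@"; do
    valid_env_pair "$p" || { echo "invalid env var pair: $p" >&2; return 1; }
    joined="${joined:+$joined,}$p"
  done
  printf '%s' "$joined"
}

# Usage: run_job_with_env JOB REGION KEY=VALUE [KEY=VALUE ...]
# Updates the job template, then executes it and waits for completion;
# returns non-zero if validation or either gcloud call fails.
run_job_with_env() {
  local job="$1" region="$2"; shift 2
  [ $# -gt 0 ] || { echo "no env var pairs given" >&2; return 1; }
  local env_list
  env_list=$(join_env_pairs "$@") || return 1
  gcloud run jobs update "$job" --region="$region" --update-env-vars="$env_list" \
    && gcloud run jobs execute "$job" --region="$region" --wait
}

# Example invocation (hypothetical job and region):
# run_job_with_env hello-world-job us-central1 FOO=BAR
```

Two practitioner notes. First, unlike an execute-time override, `update` writes the variables into the job's template, so every later plain `execute` inherits them and anyone who can read the job can read the values; put secrets in Secret Manager and mount them with `--set-secrets` instead of passing them as env vars. Second, `--update-env-vars` splits on commas, so a value containing a comma needs gcloud's alternate-delimiter form (for example `--update-env-vars='^@^LIST=a,b@OTHER=1'`); the helper above does not handle that case.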