Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Cloud build permission denied when deploy to cloud run with "--set-sql-instance" argument

Tags:

google-cloud-platform

google-cloud-run

google-cloud-build

google-cloud-sql

I'm trying to configure cloud build triggers which build maven springboot project and then deploy to cloud runs. I run into a problem where it works when i don't specify the cloud sql instance to be connected with, but when I add "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}" as one of the args, it throws error on cloud build as follows:

Step #1: ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission
Finished Step #1
ERROR
ERROR: build step 1 "gcr.io/cloud-builders/gcloud" failed: exit status 1

Following is my cloudbuild.yml

steps:
  - name: 'gcr.io/kaniko-project/executor:latest'
    args:
      - --destination=gcr.io/$PROJECT_ID/${_IMAGE_NAME}
      - --cache=true
  - name: 'gcr.io/cloud-builders/gcloud'
    args: [
      "beta", "run",
      "deploy", "${_SERVICE_NAME}-${_PROFILE}",
      "--image", "gcr.io/${PROJECT_ID}/${_IMAGE_NAME}",
      "--region", "${_REGION}",
      "--platform", "managed",
      "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}",
      "--allow-unauthenticated",
      "--set-env-vars", "SPRING_PROFILES_ACTIVE=${_SPRING_PROFILE},DATABASE_CONNECTION_NAME=${_DATABASE_CONNECTION_NAME},DATABASE_NAME=${_DATABASE_NAME},DATABASE_USERNAME=${_DATABASE_USERNAME},DATABASE_PASSWORD=${_DATABASE_PASSWORD},MINIO_ACCESS_KEY=${_MINIO_ACCESS_KEY},MINIO_SECRET_KEY=${_MINIO_SECRET_KEY},MINIO_HOSTNAME=${_MINIO_HOSTNAME},MINIO_PORT=${_MINIO_PORT}"
    ]
images:
  - gcr.io/${PROJECT_ID}/${_IMAGE_NAME}

and I already set roles/permission for service account as follow:

  • {PROJECT_ID}[email protected] : Editor, Cloud Sql Client <-- Default SA
  • <Cloud run service agent> : Cloud Run Service Agent, Cloud SQL Client
  • <Cloud Build SA> : Cloud Build SA, Cloud Run Admin

My Cloud Run service also use default service account as its SA

like image 771
hackinteachk Avatar asked Nov 16 '19 18:11

hackinteachk

Video Answer

1 Answers

Make sure you've also given the Cloud Build Service Account the iam.serviceAccountUser role, allowing it to impersonate the Cloud Run runtime service account during the build.

gcloud iam service-accounts add-iam-policy-binding
  [email protected]
  --member="serviceAccount:[email protected]"
  --role="roles/iam.serviceAccountUser"

See Cloud Run deployment permissions for more info.

like image 93
Travis Webb Avatar answered Sep 30 '22 07:09

Travis Webb
Sign in to Comment

Related questions

Is it possible to use Google Cloud CDN with App Engine Standard environment?
How to save receipt of Apple in-app Purchase in database?
Dialogflow send custom payload json from webhook
Process cannot access the file because it is being used by another process [Android] [Gradle]
Firestore Security Rules for Query with Array Contains
Why is Firestore rounding 64 bit integers?
How do I correlate request logs in Cloud Run?
How do I set up a Google Analytics Custom Dimension as a dimension filter in Data Studio report?
Angular Firebase Function Deploy Error: Cannot find module 'firebase/app'
ER_ACCESS_DENIED_ERROR CloudSQL
firebase function Error: Cannot find module when serving locally, out of the blue on previously working project
iOS App running on iOS 13 is resetting each time the user goes into background for at least 30sec
Firebase hosting caches Google Cloud Run requests
Firebase Search event Term not showing in analytics
Is it possible to increase the response timeout in Google App Engine?
How to Install git in google compute engine?
Send notification automatically from Firebase
What is the meaning of Google Translate query params?
Does firebase hosting benefit from CloudFlare?
Read data from cloud firestore with firebase cloud function?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!