ERROR: (gcloud.beta.functions.deploy) ... message=[The caller does not have permission]

Question

I am trying to deploy code from this repo:

https://github.com/anishkny/puppeteer-on-cloud-functions

in Google Cloud Build. My cloudbuild.yaml file contents are:

steps:
- name: 'gcr.io/cloud-builders/gcloud'
  args: ['beta', 'functions', 'deploy', 'screenshot', '--trigger-http', '--runtime', 'nodejs8', '--memory', '1024MB']

I have given the following roles to my Cloud Build Service account (****@cloudbuild.gserviceaccount.com):

• Cloud Build Service Account
• Cloud Functions Developer

Yet, in my Cloud Build log I see the following error:

starting build "1f04522c-fe60-4a25-a4a8-d70e496e2821"

FETCHSOURCE
Fetching storage object: gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047
Copying gs://628906418368.cloudbuild-source.googleusercontent.com/94762cc396ed1bb46e8c5dbfa3fa42550140c2eb-b3cfa476-cb21-45ba-849c-c28423982a0f.tar.gz#1534532794239047...
/ [0 files][    0.0 B/  835.0 B]                                                
/ [1 files][  835.0 B/  835.0 B]                                                
Operation completed over 1 objects/835.0 B.                                      
tar: Substituting `.' for empty member name
BUILD
Already have image (with digest): gcr.io/cloud-builders/gcloud
ERROR: (gcloud.beta.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[The caller does not have permission]
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/gcloud" failed: exit status 1

What am I missing?

Answer 1

It would appear that the permissions changed when (perhaps) Cloud Functions went GA. Another customer raised this issue today and I recalled your question.

The Cloud Build robot (${NUM}@cloudbuild.gserviceaccount.com) additionally needs to be a serviceAccountUser of the ${PROJECT-ID}@appspot.gserviceaccount.com account:

NB While the Cloud Build robot local part is the project number (${NUM}), the appspot robot local part is the project ID (${PROJECT})

Please try:

PROJECT=[[YOUR-PROJECT-ID]]

NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')

gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}@appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}@cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}

Let me know!

Answer 2

I struggled with this too after reading quite a bit of documentation. A combination of the above answers got me on the right track. Basically, something like the following is needed:

PROJECT=[PROJECT-NAME]

NUM=$(gcloud projects describe $PROJECT --format='value(projectNumber)')

gcloud iam service-accounts add-iam-policy-binding \
${PROJECT}@appspot.gserviceaccount.com \
--member=serviceAccount:${NUM}@cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT}

gcloud iam service-accounts add-iam-policy-binding \
    ${PROJECT}@[INSERT_YOUR_IAM_OWNER_SERVICE_ACCOUNT_NAME].iam.gserviceaccount.com \
    --member='serviceAccount:service-${NUM}@gcf-admin-robot.iam.gserviceaccount.com' \
    --role='roles/iam.serviceAccountUser'  

Also, I added the "Cloud Functions Developer" role to my @cloudbuild.gserviceaccount.com account via the IAM Console.