I am writing a GitHub Action to deploy my application to GCP's "Cloud Run" service.
name: Deploy to production
on:
  push:
    branches:
      - master
env:
  PROJECT_ID: XXX
  SERVICE_NAME: XXX
  RUN_REGION: XXX
  PACKAGE_VERSION: XXX
permissions:
  contents: read
  id-token: write
jobs:
  deployment-job:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v2
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: XXX
          service_account: XXX
      - name: Deploy to Cloud Run
        uses: google-github-actions/deploy-cloudrun@v0
        with:
          service: ${{ env.SERVICE_NAME }}
          source: gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE_NAME }}:${{ env.PACKAGE_VERSION }} # equivalent to "gcloud builds submit ..."
          region: ${{ env.RUN_REGION }}
          tag: ${{ env.PACKAGE_VERSION }}
I run into this error:
ERROR: (gcloud.beta.run.deploy) The user is forbidden from accessing the bucket [XXX]. Please check your organization's policy or if the user has the "serviceusage.services.use" permission
I tried to add this permission to my service account, but I am still running into the same error:
gcloud projects add-iam-policy-binding XXX --member=serviceAccount:XXX --role=roles/serviceusage.serviceUsageAdmin
I set up the Workload Identity Federation from this tutorial.
Grant Storage Admin role to the service account instead of Storage Object Admin to allow your Github Action to deploy using the workflow template.
I had this error when setting up Workload Identity to a Github Action. The error message is weird, but the issue is in the workflow template. The template instructs you to grant Storage Object Admin, but the required permissions page also linked in the template says we need to grant Storage Admin.
You may need to also grant the Service Usage Consumer role; I had it already so I'm not sure if it is required.
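To make the fix in the answer above checkable rather than trial-and-error, here is an added example (not part of the question or the answer, and not code from the google-github-actions project) that audits a project's IAM policy for the deploying service account. It takes the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, reports which of the roles named in the answer (Storage Admin and Service Usage Consumer) the service account lacks, flags the case where it only holds the weaker Storage Object Admin role from the template, and builds the `add-iam-policy-binding` commands for just the missing ones. The project id, service account e-mail and the policy document are constructed placeholders; the required-role list is a parameter, so you can extend it with whatever else the action's documentation requires.

```python
"""Audit a GCP project IAM policy for the roles a GitHub Actions deployer
service account needs before deploy-cloudrun can upload source to the
staging bucket. Added example; not part of the original question or answer."""
import json
from typing import Dict, Iterable, List, Set

# Roles the answer says are needed: Storage Admin (not Storage Object Admin)
# plus, possibly, Service Usage Consumer.
REQUIRED_ROLES: List[str] = [
    "roles/storage.admin",
    "roles/serviceusage.serviceUsageConsumer",
]

# The role the workflow template hands out, which does not satisfy the check.
INSUFFICIENT_ROLE = "roles/storage.objectAdmin"

# Constructed sample in the shape that
# `gcloud projects get-iam-policy PROJECT_ID --format=json` prints.
# Project id and service account e-mail are placeholders, not real values.
SAMPLE_PROJECT = "example-project-id"
SAMPLE_MEMBER = "serviceAccount:gh-deployer@example-project-id.iam.gserviceaccount.com"
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectAdmin", "members": [SAMPLE_MEMBER]},
        {"role": "roles/serviceusage.serviceUsageConsumer",
         "members": [SAMPLE_MEMBER, "user:someone@example.com"]},
        {"role": "roles/run.admin", "members": ["user:someone@example.com"]},
    ],
    "etag": "BwXyZ-constructed",
    "version": 1,
})


def roles_for_member(policy: Dict, member: str) -> Set[str]:
    """Collect every role that binds `member` directly at project level."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def audit_deployer(policy_json: str, member: str,
                   required: Iterable[str] = REQUIRED_ROLES) -> Dict[str, object]:
    """Return the required roles `member` lacks and whether it only holds the
    weaker Storage Object Admin role the workflow template suggests."""
    granted = roles_for_member(json.loads(policy_json), member)
    missing = [role for role in required if role not in granted]
    return {
        "granted": sorted(granted),
        "missing": missing,
        "has_object_admin_only": (
            INSUFFICIENT_ROLE in granted and "roles/storage.admin" not in granted
        ),
    }


def grant_commands(project: str, member: str, missing: Iterable[str]) -> List[str]:
    """Build the gcloud commands that add only the missing bindings, so the
    service account is not handed anything broader than the answer requires."""
    return [
        f"gcloud projects add-iam-policy-binding {project} "
        f"--member={member} --role={role}"
        for role in missing
    ]


if __name__ == "__main__":
    report = audit_deployer(SAMPLE_POLICY_JSON, SAMPLE_MEMBER)
    print(json.dumps(report, indent=2))
    for cmd in grant_commands(SAMPLE_PROJECT, SAMPLE_MEMBER, report["missing"]):
        print(cmd)
```

Run it against real output by replacing `SAMPLE_POLICY_JSON` with the saved `gcloud projects get-iam-policy` JSON and `SAMPLE_MEMBER` with your `serviceAccount:` member string; the sample above reproduces the situation in the question, where the account has Storage Object Admin and Service Usage Consumer but not Storage Admin, so the only command emitted is the one that grants `roles/storage.admin`.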