When creating a new service account to handle Container Builder jobs, the jobs fail with the following error despite the service account having the Cloud Container Builder, Logs Viewer and Private Logs Viewer roles:
ERROR: (gcloud.container.builds.submit) HTTPError 403:
<?xml version='1.0' encoding='UTF-8'?>
<Error>
<Code>AccessDenied</Code>
<Message>Access denied.</Message>
<Details>[email protected] does not have storage.objects.get access to object redacted.cloudbuild-logs.googleusercontent.com/log-20117c17-f2b4-4159-9883-104ddd7bb232.txt.
</Details>
</Error>
I understand the error points to storage.objects.get permissions over a file on Cloud Storage, but this is not a bucket we can set an ACL for, is it?
Here is the quote from David Bendory (Tech Lead for the Google Cloud Container Builder) from this thread:
GCS permissions predate IAM and thus work a little differently. To view the logs, the Service Account in question needs to be a Viewer on the project in addition to have the Builder Editor role.
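The check that follows is an added example, not code from the thread or from Google. It encodes the answer above: the build service account must hold the Cloud Build Editor role (current role ID `roles/cloudbuild.builds.editor`) and the project Viewer role (`roles/viewer`), because the log bucket's legacy ACLs are derived from the project-level roles rather than from a bucket policy you manage. `missing_roles` compares a list of roles the account holds against that requirement, and `grant_cmd` prints (without running) the binding command that fixes a gap. `PROJECT_ID` and `SA_EMAIL` are placeholders; the `--live` branch assumes the gcloud CLI is installed and authenticated.

```shell
#!/usr/bin/env sh
# Added example; not from the original thread. PROJECT_ID and SA_EMAIL are
# placeholders, not values from the question.
PROJECT_ID="${PROJECT_ID:-example-project}"
SA_EMAIL="${SA_EMAIL:-builder@example-project.iam.gserviceaccount.com}"

# Roles the answer says the build service account needs: Cloud Build Editor
# plus project Viewer (the log bucket's GCS ACLs follow the project roles).
REQUIRED_ROLES="roles/cloudbuild.builds.editor roles/viewer"

# Print each role from REQUIRED_ROLES that is absent from $1, a
# newline-separated list of roles the account currently holds.
missing_roles() {
  held="$1"
  for role in $REQUIRED_ROLES; do
    printf '%s\n' "$held" | grep -qxF "$role" || printf '%s\n' "$role"
  done
}

# Build (but do not run) the gcloud command that grants one role
# to the service account: grant_cmd PROJECT SA_EMAIL ROLE
grant_cmd() {
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=%s\n' \
    "$1" "$2" "$3"
}

# Live check (run with --live): list the roles the account holds in the
# project, then print the grant command for each missing role so it can be
# reviewed before it is applied.
if [ "${1:-}" = "--live" ]; then
  held=$(gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$SA_EMAIL" \
    --format="value(bindings.role)")
  for role in $(missing_roles "$held"); do
    grant_cmd "$PROJECT_ID" "$SA_EMAIL" "$role"
  done
fi
```

Granting `roles/viewer` is broader than the two logging roles the question lists, which is exactly the point of the answer: the legacy GCS ACL on the log bucket is keyed to the project Viewer role, so the narrower logging roles do not satisfy the `storage.objects.get` check that produced the 403.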