Assume I have a cloudbuild.yaml file like the one below. Also assume that I can run and deploy the container in question manually when using gcloud for the separate functionalities (building and running).
When deploying, the third step is resulting in the error:
ERROR: (gcloud.run.deploy) PERMISSION_DENIED: The caller does not have permission
steps:
# Build the container image
- name: 'gcr.io/cloud-builders/docker'
  args: ['build', '-t', 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA', '.']
# Push the image to Container Registry
- name: 'gcr.io/cloud-builders/docker'
  args: ['push', 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA']
# Deploy image to Cloud Run
- name: 'gcr.io/cloud-builders/gcloud'
  args:
    - 'run'
    - 'deploy'
    - '[SERVICE_NAME]'
    - '--image'
    - 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA'
    - '--region'
    - '[REGION]'
    - '--platform'
    - 'managed'
images:
  - gcr.io/[PROJECT_ID]/[IMAGE]
The caller does not have permission to access project
This error occurs if the account that you used to deploy your app does not have permission to deploy apps for the current project. To resolve this issue, grant the App Engine Deployer (roles/appengine.deployer) role to the account.
Cloud Run is a managed compute platform that enables you to run containers that are invocable via requests or events. Cloud Run is serverless: it abstracts away all infrastructure management, so you can focus on what matters most — building great applications.
https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#before_you_begin
1. Grant the Cloud Run Admin role to the Cloud Build service account:
   a. In the Cloud Console, go to the Cloud Build Settings page.
   b. Locate the row with the Cloud Run Admin role and set its Status to ENABLED.
   c. In the "Additional steps may be required" pop-up, click Skip.
2. Grant the IAM Service Account User role to the Cloud Build service account on the Cloud Run runtime service account:
   a. In the Cloud Console, go to the Service Accounts page.
   b. In the list of members, locate and select [PROJECT_NUMBER][email protected]. This is the Cloud Run runtime service account.
   c. Click SHOW INFO PANEL in the top right corner.
   d. In the Permissions panel, click the Add Member button.
   e. In the New member field, enter the email address of the Cloud Build service account. This is of the form [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com. Note: the email address of the Cloud Build service account is different from that of the Cloud Run runtime service account.
   f. In the Role dropdown, select Service Accounts, and then Service Account User.
   g. Click Save.
In my case, the @cloudbuild account wasn't showing up in the IAM suggestions in step 2, but if you perform step 1, and run your build, the error message will change to something similar to the redacted message below, which contains the account you need.
ERROR: (gcloud.run.deploy) User [<SOME_NUMBER_HERE>@cloudbuild.gserviceaccount.com] does not have permission to access namespace [<YOUR_PROJECT_ID>] (or it may not exist): Permission 'iam.serviceaccounts.actAs' denied on service account <SOME_OTHER_NUMBER_HERE>[email protected] (or it may not exist).
To do this via the gcloud CLI:
# Cloud Run Admin on the service, so the Cloud Build service account may deploy it
gcloud run services add-iam-policy-binding [CLOUD_RUN_SERVICE_NAME] \
  --member=serviceAccount:[CLOUD BUILD SERVICE ACCOUNT EMAIL] \
  --role=roles/run.admin \
  --project=$PROJECT \
  --region=$REGION
# Service Account User on the runtime service account, so the build may act as it.
# Service accounts are not regional, so this command takes no --region flag.
gcloud iam service-accounts add-iam-policy-binding [SERVICE ACCOUNT THAT CLOUD RUN RUNS AS] \
  --member=serviceAccount:[CLOUD BUILD SERVICE ACCOUNT] \
  --role=roles/iam.serviceAccountUser \
  --project=$PROJECT
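As an added example (not code from the question or from any answer), a Python preflight check that reads the two IAM policies involved, in the JSON shape that `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json` produce, reports which of the two bindings the Cloud Build service account still lacks, and maps the two error messages quoted in this thread to the binding each one points at. The project number and account emails are constructed placeholders.

```python
import json
import re

# Constructed identifiers (assumptions, not from the question): a fake project number and the
# default Compute Engine service account that Cloud Run (managed) uses as its runtime identity.
PROJECT_ID = "my-project"
BUILD_SA = "123456789012@cloudbuild.gserviceaccount.com"
RUNTIME_SA = "123456789012-compute@developer.gserviceaccount.com"

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`:
# the Cloud Build SA has its default builder role but not Cloud Run Admin.
PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/run.admin", "members": ["user:alice@example.com"]}]}""")

# Constructed sample in the shape of `gcloud iam service-accounts get-iam-policy SA --format=json`:
# nobody has been granted Service Account User on the runtime SA yet.
RUNTIME_SA_POLICY = json.loads('{"bindings": []}')

def has_role(policy, member, role):
    """True if `member` is listed directly under `role` (group membership is not expanded)."""
    return any(b.get("role") == role and member in b.get("members", [])
               for b in policy.get("bindings", []))

def missing_bindings(project_policy, runtime_sa_policy, project, build_sa, runtime_sa):
    """Commands still needed for the build SA to run `gcloud run deploy`: roles/run.admin on
    the project (what the Cloud Run Admin toggle grants) and Service Account User on the runtime SA."""
    member = f"serviceAccount:{build_sa}"
    cmds = []
    if not has_role(project_policy, member, "roles/run.admin"):
        cmds.append(f"gcloud projects add-iam-policy-binding {project} "
                    f"--member={member} --role=roles/run.admin")
    if not has_role(runtime_sa_policy, member, "roles/iam.serviceAccountUser"):
        cmds.append(f"gcloud iam service-accounts add-iam-policy-binding {runtime_sa} "
                    f"--member={member} --role=roles/iam.serviceAccountUser")
    return cmds

def diagnose(error_text):
    """Map the two deploy errors quoted in this thread to the binding each one points at."""
    if "iam.serviceaccounts.actAs" in error_text:            # second error: actAs on runtime SA
        m = re.search(r"on service account (\S+?) \(", error_text)
        return ("roles/iam.serviceAccountUser", m.group(1) if m else None)
    if "does not have permission" in error_text:              # first error: no run.admin at all
        return ("roles/run.admin", None)
    return (None, None)

if __name__ == "__main__":
    for cmd in missing_bindings(PROJECT_POLICY, RUNTIME_SA_POLICY, PROJECT_ID, BUILD_SA, RUNTIME_SA):
        print(cmd)
```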
I'm using Firebase Functions to deploy a new Cloud Run instance via Cloud Build so I had to also add Cloud Build Service Account permission to my service account used in my functions (in addition to following @derekbaker783's answer)