Unable to submit build to Cloud Build due to permissions error

When submitting a Cloud Build run via gcloud builds submit ... I'm getting a forbidden error saying I don't have access to the bucket(s). There are 2 places where buckets are normally involved in submitting a Cloud Build, the staging and logs bucket. I specified the buckets for each as buckets (the same one, just different folders) that I do have access to, so the command looks like this:

gcloud builds submit \
  --gcs-log-dir $my_bucket/logs \
  --gcs-source-staging-dir $my_bucket/source

The error I get is:

ERROR: (gcloud.builds.submit) 403: The user is forbidden from accessing the bucket [$my_bucket]: Please check your organization's policy.

I re-ran with --log-http and --verbosity debug and the expanded error shows the real reason:

DEBUG: https://storageapis.google.com "GET /storage/v1/b/$my_bucket?alt=json"
... 
{
  "error": {
    "code": 403,
    "message": "$user does not have serviceusage.services.use access to the Google Cloud Project."
  }
}

I did some digging and see that this error shows up when supplying a quota/billing project with the request (in addition to not having the service consumer role). I confirmed this when inspecting the request's HTTP headers, which included X-Goog-User-Project: $my_project.

What's weird is that I have access to objects in this bucket and can run gsutil/HTTP commands just fine which are using the same API endpoints with the difference being that gsutil doesn't include that user project in the request.

Is there a way to submit a build that doesn't include the project so that I don't need serviceusage.services.use permission? I tried unsetting the project in my gcloud config but it prompted me that I needed to either set it or pass it with --project flag.

edit: the bucket isn't "requester pays" enabled either which is why gsutil and client libraries work fine

Motet answered 26/7, 2021 at 21:18 Comment(4)
Why do you not want to specify a project? - Regurgitation
For me the problem was: [email] does not have storage.buckets.list access to the Google Cloud project. I checked this when I used the gcloud builds submit --log-http command. - Almaalmaata
@Motet have you solved the problem? - Inquire
And for me it was <service-account-email> does not have storage.buckets.create access to the Google Cloud project. Setting the --verbosity=debug --log-http flags was what precisely got me that error message. The default-shown error message was pretty useless. - Stanfordstang
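The question and two of the comments make the same point: the default error hides the real cause, and only the 403 body shown by --log-http --verbosity=debug names the missing permission. This helper, added here and not part of the original post, pulls the principal, permission, quota project and bucket out of such output and maps the permission to the predefined role the GCP documentation quoted on this page recommends; the sample log is constructed in the shape of the question's output.

```python
import re
from typing import Dict, Optional

# Permission -> predefined role. The only entry is the one the GCP documentation
# quoted in this thread recommends; anything else gets a generic hint so the
# script never suggests a role it cannot back up.
ROLE_HINTS: Dict[str, str] = {
    "serviceusage.services.use": "roles/serviceusage.serviceUsageConsumer",
}

# "message" body gcloud prints in the 403 JSON when --log-http is enabled.
_DENIED = re.compile(
    r'"message":\s*"(?P<principal>[^"\s]+) does not have '
    r"(?P<permission>[A-Za-z0-9.]+) access to the Google Cloud [Pp]roject"
)
# Quota project header that triggers the serviceusage.services.use check.
_QUOTA_HDR = re.compile(r"^\s*X-Goog-User-Project:\s*(?P<project>\S+)", re.M)
# Bucket name from the storage GET that was denied.
_BUCKET = re.compile(r'GET /storage/v1/b/(?P<bucket>[^?"\s]+)')


def diagnose(debug_log: str) -> Optional[dict]:
    """Extract the real IAM denial from gcloud debug output, or None if absent."""
    m = _DENIED.search(debug_log)
    if not m:
        return None
    perm = m.group("permission")
    hdr = _QUOTA_HDR.search(debug_log)
    bkt = _BUCKET.search(debug_log)
    return {
        "principal": m.group("principal"),
        "permission": perm,
        "quota_project": hdr.group("project") if hdr else None,
        "bucket": bkt.group("bucket") if bkt else None,
        "role_hint": ROLE_HINTS.get(perm, "check which predefined role carries " + perm),
    }


# Constructed sample (hypothetical principal, project and bucket names).
SAMPLE_LOG = """\
DEBUG: https://storage.googleapis.com "GET /storage/v1/b/my-bucket?alt=json"
X-Goog-User-Project: my-project
{
  "error": {
    "code": 403,
    "message": "alice@example.com does not have serviceusage.services.use access to the Google Cloud Project."
  }
}
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```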

The only reason why you are having this error is you have to enable your billing in order to build your bucket.

I have enabled it when I was trying the tutorial by clicking the "Create a Cloud Storage Bucket" under Getting started at the left side of your Dashboard. Just follow the instructions and you will see the "Enable Billing". Once you have enabled the Billing, you don't need to finish the Tutorial. Go back to your work and run the

$ gcloud builds submit

and it's done!

Multidisciplinary answered 26/3, 2022 at 17:59 Comment(2)
Yeah, this question was originally for an issue in an enterprise env where we don't have access to enable/disable billing, but it is definitely something anyone reading this now should check if they run into the same issue. - Motet
That was the case for me as well. Simply navigate to the Welcome page on the GCP and hit the Billing tab, then activate the billing. - Stipendiary

According to the GCP documentation:

To run gcloud builds commands, users with only cloudbuild.builds.viewer or cloudbuild.builds.editor roles also require the serviceusage.services.use permission. To give this permission to the user, grant them the serviceusage.serviceUsageConsumer role.

Edit your user on IAM & Admin choosing your user and type "Service Usage Consumer".

However, review your policies and roles because I believe that this option is for clean users created from scratch without any other permissions than Object Storage roles.

Gamut answered 30/12, 2022 at 18:3 Comment(1)
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. - Lugubrious

I'm not sure you can run a cloud build without specifying a project. As far as I know, gcloud commands run within a project so it's needed.

If you want to use a different service account you can use service account impersonation adding --impersonate-service-account flag.

For this gcloud invocation, all API requests will be made as the given service account instead of the currently selected account.

Osithe answered 26/7, 2021 at 21:41 Comment(0)

My issue with this message was literally a permission gap. To solve the problem you can visit the service-usage-access-control-reference page (there you can find the serviceusage.services.use permission that you need).

Based on permissions there, you can use for example the roles/serviceusage.serviceUsageAdmin permission in your service account.

In my case I did the following:

gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:YOUR_SA" --role="roles/serviceusage.serviceUsageAdmin"

You can use different permissions based on your needs, for example: roles/serviceusage.serviceUsageConsumer

After running the command I was able to run the GitHub Action (gcloud builds submit) using the service account.

Service account creation ref: service accounts create docs

Parrett answered 17/3 at 6:7 Comment(0)

I had a similar error log; I'm running gcloud with the docker image google/cloud-sdk:alpine:

googlecloudsdk.command_lib.builds.submit_util.BucketForbiddenError: The user is forbidden from accessing the bucket [xxxx]. Please check your organization's policy or if the user has the "serviceusage.services.use" permission. Giving the user Owner, Editor, or Viewer roles may also fix this issue. Alternatively, use the --no-source option and access your source code via a different method.

I added the role Cloud Build Service Agent to my service account.

Full list of roles on the service account:

  • Cloud Run Admin
  • Storage Insights Collector Service
  • Storage Object Creator
  • Storage Object Viewer

Gcloud version:

Google Cloud SDK 453.0.0
bq 2.0.98
bundled-python3-unix 3.9.17
core 2023.10.27
gcloud-crc32c 1.0.0
gsutil 5.27
Valance answered 7/11, 2023 at 13:13 Comment(1)
Google says not to do this: "Warning: Do not grant service agent roles to any principals except service agents. Some service agent roles contain very powerful permissions, and the permissions within these roles can change without notice. Instead, choose a different predefined role, or create a custom role with the permissions you need." - Crownpiece
