Cloud Build permission denied when deploying to Cloud Run with "--set-cloudsql-instances" argument
I'm trying to configure Cloud Build triggers which build a Maven Spring Boot project and then deploy it to Cloud Run. I run into a problem where it works when I don't specify the Cloud SQL instance to be connected with, but when I add "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}" as one of the args, it throws an error on Cloud Build as follows:

Step #1: ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission
Finished Step #1
ERROR
ERROR: build step 1 "gcr.io/cloud-builders/gcloud" failed: exit status 1

Following is my cloudbuild.yml

steps:
  - name: 'gcr.io/kaniko-project/executor:latest'
    args:
      - --destination=gcr.io/$PROJECT_ID/${_IMAGE_NAME}
      - --cache=true
  - name: 'gcr.io/cloud-builders/gcloud'
    args: [
      "beta", "run",
      "deploy", "${_SERVICE_NAME}-${_PROFILE}",
      "--image", "gcr.io/${PROJECT_ID}/${_IMAGE_NAME}",
      "--region", "${_REGION}",
      "--platform", "managed",
      "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}",
      "--allow-unauthenticated",
      "--set-env-vars", "SPRING_PROFILES_ACTIVE=${_SPRING_PROFILE},DATABASE_CONNECTION_NAME=${_DATABASE_CONNECTION_NAME},DATABASE_NAME=${_DATABASE_NAME},DATABASE_USERNAME=${_DATABASE_USERNAME},DATABASE_PASSWORD=${_DATABASE_PASSWORD},MINIO_ACCESS_KEY=${_MINIO_ACCESS_KEY},MINIO_SECRET_KEY=${_MINIO_SECRET_KEY},MINIO_HOSTNAME=${_MINIO_HOSTNAME},MINIO_PORT=${_MINIO_PORT}"
    ]
images:
  - gcr.io/${PROJECT_ID}/${_IMAGE_NAME}

and I have already set roles/permissions for the service accounts as follows:

  • {PROJECT_ID}[email protected] : Editor, Cloud Sql Client <-- Default SA
  • <Cloud run service agent> : Cloud Run Service Agent, Cloud SQL Client
  • <Cloud Build SA> : Cloud Build SA, Cloud Run Admin

My Cloud Run service also uses the default service account as its SA.

Psychopathist answered 16/11, 2019 at 18:22

Comments:

Does your command work if you run it manually? -- Hackathorn

@guillaumeblaquiere I'm not sure about locally, but deploying from the Cloud Run console page works. -- Psychopathist

@guillaumeblaquiere Update: I can deploy it locally and manually from the Cloud Run console too. -- Psychopathist

@JohnHanley 1) What Cloud SQL permission should I grant? (I tried Cloud SQL Admin and it still doesn't work.) 2) Just to make sure, the default Cloud Run SA has only the Cloud Run Service Agent role, right? -- Psychopathist

1) You need the permissions cloudsql.instances.connect and cloudsql.instances.get, which are in the role roles/cloudsql.client (Cloud SQL Client). 2) I don't remember what the Cloud Run Service Agent roles are set to by default. 3) You do not state what you are doing with Cloud SQL, so you may need more permissions. Start with roles/cloudsql.editor and then adjust down once you have everything working. Review the documentation so that you understand Cloud SQL permissions: cloud.google.com/sql/docs/mysql/project-access-control -- Kex

@JohnHanley I already granted roles/cloudsql.admin to the Cloud Build SA and it still says permission denied. I'm not sure I understand number 3) "You do not state what you are doing with Cloud SQL". -- Psychopathist

Review Travis Webb's answer. I forgot that you also need an additional permission for the Cloud Build SA. Whenever a service also has a service account attached to it, you need the iam.serviceAccounts.actAs permission. Travis' link provides more details. -- Kex

@JohnHanley I've added that permission to the Cloud Build SA but it still doesn't work. Just to recap, the Cloud Build SA should have the Service Account User role on my SA and Cloud SQL Admin/Client in the IAM policy, is that right? -- Psychopathist

@JohnHanley Update: I've managed to make it run successfully :) by adding Cloud SQL Admin to the Cloud Build SA. -- Psychopathist

For the future, see my SO answer here: #59557508 -- Jer

Make sure you've also given the Cloud Build service account the roles/iam.serviceAccountUser role, allowing it to impersonate the Cloud Run runtime service account during the build.

gcloud iam service-accounts add-iam-policy-binding \
  [email protected] \
  --member="serviceAccount:[email protected]" \
  --role="roles/iam.serviceAccountUser"

See Cloud Run deployment permissions for more info.

Jelena answered 17/11, 2019 at 4:28

Comments:

I got this exception: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition. ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: The member [email protected] is of an unknown type. Please set a valid type prefix for the member. -- Psychopathist

I'm not sure right now; try following the doc I linked. It has more info and I don't want to try to copy/paste the whole thing into the answer. -- Jelena

@Psychopathist The error means a typo in the Cloud Build SA. You need to add serviceAccount: in front: --member=serviceAccount:[email protected] -- Kex

Travis, you are missing the serviceAccount: in your answer. Other than that your answer is correct. --member=serviceAccount:[email protected] -- Kex

@TravisWebb It still doesn't work for me. Same error: ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission -- Psychopathist

@TravisWebb Update: I can run it now. Sorry, I should have added the Cloud SQL Admin role to the Cloud Build SA. -- Psychopathist

Ok, so you needed both serviceAccountUser and SQL Admin? Am I understanding correctly? -- Jelena
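The question and the answer above converge on three bindings for the Cloud Build service account: a Cloud Run role on the project, a Cloud SQL role on the project (the asker ended up with roles/cloudsql.admin; the comments suggest roles/cloudsql.client as the least-privilege starting point), and roles/iam.serviceAccountUser on the runtime service account so the build can act as it. The following preflight script is an added example, not code from the thread. It reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam service-accounts get-iam-policy RUNTIME_SA --format=json` print, reports which of those bindings the build SA is missing, and prints the matching `add-iam-policy-binding` commands with the `serviceAccount:` prefix the comments say was missing. The project ID, account e-mails and the two policy documents are constructed for the example; basic roles such as roles/owner are not expanded, so the check errs on the side of reporting a gap.

```python
"""Preflight check for `gcloud run deploy --set-cloudsql-instances` from Cloud Build.

Added example, not code from the thread. Inputs are the IAM policy documents
printed by `gcloud ... get-iam-policy --format=json`.
"""
import json

# Roles named in the thread. Any Cloud SQL role in the set satisfies the check
# (client is least privilege; the asker reported needing admin). Basic roles
# such as roles/owner are deliberately not expanded here.
RUN_ROLES = {"roles/run.admin"}
CLOUDSQL_ROLES = {"roles/cloudsql.client", "roles/cloudsql.editor", "roles/cloudsql.admin"}
ACTAS_ROLES = {"roles/iam.serviceAccountUser"}  # carries iam.serviceAccounts.actAs


def member_for(email):
    """IAM member string for a service account.

    A bare e-mail is the mistake discussed in the comments: gcloud rejects it
    with "is of an unknown type". An already-prefixed member is returned as-is.
    """
    return email if ":" in email else "serviceAccount:" + email


def roles_for_member(policy, member):
    """Roles bound to `member` in one policy document.

    Conditional bindings are ignored: a grant that only holds under a
    condition may not hold at deploy time, so it does not count.
    """
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def missing_for_deploy(project_policy, runtime_sa_policy, build_sa_email):
    """Return the roles the build SA still lacks, in the order the deploy hits them."""
    member = member_for(build_sa_email)
    project_roles = roles_for_member(project_policy, member)
    sa_roles = roles_for_member(runtime_sa_policy, member)
    missing = []
    if not project_roles & RUN_ROLES:
        missing.append("roles/run.admin")
    # actAs may be granted on the runtime SA itself (preferred: narrow) or
    # project-wide (works, but covers every SA in the project).
    if not (project_roles | sa_roles) & ACTAS_ROLES:
        missing.append("roles/iam.serviceAccountUser")
    if not project_roles & CLOUDSQL_ROLES:
        missing.append("roles/cloudsql.client")
    return missing


def grant_commands(project_id, build_sa_email, runtime_sa_email, missing):
    """gcloud commands that add each missing binding, scoped as narrowly as the thread allows."""
    member = member_for(build_sa_email)
    cmds = []
    for role in missing:
        if role in ACTAS_ROLES:
            cmds.append(
                f"gcloud iam service-accounts add-iam-policy-binding {runtime_sa_email} "
                f"--member={member} --role={role}"
            )
        else:
            cmds.append(
                f"gcloud projects add-iam-policy-binding {project_id} "
                f"--member={member} --role={role}"
            )
    return cmds


# Constructed sample data (hypothetical project and account names).
PROJECT_ID = "example-project"
BUILD_SA = "123456789@cloudbuild.gserviceaccount.com"
RUNTIME_SA = "123456789-compute@developer.gserviceaccount.com"

SAMPLE_PROJECT_POLICY = json.loads(json.dumps({
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder", "members": [member_for(BUILD_SA)]},
        {"role": "roles/run.admin", "members": [member_for(BUILD_SA)]},
        # Expired conditional grant: present in the policy, but not counted.
        {"role": "roles/cloudsql.client", "members": [member_for(BUILD_SA)],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2019-01-01T00:00:00Z')"}},
        {"role": "roles/editor", "members": [member_for(RUNTIME_SA)]},
    ]
}))
SAMPLE_RUNTIME_SA_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountUser", "members": [member_for(BUILD_SA)]},
    ]
}

if __name__ == "__main__":
    gaps = missing_for_deploy(SAMPLE_PROJECT_POLICY, SAMPLE_RUNTIME_SA_POLICY, BUILD_SA)
    print("missing:", gaps)
    for cmd in grant_commands(PROJECT_ID, BUILD_SA, RUNTIME_SA, gaps):
        print(cmd)
```

With real policies, replace the two sample documents with `json.load()` of the `get-iam-policy` output. The conditional binding in the sample is there on purpose: it shows why a role that appears in the console can still leave the deploy with PERMISSION_DENIED, and why the check treats only unconditional bindings as satisfied.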

I am using a service account to deploy a Cloud Run function with SQL connections. I found that the service account needs the following permissions:

  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list
Phototype answered 15/2, 2020 at 15:27
