Google Cloud Run Deploy error: Missing necessary permission error - google-cloud-run

When trying to deploy my container (or the hello world container) to google cloud run I receive this error:
ERROR: (gcloud.run.deploy) Cloud Run error: Internal system error. Missing necessary permission for service-<ID>#serverless-robot-prod.iam.gserviceaccount.com on resource <PROJECT ID>
I can see that the service account mentioned in the error is in my IAM dashboard and has the Google Cloud Run Service Agent role. I even tried giving it the Owner role, but it didn't work.
I tried including the --service-account flag with the same service account and receive this error:
PERMISSION_DENIED: Permission 'iam.serviceaccounts.actAs' denied on service account service-<ID>#serverless-robot-prod.iam.gserviceaccount.com (or it may not exist).
Which I know doesn't make sense.
I also tried this deploy through the console ui, but received the same error (the first one).
How do I fix this permission error?

I order to assign the iam.serviceAccounts.actAs permission you have to set the roles/iam.serviceAccountUser role.
You can do this by going to the Console > IAM & Admin and setting the Service Account User role to your service account.
Also, confirm that the Cloud Run runtime service account also has the iam.serviceAccounts.actAs permission. This is a requirement specified in the Cloud Run deployment permissions docs

As Dustin mentioned, there was an outage affecting IAM permissions. Now that the outage has been resolved, my deployment is working!

Related

Permission error in GCP when creating a new compute instance but service account does have permissions

I am running a cloudbuild.yaml job in Google Cloud Platform that builds, pushes and tags a Docker Image and then it creates a Compute Engine instance to run that image via gcr.io/cloud-builders/gcloud.create-with-container. I also specify a service account to be used in this step:
- id: "Create Compute Engine instance"
name: gcr.io/cloud-builders/gcloud
args: [
'compute',
'instances',
'create-with-container',
'${INSTANCE_NAME}',
'--container-image',
'eu.gcr.io/${PROJECT_ID}/${PROJECT_ID}-${REPO_NAME}',
'--zone',
'${ZONE}',
'--service-account',
'${SERVICE_ACCOUNT},
'--machine-type',
'n2-standard-4'
]
However I am getting an error:
Already have image (with digest): gcr.io/cloud-builders/gcloud
ERROR: (gcloud.compute.instances.create-with-container) Could not fetch resource:
- Required 'compute.instances.create' permission for 'projects/...'
The service account in use does have the permissions for that as it has been assigned "role": "roles/compute.instanceAdmin.v1", which includes compute.instances.* as per documentation.
Anyone has experienced this or a similar situation and can give a hint on how to proceed? Am I missing something obvious? I have tried using other service accounts, including the project default compute account and get the same error. One thing to note is I do not specify a service account for Docker steps (gcr.io/cloud-builders/docker).
Make sure that you are not misinterpreting service accounts.
There is a special service account used by Cloud Build.
There is also the service account to "be used" by the VM/instance you are creating.
The "compute.instances.create" permission should be granted to the special Cloud Build account, not to the account for the instance.
The Cloud Build account has a name like 123123123#cloudbuild.gserviceaccount.com.
In the Cloud Console go to Cloud Build -> Settings -> Service Accounts
and check if correct permissions are granted.

GCP Cloud Run Cannot Pull Image from Artifact Registry in Other Project

I have a parent project that has an artifact registry configured for docker.
A child project has a cloud run service that needs to pull its image from the parent.
The child project also has a service account that is authorized to access the repository via an IAM role roles/artifactregistry.writer.
When I try to start my service I get an error message:
Google Cloud Run Service Agent must have permission to read the image,
europe-west1-docker.pkg.dev/test-parent-project/docker-webank-private/node:custom-1.
Ensure that the provided container image URL is correct and that the
above account has permission to access the image. If you just enabled
the Cloud Run API, the permissions might take a few minutes to
propagate. Note that the image is from project [test-parent-project], which
is not the same as this project [test-child-project]. Permission must be
granted to the Google Cloud Run Service Agent from this project.
I have tested manually connecting with docker login and using the service account's private key and the docker pull command works perfectly from my PC.
cat $GOOGLE_APPLICATION_CREDENTIALS | docker login -u _json_key --password-stdin https://europe-west1-docker.pkg.dev
> Login succeeded
docker pull europe-west1-docker.pkg.dev/bfb-cicd-inno0/docker-webank-private/node:custom-1
> OK
The service account is also attached to the cloud run service:
You have 2 types of service account used in Cloud Run:
The Google Cloud Run API service account
The Runtime service account.
In your explanation, and your screenshot, you talk about the runtime service account, the identity that will be used by the service when it runs and call Google Cloud API.
BUT before running, the service must be deployed. This time, it's a Google Cloud Run internal process that run to pull the container, create a revision and do all the required internal stuff. To do that job, a service account also exist, it's named "service agent".
In the IAM console, you can find it: the format is the following
service-<PROJECT_NUMBER>#serverless-robot-prod.iam.gserviceaccount.com
Don't forget to tick the checkbox in the upper right corner to include the Google Managed service account
If you want that this deployment service account be able to pull image in another project, grant on it the correct permission, not on the runtime service account.

ERROR: (gcloud.run.services.update) PERMISSION_DENIED: Permission 'run.services.get' denied on resource 'namespaces/*/services/test-repo'

I have following permissions in google cloud.
BigQuery Admin
Cloud Functions Admin
Cloud Scheduler Admin
Compute Admin
Editor
Source Repository Administrator
Storage Admin
I am creating a cloud run container using cloud repository. But getting following error.
ERROR: build step 2 "gcr.io/google.com/cloudsdktool/cloud-sdk:slim"
failed: step exited with non-zero status: 1 ERROR Finished Step #2 -
"Deploy" Step #2 - "Deploy": ERROR: (gcloud.run.services.update)
PERMISSION_DENIED: Permission 'run.services.get' denied on resource
'namespaces/buypower-mobile-app/services/test-repo' (or resource may
not exist).
If you're using Cloud Build to deploy the Cloud Run service, then the error you’re getting is because the Service Account used by Cloud Build does not have sufficient permissions to update the Cloud Run service, according to the official documentation.
The specific error is that permission is denied on run.services.get. This method is part of either roles/run.admin or roles/run.developer. Both roles include the permission run.services.update, which it'll need.
To get it working, you will need to add that one of those roles to the Service Account that is being used by Cloud Build.
Along with #DazWilkin's answer I was having difficulty determining whether the service account actually had the run.services.update permission. Especially since I was using Github Actions with Workload Identity Pools for auth and impersonating a service account.
I'd recommend doing the following:
Check if your auth is working correctly
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth#v0'
with:
workload_identity_provider: 'projects/xxxxx/locations/global/workloadIdentityPools/my_pool/providers/my_provider'
service_account: 'my-service-account#{PROJECT_ID}.iam.gserviceaccount.com'
# this will make this step fail if auth fails
token_format: 'access_token'
Check if the service account used above and in the google-github-actions/deploy-cloudrun#v0 has the run.services.update permission. There are 2 places you can check.
a) Policy Troubleshooter - Use the service account, select your project, and enter the permission. This will immediately tell you whether you have the permission or not
b) Policy Analyzer - Create Custom query, use Permission as parameter, click continue and Run Query. This will show you all the principals that have the permission you're looking for
If your service account doesn't have the correct permission you need to add it from the IAM & Admin -> IAM page

Access problem with service account in gcloud from github actions

I'm quite new to github actions and gcloud. I have trouble to get my github-CI/CD-Pipeline running because I can't push any docker image to the google Cloud Registry due to access restrictions.
What have I done so far:
I have a Quarkus app hosted on github
I used github actions to build the Maven project and the docker image
I created a project in google Cloud and added a service account which I use for the github action. The login seems to work:
Run google-github-actions/setup-gcloud#master
/usr/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/ac85f67a-89fa-4eb4-8d30-3f6379124ec2 -f /home/runner/work/_temp/de491940-a4b1-4a15-bf0a-95d563e68362
/opt/hostedtoolcache/gcloud/342.0.0/x64/bin/gcloud --quiet config set project ***
Updated property [core/project].
Successfully set default project
/opt/hostedtoolcache/gcloud/342.0.0/x64/bin/gcloud --quiet auth activate-service-account github-actions#***.iam.gserviceaccount.com --key-file -
Activated service account credentials for: [github-actions#***.iam.gserviceaccount.com]
If I now try to push the docker image I get the following (expected) error message:
Run docker push "$GCR_HOSTNAME/$PROJECT_ID/$IMAGE:$IMAGE_TAG"
The push refers to repository [eu.gcr.io/***/***]
715ac1ae8693: Preparing
435cfe5f5775: Preparing
313d03d71d4d: Preparing
c5c8d86ccee1: Preparing
1b0f2238925b: Preparing
144a43b910e8: Preparing
4a2bc86056a8: Preparing
144a43b910e8: Waiting
4a2bc86056a8: Waiting
denied: Token exchange failed for project '***'. Caller does not have permission 'storage.buckets.get'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control
Error: Process completed with exit code 1.
Next, I opened the Google Cloud Console and created a custom role (IAM & Admin -> Roles -> Create Role) which has the necessary permissions.
Then, I had trouble to assign my new custom role to the service account (IAM & Admin -> Service Accounts -> Manage Access -> Add member). I used the email address of the service account as "New members", but I could not choose the custom role I just created. What am I missing here?
I read somewhere that I can also add service accounts as member (IAM & Admin -> IAM -> Add). Again I used the email address of the service account as "New Members". This time I could choose my custom role. What's the difference to the first approach?
Anyways, if a I try to run the github action again, now I get the following error:
Run docker push "$GCR_HOSTNAME/$PROJECT_ID/$IMAGE:$IMAGE_TAG"
The push refers to repository [eu.gcr.io/***/***]
c4f14c9d3b6e: Preparing
fe78d438e8e2: Preparing
843fcae4a8f4: Preparing
dcf8cc80cedb: Preparing
45e8815b101d: Preparing
144a43b910e8: Preparing
4a2bc86056a8: Preparing
144a43b910e8: Waiting
4a2bc86056a8: Waiting
denied: Access denied.
Error: Process completed with exit code 1.
The error message is different, so I guess the permission for the service account somehow worked, but still I can't succeed. Which steps did I miss?
Any help is highly appreciated. Thanks a lot!
One way to debug this is to create a key for the service account on your local host, configure your script|gcloud to use the service account as its credentials and then try the push manually.
One immediate problem may be that you're not authenticating against Google Container Registry (GCR). GCR implements Docker's registry API and you'll need to use one of the mechanisms to authenticate before you can interact with the registry.
Notes:
I think you don't need to create a custom role. You have 2 options. Either (preferred) create an account specifically for the CI/CD job and grant it the minimum set of roles needed including storage.buckets.get. I think you can start with roles/storage.admin (link) and perhaps refine later.
You can grant roles e.g. roles/storage.admin to a Project in which case the permission applies to all Cloud Storage resources or to a specific Bucket in which case the permission applies only to the bucket and its objects.
Service Accounts have a dual role in GCP. As an identity and as a resource (that can be used by other identities). It can be confusing.

gcp docker push - permission denied

The default service account that a GCP VM use has been granted storage.buckets.* and storage.objects.* roles yet I get the error that storage.buckets.create permission isn't setup.
denied: Token exchange failed for project 'test-307504'. Caller does
not have permission 'storage.buckets.create'. To configure
permissions, follow instructions at:
https://cloud.google.com/container-registry/docs/access-control
The default service account is 123456789-compute#developer.gserviceaccount.com and I've created roles related to storage and assigned to the IAM service account and I ran the command gcloud auth configure-docker. But still I'm unable to push docker images to the GCR repository.
Is there something else I should be doing after assigning the roles to refresh on the VM?
Apart from permissions, check for the access scope at the VM level.
While you are at, read up on Using the Compute Engine Default Service Account and Best Practices too.

Resources