8
votes

I'm getting a permission error when trying to deploy an image to Cloud Run:

gcloud beta run deploy endpoints_proxy \
    --image="gcr.io/endpoints-release/endpoints-runtime-serverless:1.30.0" \
    --allow-unauthenticated

This is the error:

ERROR: (gcloud.beta.run.deploy) User [email-goes-here] does not have permission to access namespace [project-id-goes-here] (or it may not exist): Cloud Run does not have permission to get access tokens for the default compute service account, [email protected]. Please give Google Cloud Run Service Agent the permission iam.serviceAccounts.getAccessToken on the default compute service account.

My account has owner and editor permissions; I even tried attaching the Cloud Run Service Agent role.

I also tried adding these roles to the "default compute service account" listed in the error, but that didn't work.


2 Answers

16
votes

The error message is very misleading; the error occurs because the Cloud Run Service Agent was missing.

After creating the following service account:

Name: service-<account-id>@serverless-robot-prod.iam.gserviceaccount.com
Role: Google Cloud Run Service Agent

the problem got solved. It looks like Cloud Run needs this service account to work, so don't ever delete it :)
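One way to check for the missing binding described in the answer above before redeploying, as an added example that is not part of the original answer. The function names are hypothetical, and it assumes that `<account-id>` is the numeric project number, that the role ID behind "Cloud Run Service Agent" is `roles/run.serviceAgent`, and that the gcloud CLI is authenticated with permission to read the project's IAM policy:

```shell
# Added example (not from the answer). Function names are hypothetical;
# assumes an authenticated gcloud CLI that may read the project's IAM policy.

RUN_AGENT_ROLE="roles/run.serviceAgent"   # role ID assumed for "Cloud Run Service Agent"

# Service agent email for a numeric project number (the <account-id>, by assumption).
run_agent_email() {
  printf 'service-%s@serverless-robot-prod.iam.gserviceaccount.com\n' "$1"
}

# Print every role bound to the service agent in the project's IAM policy.
# $1 = project ID, $2 = project number
run_agent_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$(run_agent_email "$2")" \
    --format="value(bindings.role)"
}

# Return 0 if the binding exists; otherwise print the command that restores it
# and return 1. Returns 2 if the project number cannot be looked up.
# $1 = project ID
check_run_agent() {
  cra_number="$(gcloud projects describe "$1" --format='value(projectNumber)')" || return 2
  cra_email="$(run_agent_email "$cra_number")"
  if run_agent_roles "$1" "$cra_number" | grep -qxF "$RUN_AGENT_ROLE"; then
    printf 'OK: %s holds %s on %s\n' "$cra_email" "$RUN_AGENT_ROLE" "$1"
    return 0
  fi
  printf 'MISSING: %s has no %s binding on %s. Restore it with:\n' \
    "$cra_email" "$RUN_AGENT_ROLE" "$1"
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=%s\n' \
    "$1" "$cra_email" "$RUN_AGENT_ROLE"
  return 1
}

# Usage: check_run_agent my-project-id
```
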

1
votes

You should enable permissions to the Cloud Build service account. It won't work unless you do so.

Google Cloud Console > Cloud Build > Cloud Build Settings > enable access to the GCP services that you are using. (see the images attached)

Cloud Build Panel

Cloud Build Panel - enable services that you want