I have two GCP projects, one for continuous integration builds, and one for the team project.
com-build contains:
- triggers on code-repository
- docker images
service account: [email protected] with roles service-account-administrator and cloudbuild-service-account
g iam service-accounts get-iam-policy [email protected] --project=com-build
--> etag: ACAB
com-project contains:
- templates for VM
- VMs
service account: [email protected] with roles service-account-administrator and compute-instance-administrator
g iam service-accounts get-iam-policy [email protected] --project=com-project
--> etag: ACAB
I set up the cloudbuild.json file to update its container on code push, like this:
{
  "steps": [
    {
      "name": "gcr.io/cloud-builders/docker",
      "args": [
        "build",
        "-t",
        "****:latest",
        "."
      ]
    },
    {
      "name": "gcr.io/cloud-builders/docker",
      "args": [
        "push",
        "***:latest"
      ]
    },
    {
      "name": "gcr.io/cloud-builders/gcloud",
      "args": [
        "compute",
        "instances",
        "update-container",
        "***",
        "--project=com-project",
        "--zone=somewhere"
      ]
    }
  ]
}
I get the following error:
ERROR: (gcloud.compute.instances.update-container) The user does not have access to service account '[email protected]'. User: '[email protected]'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
But both service accounts have the role (I checked 20 times in the IAM settings). Am I missing something?
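The error above is about a resource-level binding: the calling (Cloud Build) service account must hold roles/iam.serviceAccountUser on the VM's service account itself, and `get-iam-policy` on that service account is where such a binding shows up (an etag of ACAB with no bindings is what gcloud prints for an empty policy). The following is an added example, not code from the question or from Google; it checks a policy document in the JSON shape that `gcloud iam service-accounts get-iam-policy SA --format=json` returns, over constructed sample policies. The service-account names, the placeholder etag and the `builder`/`vm-runner` identities are assumptions, since the question's addresses are obfuscated.

```python
"""Check a service account's own IAM policy for the roles/iam.serviceAccountUser
binding that `gcloud compute instances update-container` needs when it runs as
another identity (the Cloud Build service account here).

The policy dicts are constructed samples in the shape of
`gcloud iam service-accounts get-iam-policy SA --format=json`; they are not
output from the projects in the question.
"""

SA_USER_ROLE = "roles/iam.serviceAccountUser"

# Assumed identities (the question's addresses are obfuscated).
BUILDER_SA = "serviceAccount:builder@com-build.iam.gserviceaccount.com"
VM_SA = "vm-runner@com-project.iam.gserviceaccount.com"

# Constructed sample: a policy with no bindings at all. The etag "ACAB" is what
# gcloud prints for an empty policy, matching the output in the question.
EMPTY_POLICY = {"etag": "ACAB"}

# Constructed sample: the same service account after the builder identity has
# been bound to serviceAccountUser on this one resource (placeholder etag).
GRANTED_POLICY = {
    "etag": "PLACEHOLDER-ETAG",
    "bindings": [{"role": SA_USER_ROLE, "members": [BUILDER_SA]}],
}


def members_with_role(policy, role):
    """Return the members bound to `role` in a resource-level IAM policy.

    Conditional bindings are skipped: whether they apply cannot be decided
    offline, so they are not counted as a grant here.
    """
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            members.update(binding.get("members", []))
    return members


def can_act_as(policy, member):
    """True if `member` may act as the service account whose policy this is."""
    return member in members_with_role(policy, SA_USER_ROLE)


def diagnose(policy, member):
    """One-line explanation of why the update-container step passes or fails."""
    if not policy.get("bindings"):
        return (
            "policy on the service account is empty (etag %s): nobody holds %s on "
            "this resource; roles held by the service account itself do not "
            "satisfy this check" % (policy.get("etag", "?"), SA_USER_ROLE)
        )
    if can_act_as(policy, member):
        return "%s holds %s on the service account; actAs succeeds" % (member, SA_USER_ROLE)
    return "%s is not bound to %s on the service account" % (member, SA_USER_ROLE)


def grant_command(target_sa, member, project):
    """Build the gcloud command for the least-privilege fix: bind the role on the
    single target service account, not on the whole project (a project-level
    grant would cover every service account in it)."""
    return (
        "gcloud iam service-accounts add-iam-policy-binding %s "
        "--member=%s --role=%s --project=%s"
        % (target_sa, member, SA_USER_ROLE, project)
    )


if __name__ == "__main__":
    print(diagnose(EMPTY_POLICY, BUILDER_SA))
    print(grant_command(VM_SA, BUILDER_SA, "com-project"))
    print(diagnose(GRANTED_POLICY, BUILDER_SA))
```

Run the printed `add-iam-policy-binding` command against the VM's service account in com-project, then re-run `get-iam-policy` on it: the etag changes from ACAB and the builder identity appears under roles/iam.serviceAccountUser.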
gcloud command (and the commands that you used). – John Hanley

roles/iam.serviceAccountUser to the service account. cloud.google.com/iam/docs/… – John Hanley

[email protected] service account misses the permission to update the container image. At IAM & admin > Roles search for compute.images.update (possibly the permission to execute update-container) to choose one of the available Roles that has this permission – manasouza