Correct permissions for Google Cloud Build to deploy a Cloudfunction in a separate project

3
votes

We have separate GCP projects for "build" and "prod" environments. I would like to use Cloud Build for the "build" project to deploy a Cloud Function in the "prod" project. When following the documentation.

Notably, I added the "Cloud Functions Developer" role to the build service account in the build project and the "IAM Service Account User" role to the [email protected] account as noted in the docs and in this question, when running a build, I get:

ERROR: (gcloud.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[The caller does not have permission]

A simplified example of my cloudbuild.yaml is

steps:
  - name: 'gcr.io/cloud-builders/gcloud'
    args: ['source', 'repos', 'clone', 'a_mirrored_repo', '--project=build-xxxx']

 - name: 'gcr.io/cloud-builders/gcloud'
   args: ['functions', 'deploy', 'some_function', '--trigger-http', '--runtime', 'python37', '--project', 'prod-yyyy']

I am able to deploy my fucntion to prod using the gsutil command line utility from my laptop, and I am able to use my cloudbuild.yaml to deploy this function to the build project. But I'm unsure what roles I need to assign to what accounts to enable the build project to deploy the cloudfunction to the prod project.

1
google-cloud-platformgoogle-cloud-functionsgoogle-cloud-buildgoogle-cloud-iam

1 Answers

2
votes

If you want to deploy the function in the prod project then the Cloud Build service account of the build project must be added as a "Cloud Functions Developer" in the prod project. If I understand your description correctly, then you've set it in the build project.

Specifically: in the GCP console, in the prod project, under IAM > members add a new member named [build-project-id]@cloudbuild.gserviceaccount.com and add the role "Cloud Functions Developer" to this member. At this point attempting to deploy may result in an error message:

ERROR: (gcloud.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[Missing necessary permission iam.serviceAccounts.actAs for [email protected] on project prod-xxxx.

Please grant [email protected] the roles/iam.serviceAccountUser role.

You can do that by running 'gcloud projects add-iam-policy-binding prod-xxxx [email protected] --role=roles/iam.serviceAccountUser'

The command suggested in the error message is slightly incorrect. The correct syntax is:

gcloud projects add-iam-policy-binding prod-xxxx --member='serviceAccount:[build-project-number]@cloudbuild.gserviceaccount.com' --role='roles/iam.serviceAccountUser'