5
votes

I'm trying to configure Cloud Build triggers which build a Maven Spring Boot project and then deploy it to Cloud Run. I run into a problem where it works when I don't specify the Cloud SQL instance to be connected with, but when I add "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}" as one of the args, it throws an error on Cloud Build as follows:

Step #1: ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission
Finished Step #1
ERROR
ERROR: build step 1 "gcr.io/cloud-builders/gcloud" failed: exit status 1

Following is my cloudbuild.yml

steps:
  - name: 'gcr.io/kaniko-project/executor:latest'
    args:
      - --destination=gcr.io/$PROJECT_ID/${_IMAGE_NAME}
      - --cache=true
  - name: 'gcr.io/cloud-builders/gcloud'
    args: [
      "beta", "run",
      "deploy", "${_SERVICE_NAME}-${_PROFILE}",
      "--image", "gcr.io/${PROJECT_ID}/${_IMAGE_NAME}",
      "--region", "${_REGION}",
      "--platform", "managed",
      "--set-cloudsql-instances", "${_DATABASE_CONNECTION_NAME}",
      "--allow-unauthenticated",
      "--set-env-vars", "SPRING_PROFILES_ACTIVE=${_SPRING_PROFILE},DATABASE_CONNECTION_NAME=${_DATABASE_CONNECTION_NAME},DATABASE_NAME=${_DATABASE_NAME},DATABASE_USERNAME=${_DATABASE_USERNAME},DATABASE_PASSWORD=${_DATABASE_PASSWORD},MINIO_ACCESS_KEY=${_MINIO_ACCESS_KEY},MINIO_SECRET_KEY=${_MINIO_SECRET_KEY},MINIO_HOSTNAME=${_MINIO_HOSTNAME},MINIO_PORT=${_MINIO_PORT}"
    ]
images:
  - gcr.io/${PROJECT_ID}/${_IMAGE_NAME}

and I already set roles/permissions for the service accounts as follows:

  • {PROJECT_ID}[email protected] : Editor, Cloud Sql Client <-- Default SA
  • <Cloud run service agent> : Cloud Run Service Agent, Cloud SQL Client
  • <Cloud Build SA> : Cloud Build SA, Cloud Run Admin

My Cloud Run service also uses the default service account as its SA.

2
Is your command working if you run it manually? - guillaume blaquiere
@guillaumeblaquiere I'm not sure about locally, but using the Cloud Run console page to deploy, it works. - hackinteachk
@guillaumeblaquiere updated: I can deploy it locally and manually from the Cloud Run console too. - hackinteachk
@JohnHanley 1) What Cloud SQL permission should I grant? (I tried Cloud SQL Admin and it still doesn't work.) 2) Just to make sure, the default Cloud Run SA has only the Cloud Run Service Agent role, right? - hackinteachk
1) You need the permissions cloudsql.instances.connect and cloudsql.instances.get, which are in the role roles/cloudsql.client (Cloud SQL Client). 2) I don't remember what the Cloud Run Service Agent roles are set to by default. 3) You do not state what you are doing with Cloud SQL, so you may need more permissions. Start with roles/cloudsql.editor and then adjust down once you have everything working. Review the documentation so that you understand Cloud SQL permissions: cloud.google.com/sql/docs/mysql/project-access-control - John Hanley

2 Answers

5
votes

Make sure you've also given the Cloud Build Service Account the iam.serviceAccountUser role, allowing it to impersonate the Cloud Run runtime service account during the build.

# Grant the Cloud Build SA (--member) the right to act as the runtime SA (positional arg)
gcloud iam service-accounts add-iam-policy-binding \
  [email protected] \
  --member="serviceAccount:[email protected]" \
  --role="roles/iam.serviceAccountUser"

See Cloud Run deployment permissions for more info.
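A pre-flight check for the three grants this deploy path depends on (Cloud Build SA can deploy, runtime SA can reach Cloud SQL, Cloud Build SA can act as the runtime SA), written as an added example rather than anything from the answer above; the policy documents and account names are constructed placeholders in the shape `gcloud ... get-iam-policy --format=json` returns.

```python
import json

# Constructed sample policies in the shape returned by
# `gcloud projects get-iam-policy PROJECT --format=json` and
# `gcloud iam service-accounts get-iam-policy SA --format=json`.
# Account names are placeholders, not values from the question.
BUILD_SA = "serviceAccount:123456@cloudbuild.gserviceaccount.com"
RUNTIME_SA = "serviceAccount:runtime-sa@example-project.iam.gserviceaccount.com"

PROJECT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudsql.client",
     "members": ["serviceAccount:runtime-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/run.admin",
     "members": ["serviceAccount:123456@cloudbuild.gserviceaccount.com"]}
  ]
}
""")

# The runtime SA's own policy: no "act as" grant yet, which is the failure mode above.
RUNTIME_SA_POLICY = json.loads('{"bindings": []}')


def has_binding(policy, member, role):
    """True if `member` is listed under `role` in an IAM policy document."""
    return any(
        b.get("role") == role and member in b.get("members", [])
        for b in policy.get("bindings", [])
    )


def deploy_preflight(project_policy, runtime_sa_policy, build_sa, runtime_sa):
    """Return the grants still missing for a Cloud Build -> Cloud Run deploy
    that attaches a Cloud SQL instance. An empty list means ready."""
    checks = [
        # Cloud Build must be allowed to deploy the service at all.
        (project_policy, build_sa, "roles/run.admin"),
        # The runtime SA (not the build SA) is what connects to Cloud SQL.
        (project_policy, runtime_sa, "roles/cloudsql.client"),
        # Cloud Build must be allowed to act as the runtime SA it attaches.
        (runtime_sa_policy, build_sa, "roles/iam.serviceAccountUser"),
    ]
    return [f"{member} lacks {role}"
            for policy, member, role in checks
            if not has_binding(policy, member, role)]


if __name__ == "__main__":
    for problem in deploy_preflight(PROJECT_POLICY, RUNTIME_SA_POLICY, BUILD_SA, RUNTIME_SA):
        print("missing:", problem)
```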

0
votes

I am using a service account to deploy a Cloud Run function with SQL connections. I found that the service account needs the following permissions:

  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list