2
votes

I am trying to get a Google Cloud Function to print something from a file in a storage bucket. I have the file stored in a bucket, an authenticated service account with Storage Admin, Cloud Run Admin, Service Account User and Cloud Functions Admin, and the following Python script.

import json

from google.cloud import storage


def from_storage(request):
    # An HTTP-triggered function receives a single Flask `request` argument;
    # the (event, context) signature is for background (event) triggers.
    client = storage.Client(project='my-project')
    try:
        bucket = client.get_bucket('my-storage')
    except Exception as e:
        print('Bucket not found.')
        print(e)
        return ('Bucket not found.', 500)  # without this, `bucket` is unbound below
    try:
        blob = bucket.blob('Hello_World.json')
        # download_as_text() returns a str; json.load() expects a file object,
        # so parse the string with json.loads() instead.
        data = json.loads(blob.download_as_text())
        return data  # a dict is serialised to a JSON response
    except Exception as e:
        print('Error loading file:')
        print(e)
        return ('Error loading file.', 500)

I try to deploy this with the following code:

gcloud functions deploy from_storage --runtime python39 --trigger-http --allow-unauthenticated

I then get an error that the deploying service account (which seems to be an automatically created service account) does not have storage.objects.get permissions:

ERROR: (gcloud.functions.deploy) OperationError: code=3, message=Build failed: could not resolve storage source: googleapi: Error 403: [email protected] does not have storage.objects.get access to the Google Cloud Storage object., forbidden

I find this rather strange, as I do not see this service account in my IAM, nor can I access its permissions in Cloud Functions. Any help would be greatly appreciated!

3
If after re-enabling the Cloud Build API you still don’t see its service account, please add it manually through the “IAM & Admin” -> “IAM” page granting it the Cloud Build Service Account role. - Mahboob
Re-enabling did the job. I had the Cloud Build API enabled before already, any idea why the corresponding service account didn't appear? - Niels Uitterdijk
I got this error too. 20 Apr 2021 - cryanbhu

3 Answers

3
votes

I would guess that [email protected] is a Cloud Build service account, where the prefix (number) is the number of the project in which that Cloud Build is running. Can you check that the Cloud Build API is enabled, and that the Cloud Build service account has the relevant permissions, please?

During the runtime, by default, the cloud function is running under the [email protected] service account, where PROJECT_ID is the ID of the project in which that cloud function is deployed (and should run). This is an App Engine default service account.

It is possible (and recommended) to create a dedicated service account according to the principle of least privilege. In that case you might deploy the cloud function with the corresponding arguments (not in your example).

To the best of my understanding of your particular example, the default App Engine service account is going to be used.

In either case, the cloud function runtime service account should have relevant privileges (IAM permissions/roles) to work with APIs and resources (in any projects).

Can you check that the cloud function runtime service account has the relevant permissions for accessing the cloud storage bucket, please? Bear in mind that the cloud function might be deployed into one project, and the bucket might be in another project.

In your post you mentioned that you have "an authenticated service account with" some permissions. What is that service account for, if you deploy your service account with the default App Engine Account? Probably I missed something. "In order to deploy a function with a non-default service account, the deployer must have the iam.serviceAccounts.actAs permission on the service account being deployed." - from Permissions required to use non-default identities. If that is your case, can you check it as well, please?

2
votes

If you couldn't see “[email protected]” listed among the other service accounts, then I believe that something went wrong when activating the Cloud Build API. Could you please disable the Cloud Build API and then enable it again to see if it resolves the issue?

If after re-enabling the Cloud Build API you still don’t see its service account, please add it manually through the “IAM & Admin” -> “IAM” page granting it the Cloud Build Service Account role.
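The two answers above hinge on telling apart the identity that fails at deploy time (the Cloud Build service account, PROJECT_NUMBER@cloudbuild.gserviceaccount.com, which needs the Cloud Build Service Account role on the project) from the identity that fails at runtime (by default the App Engine default service account, PROJECT_ID@appspot.gserviceaccount.com, which needs read access on the data bucket). The helper below is an added example, not code from the question or from either answer: it parses a 403 denial of the shape shown in the question, classifies the denied principal, and prints the narrowest grant that fixes it. The project number, bucket name and both error strings are constructed samples, and the PROJECT_ID placeholder in the deploy-time fix stands for whatever the redacted addresses above belong to.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample of the 403 that `gcloud functions deploy` prints when the
# Cloud Build service account cannot read the uploaded function source.
# The project number is made up.
SAMPLE_DEPLOY_ERROR = (
    "ERROR: (gcloud.functions.deploy) OperationError: code=3, message=Build failed: "
    "could not resolve storage source: googleapi: Error 403: "
    "123456789012@cloudbuild.gserviceaccount.com does not have storage.objects.get "
    "access to the Google Cloud Storage object., forbidden"
)

# Constructed sample of the runtime-side failure: the App Engine default service
# account the function runs as cannot read the application's own bucket.
SAMPLE_RUNTIME_ERROR = (
    "403 GET https://storage.googleapis.com/storage/v1/b/my-storage/o/Hello_World.json?alt=media: "
    "my-project@appspot.gserviceaccount.com does not have storage.objects.get "
    "access to the Google Cloud Storage object."
)

# "<principal> does not have <permission> access" is the common core of these
# denials, whether they come from gcloud or from the client library.
_DENIAL_RE = re.compile(
    r"(?P<principal>[A-Za-z0-9._-]+@[a-z0-9.-]+\.gserviceaccount\.com)"
    r" does not have (?P<permission>[a-z]+(?:\.[A-Za-z]+){2}) access"
)
# Client-library errors embed the JSON API URL, from which the bucket can be read.
_BUCKET_RE = re.compile(r"storage\.googleapis\.com/storage/v1/b/(?P<bucket>[^/?\s]+)")


@dataclass
class Finding:
    principal: str
    permission: str
    identity: str          # which Google-managed identity this is
    phase: str             # "deploy" (build) or "runtime" (function execution)
    bucket: Optional[str]  # only known when the error carries the API URL
    fix: str               # least-privilege remediation command


def classify_principal(email: str) -> Tuple[str, str]:
    """Map a service-account e-mail to (identity description, phase)."""
    local, _, domain = email.partition("@")
    if domain == "cloudbuild.gserviceaccount.com" and local.isdigit():
        return "Cloud Build service account (PROJECT_NUMBER@cloudbuild...)", "deploy"
    if domain == "appspot.gserviceaccount.com":
        return "App Engine default service account (PROJECT_ID@appspot...)", "runtime"
    if domain == "developer.gserviceaccount.com" and local.endswith("-compute"):
        return "Compute Engine default service account", "runtime"
    return "user-managed service account", "runtime"


def suggest_fix(principal: str, phase: str, permission: str, bucket: Optional[str]) -> str:
    if phase == "deploy":
        # The build identity gets roles/cloudbuild.builds.builder automatically when
        # the Cloud Build API is enabled; re-enabling the API or adding the role by
        # hand (as the answers describe) restores it. PROJECT_ID is a placeholder.
        return (
            "gcloud projects add-iam-policy-binding PROJECT_ID "
            f"--member=serviceAccount:{principal} --role=roles/cloudbuild.builds.builder"
        )
    # Runtime identity: grant read on the one bucket rather than Storage Admin
    # project-wide. get_bucket() needs storage.buckets.get, which objectViewer
    # lacks; legacyBucketReader covers bucket metadata and object listing.
    target = f"gs://{bucket}" if bucket else "gs://BUCKET_NAME"
    role = ("roles/storage.objectViewer" if permission.startswith("storage.objects.")
            else "roles/storage.legacyBucketReader")
    return f"gsutil iam ch serviceAccount:{principal}:{role} {target}"


def diagnose(error_text: str) -> Optional[Finding]:
    """Return a Finding for a recognised 403 denial, or None if the text is not one."""
    m = _DENIAL_RE.search(error_text)
    if not m:
        return None
    principal, permission = m.group("principal"), m.group("permission")
    identity, phase = classify_principal(principal)
    b = _BUCKET_RE.search(error_text)
    bucket = b.group("bucket") if b else None
    return Finding(principal, permission, identity, phase, bucket,
                   suggest_fix(principal, phase, permission, bucket))


if __name__ == "__main__":
    for text in (SAMPLE_DEPLOY_ERROR, SAMPLE_RUNTIME_ERROR):
        f = diagnose(text)
        print(f"{f.phase:7} {f.identity}\n        needs {f.permission}\n        fix:  {f.fix}\n")
```

Two points the triage makes concrete: the Storage Admin role the question grants to a hand-made service account does nothing for either failing identity unless that account is actually the one deploying (which needs iam.serviceAccounts.actAs, as quoted above) or the one the function runs as (`gcloud functions deploy --service-account=EMAIL`). And for the runtime side, `client.bucket('my-storage')` builds the bucket handle without an API call, so a function that only reads objects can get by with roles/storage.objectViewer instead of the broader bucket-metadata permission that `get_bucket()` requires.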

0
votes

Refer to: Configure Access for Cloud Build Service Account, and this link, which explains the permissions the automatically created Cloud Build Service Account starts with (granted upon automatic creation).

From my experience and what I guess is going on behind the scenes, I got this error, and you might have too, because you are using the Cloud Build service for the first time. So I got the error on the first run of my script, but on subsequent runs the error is gone. This means it takes time for the permission grants to take effect on the servers.