Permission Denied Error while deploying Gen2 Cloud Function - google-cloud-platform

We have developed a cloud function based on the given requirements and did initial verification with 1st Gen, which went fine. But a few modifications were required that needed additional processing time, so we had to switch to --gen2.
Below is the gcloud functions deploy command.
gcloud functions deploy gen2-function \
--entry-point gen2 --runtime python37 --trigger-http --allow-unauthenticated \
--service-account=<> --region=<> --project=<> --timeout=3600s --gen2
This command deploys the function (and, internally, the Cloud Run service) successfully, but it fails at the end with the error below:
[INFO] A new revision will be deployed serving with 100% traffic.
ERROR: (gcloud.functions.deploy) PERMISSION_DENIED: Permission 'run.services.setIamPolicy' denied on resource 'projects/<project>/locations/<region>/services/gen2-function' (or resource may not exist).
When we checked on cloud run, service name "gen2-function" does exist.
Can someone guide on this?

The account deploying the function is missing the permission run.services.setIamPolicy. That permission is required to specify the command argument --allow-unauthenticated.
That permission is in the role roles/run.admin.
Refer to this documentation on how to add a role to the account:
Grant a single role using the GUI
Grant or revoke multiple roles

Related

Google cloud credentials for deploying cloud run service in CI pipeline

I am attempting to deploy a Cloud Run service from source from a GitLab CI pipeline. I can deploy it manually, with my own credentials, but am struggling to give the right credentials to the CI pipeline to get it to deploy.
These are the commands in my pipeline:
gcloud auth activate-service-account --key-file $CLOUD_RUN_CREDENTIALS
gcloud run deploy api --source=./api/ --region=us-cental1
CLOUD_RUN_CREDENTIALS is a pipeline file variable that contains the key for a service account I have created for this purpose. The service account has the following roles:
Cloud Build Editor role
Artifact Registry Admin role
Storage Admin role
Cloud Run Admin role
Service Account User role
In the Cloud Build settings I have enabled Cloud Run Admin and Service Account User.
When I run this GitLab job, I get the following error:
$ gcloud auth activate-service-account --key-file $CLOUD_RUN_CREDENTIALS
Activated service account credentials for: [XXXXXXXXXXX@XXXXXXXXXX.iam.gserviceaccount.com]
$ gcloud run deploy api --source=./api/ --region=us-cental1
ERROR: Error in retrieving repository from Artifact Registry.
ERROR: (gcloud.run.deploy) INVALID_ARGUMENT: Request contains an invalid argument.
Is this a permissions issue? What permissions do I need to give this service account to allow the deployment to succeed? If not, what am I doing wrong?
If you use the Build from Source feature, the Cloud Build service account is the one used to perform certain actions, like pulling and pushing images from Artifact Registry.
You have to grant the Cloud Build service account (the one called PROJECT_NUMBER@cloudbuild.gserviceaccount.com) the required permissions.
Go to IAM, look for the Cloud Build service account and grant it the permissions you listed above. That should solve the issue.
The service account used from GitLab doesn't need all of these permissions; Cloud Run Admin should be enough.

How to add GCP role to the grantable list?

I am trying to get a service account set up in GCP so I can use
docker pull
from my personal shell as well as from Google Cloud Shell, where it works automagically.
I tried this:
gcloud projects add-iam-policy-binding myProject --member=serviceAccount:dockerdude --role=roles/container.admin
But I got this not-very-helpful error:
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Invalid service account (dockerdude).
I found the problem: this role isn't grantable ... I used the command
gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/myProject
... and indeed the role container.admin isn't in the list.
My question: how do I make this role grantable? Or is there some other way to get what I'm looking for (docker pull permission from user shells as well as from Google Cloud Shell)?
Thanks much for any insight into this problem whatsoever!
You can use this reference to write your command interactively, Granting a Single Role:
Note: If you want to identify a service account just after it is created, use the numeric ID rather than the email address to ensure that it is reliably identified.
gcloud iam service-accounts add-iam-policy-binding ServiceAccount_ID \
--member=PRINCIPAL --role=ROLE_ID \
--condition=CONDITION
Some missing parameters, but should be…
gcloud iam service-accounts add-iam-policy-binding my-service-account@my-project.iam.gserviceaccount.com \
--member=serviceAccount:dockerdude@example.com --role=roles/container.clusterAdmin
Also check this very good explanation of service accounts, which can be described as both an identity and a resource; check the full question for more details:
You have to read the command like this
gcloud <resourceType> add-iam-policy-binding <resourceName> --member=<accountToGrantOnTheResource> --role=<roleToGrantOnTheResource>
Additionally, read this question related to list-grantable-roles command:
They can also be listed:
gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID

What IAM permissions do I need for a service key that can run "gcloud builds submit" and "gcloud run deploy"?

I'm trying to figure out the absolute minimum set of IAM permissions I need to assign to a service key that will be used to run the following commands:
gcloud builds submit --tag gcr.io/MYPROJECT/MYNAME
gcloud run deploy --allow-unauthenticated --platform=managed --image gcr.io/MYPROJECT/MYNAME ...
I've had a lot of trouble figuring out IAM, so the more detailed instructions anyone can give me the better!
Here's what I've figured out so far (I ended up going with way more open permissions than I wanted): https://simonwillison.net/2020/Jan/21/github-actions-cloud-run/#google-cloud-service-key
I'm actually running these commands inside a Python script - relevant code is here: https://github.com/simonw/datasette/blob/07e208cc6d9e901b87552c1be2854c220b3f9b6d/datasette/publish/cloudrun.py#L134-L141
I understand you are running these commands with a service account, and your goal is to determine the minimal set of IAM permissions to assign to this service account so that it can build and deploy. I am going to list a set of minimal IAM roles (not IAM permissions).
To run gcloud builds submit --tag gcr.io/MYPROJECT/MYNAME, you need:
roles/cloudbuild.builds.editor to trigger the build
roles/storage.admin to push the image
To run gcloud run deploy --allow-unauthenticated --platform=managed --image gcr.io/MYPROJECT/MYNAME ... you need:
roles/run.admin (to deploy and allow allUsers to access the service)
roles/iam.serviceAccountUser (because the code will then run under a service account, so the service account used to deploy needs to also be able to "act as" the runtime service account)
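The two threads above (the gen2 deploy failing on run.services.setIamPolicy, and the minimal role set for gcloud builds submit plus gcloud run deploy) both come down to the same question: which roles does the deploying service account hold unconditionally, and which of the required ones are missing? The script below is an added example, not code from either answer. It audits the JSON that gcloud projects get-iam-policy PROJECT_ID --format=json prints for a given member, reports the required roles that are missing and flags basic roles (owner/editor) that a CI credential should never carry. The sample policy, the project name my-project and the two service-account names are constructed for the demonstration; the required-role set is the one listed in the answer above.

```python
"""Audit a GCP project IAM policy for a CI / deployer service account.

Added example (not from the original answers). Input is the JSON that
`gcloud projects get-iam-policy PROJECT_ID --format=json` prints. The policy
below, the project `my-project` and the member names are constructed.
"""
import json

# Roles the answer above lists for `gcloud builds submit` + `gcloud run deploy`.
REQUIRED_DEPLOYER_ROLES = {
    "roles/cloudbuild.builds.editor",  # trigger the build
    "roles/storage.admin",             # push the image
    "roles/run.admin",                 # deploy; includes run.services.setIamPolicy for --allow-unauthenticated
    "roles/iam.serviceAccountUser",    # "act as" the runtime service account
}
# Basic roles that no CI credential should carry.
OVERBROAD_ROLES = {"roles/owner", "roles/editor"}


def roles_for_member(policy, member):
    """Return the set of roles bound unconditionally to `member`.

    Bindings carrying a `condition` are skipped on purpose: a conditional
    grant may not apply at deploy time, so it does not satisfy a requirement.
    """
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def audit_deployer(policy_json, member, required=REQUIRED_DEPLOYER_ROLES):
    """Compare what `member` holds against `required`; sorted lists for stable output."""
    policy = json.loads(policy_json)
    held = roles_for_member(policy, member)
    return {
        "held": sorted(held),
        "missing": sorted(required - held),
        "overbroad": sorted(held & OVERBROAD_ROLES),
    }


# Constructed sample: the deployer has everything except an unconditional
# roles/run.admin (it only holds it under an expired condition), and an old
# CI account still carries roles/editor.
DEPLOYER = "serviceAccount:deployer@my-project.iam.gserviceaccount.com"
LEGACY_CI = "serviceAccount:legacy-ci@my-project.iam.gserviceaccount.com"

SAMPLE_POLICY = json.dumps({
    "version": 3,
    "etag": "BwXexample=",
    "bindings": [
        {"role": "roles/cloudbuild.builds.editor", "members": [DEPLOYER]},
        {"role": "roles/storage.admin", "members": [DEPLOYER]},
        {"role": "roles/iam.serviceAccountUser", "members": [DEPLOYER]},
        {"role": "roles/run.admin", "members": [DEPLOYER],
         "condition": {"title": "expired",
                       "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")'}},
        {"role": "roles/editor", "members": [LEGACY_CI]},
    ],
})

if __name__ == "__main__":
    for member in (DEPLOYER, LEGACY_CI):
        print(member)
        print(json.dumps(audit_deployer(SAMPLE_POLICY, member), indent=2))
```

For the deployer the report lists roles/run.admin as missing, which is exactly the state that produces the run.services.setIamPolicy error in the first question. One least-privilege refinement the audit does not capture: roles/iam.serviceAccountUser granted at project level lets the deployer act as every service account in the project, so prefer binding it on the runtime service account only (gcloud iam service-accounts add-iam-policy-binding RUNTIME_SA --member=... --role=roles/iam.serviceAccountUser).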

Permission error when trying to deploy to Google Cloud Run

I'm getting a permission error when trying to deploy an image to cloud run:
gcloud beta run deploy endpoints_proxy \
--image="gcr.io/endpoints-release/endpoints-runtime-serverless:1.30.0" \
--allow-unauthenticated
This is the error:
ERROR: (gcloud.beta.run.deploy) User [email-goes-here] does not have permission to access namespace [project-id-goes-here] (or it may not exist): Cloud Run does not have permission to get access tokens for the default compute service account, 1088973916567-compute@developer.gserviceaccount.com. Please give Google Cloud Run Service Agent the permission iam.serviceAccounts.getAccessToken on the default compute service account.
My account has owner and editor permissions, I even tried attaching the Cloud Run Service Agent role.
I also tried adding these roles to the "default compute service account" listed in the error, didn't work.
The error message is very misleading, the error occurs because the Cloud Run Service Agent was missing.
After creating the following service account:
Name: service-<account-id>@serverless-robot-prod.iam.gserviceaccount.com
Role: Google Cloud Run Service Agent
The problem got solved. Looks like Cloud Run needs this service account to work, so don't ever delete it :)
You should enable permissions to the Cloud Build service account.
It won't work unless you do so.
Google Cloud Console > Cloud Build > Cloud Build Settings > enable access to the GCP services that you are using.
(see the attached images: "Cloud Build Panel" and "Cloud Build Panel - enable services that you want")
Also, just make sure billing hasn't expired. When mine did, I got these opaque errors (such as this one) that didn't reference to billing in any way.
If the service-<project-id>@serverless-robot-prod.iam.gserviceaccount.com is not present in the GCP console, just run this command:
gcloud projects add-iam-policy-binding --member=serviceAccount:service-<project-id>@serverless-robot-prod.iam.gserviceaccount.com --role=roles/run.serviceAgent <project-id>

Missing Cloud Function User Agent role in Google Cloud IAM

I'm working on a series of Cloud Functions in one Google Cloud project and, for some reason, I suddenly get this error:
Deployment failure:
Missing necessary permission resourcemanager.projects.getIamPolicy for service-1092904037961@gcf-admin-robot.iam.gserviceaccount.com on resource projects/la-cloud-functions. Please grant service-1092904037961@gcf-admin-robot.iam.gserviceaccount.com the Cloud Functions Service Agent role. You can do that by running 'gcloud iam service-accounts add-iam-policy-binding projects/la-cloud-functions --member=service-1092904037961@gcf-admin-robot.iam.gserviceaccount.com --role=Cloud Functions Service Agent'
Besides the badly formatted error response (you can't have --role=Cloud Functions Service Agent - it should be --role=roles/cloudfunctions.serviceAgent), when I try to run the amended command:
gcloud iam service-accounts add-iam-policy-binding projects/la-cloud-functions --member=service-1092904037961@gcf-admin-robot.iam.gserviceaccount.com --role=roles/cloudfunctions.serviceAgent
I get this error:
The requested URL /v1/projects/la-cloud-functions/serviceAccounts/projects/la-cloud-functions:getIamPolicy?alt=json was not found on this server.
Finally, trying to assign the Cloud Functions Service Agent role through the console gave me another surprise - the role is missing from the list, where it should be under Service Management:
I have tried to reset the service account by re-enabling the Cloud Functions API with this command:
gcloud services enable cloudfunctions.googleapis.com
But again, no success.
Anyone have any ideas on how to fix this problem and make the Cloud Functions Service Agent role available again?
TIA - Joe
Try the following steps to solve this:
Disable Cloud Functions API:
gcloud services disable cloudfunctions.googleapis.com --project la-cloud-functions
Wait about a minute for the disable to complete.
Delete the cloud functions member account using the CLI or using the GCP Console under IAM.
gcloud projects remove-iam-policy-binding la-cloud-functions --member="serviceAccount:service-1092904037961@gcf-admin-robot.iam.gserviceaccount.com" --role="roles/cloudfunctions.serviceAgent"
Wait about a minute. Then verify that this member has been removed in the GCP Console under IAM.
Enable Cloud Functions API:
gcloud services enable cloudfunctions.googleapis.com --project la-cloud-functions
Go back to the GCP Console. You should find a new Google Cloud Functions Service Agent member.
Note:
You are using the wrong command to add cloudfunctions.serviceAgent. Here is the correct command:
gcloud projects add-iam-policy-binding la-cloud-functions --member="serviceAccount:service-1092904037961@gcf-admin-robot.iam.gserviceaccount.com" --role="roles/cloudfunctions.serviceAgent"
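The last two threads (the missing Cloud Run service agent and the missing Cloud Functions service agent) share one failure mode: a Google-managed service agent has lost its roles/*.serviceAgent binding on the project, and the error text that reports it prints a role display name and a bare e-mail rather than values gcloud accepts. The script below is an added example, not code from the questions or answers. Given the JSON from gcloud projects get-iam-policy PROJECT_ID --format=json and the project number, it derives the two service-agent identities discussed above, checks that each holds its service-agent role, and prints remediation commands in the corrected form from the answer (roles/<id> for the role, serviceAccount:<email> for the member, the project as the resource). Note that the agent e-mails are built from the project number, as in the error message above, not the project ID. The sample policy and the project number 123456789012 are constructed; the project ID la-cloud-functions is the one from the question.

```python
"""Verify Cloud Run / Cloud Functions service-agent bindings on a project
and emit correctly formatted gcloud remediation commands.

Added example, not from the original question or answers. Input is the JSON
of `gcloud projects get-iam-policy PROJECT_ID --format=json`. The sample
policy and the project number 123456789012 are constructed for the demo.
"""
import json

# Service agents the threads above revolve around, keyed by the role each one
# must hold. The e-mail is derived from the project NUMBER, not the project ID.
SERVICE_AGENTS = {
    "roles/run.serviceAgent": "service-{n}@serverless-robot-prod.iam.gserviceaccount.com",
    "roles/cloudfunctions.serviceAgent": "service-{n}@gcf-admin-robot.iam.gserviceaccount.com",
}


def expected_service_agents(project_number):
    """Map each service-agent role to the agent e-mail expected on this project."""
    return {role: tmpl.format(n=project_number) for role, tmpl in SERVICE_AGENTS.items()}


def missing_service_agent_bindings(policy_json, project_number):
    """Return {role: agent_email} for every agent that lacks its service-agent role.

    Only an exact (role, serviceAccount:email) pair counts: an agent that is
    still a project member under some other role (e.g. roles/editor) is still
    reported as missing, because the *.serviceAgent role is what the API checks.
    """
    policy = json.loads(policy_json)
    bound = {(b["role"], m) for b in policy.get("bindings", []) for m in b.get("members", [])}
    return {
        role: email
        for role, email in expected_service_agents(project_number).items()
        if (role, "serviceAccount:" + email) not in bound
    }


def remediation_commands(project_id, missing):
    """Build the `gcloud projects add-iam-policy-binding` command per missing agent.

    Unlike the text in the deployment error, this uses roles/<id>, prefixes the
    member with serviceAccount:, and targets the project (not a service account).
    """
    return [
        f'gcloud projects add-iam-policy-binding {project_id} '
        f'--member="serviceAccount:{email}" --role="{role}"'
        for role, email in sorted(missing.items())
    ]


# Constructed sample: the Cloud Run agent is bound correctly; the Cloud
# Functions agent is still a member, but only on roles/editor.
PROJECT_NUMBER = "123456789012"
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXexample=",
    "bindings": [
        {"role": "roles/run.serviceAgent",
         "members": ["serviceAccount:service-123456789012@serverless-robot-prod.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:service-123456789012@gcf-admin-robot.iam.gserviceaccount.com"]},
    ],
})

if __name__ == "__main__":
    missing = missing_service_agent_bindings(SAMPLE_POLICY, PROJECT_NUMBER)
    for cmd in remediation_commands("la-cloud-functions", missing):
        print(cmd)
```

If a service agent is absent from the policy entirely (not just mis-bound), re-binding it as above is the fix; the disable/enable cycle in the answer only recreates the agent when the API has never been enabled since the binding was removed, so check the policy first rather than toggling the API in a project with live functions.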