-2

I have a Github Action to submit my source-code to Google Cloud Build. The submission does work. The Cloud Build job is being triggered.

However the Github Action exits with an error. This is the error message:

ERROR: (gcloud.builds.submit) HTTPError 403: <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>*** does not have storage.objects.get access to the Google Cloud Storage object.</Details></Error>

I am using a custom service account. These are the roles I've assigned to it. I have no idea why the error is still thrown.

Cloud Build Service Account
Cloud Build Viewer
Environment User and Storage Object Viewer
Cloud Storage for Firebase Viewer
Storage Object Viewer

I read in another question that this issue has been solved by providing the role Viewer, but a role just called Viewer does not exist - at least not in my role listing.

A little side question:

Is there a way to check what role is needed for a given cloud action? For example, seeing storage.objects.get in my logs, I'd like to see which roles provide access to it.

xetra11
  • 7,671
  • 14
  • 84
  • 159
  • `roles/viewer` is explained in [this documentation](https://cloud.google.com/iam/docs/understanding-roles#basic-definitions). – Jofre Jul 08 '21 at 13:17
  • Also you can see the role in the console [here](https://console.cloud.google.com/iam-admin/roles/details/roles) – Jofre Jul 08 '21 at 13:20
  • @Jofre that was actually the solution! I do not understand what is happening. Why does it work with "Viewer" but not with "Storage Object Viewer" or even "Storage Admin"? I can't grasp the concept behind that – xetra11 Jul 08 '21 at 13:27
  • I'm adding an answer with some info on that. – Jofre Jul 08 '21 at 14:30

3 Answers

2

On the IAM roles within GCP, ensure you have storage.objects.get added via roles/storage.objectViewer to the correct user/account. You can find all IAM roles listed here: https://cloud.google.com/storage/docs/access-control/iam-roles

If all the roles check out, it's most likely an authentication issue with the service account, and it is simply authenticating with old or incorrect credentials.

DIGI Byte
  • 4,225
  • 1
  • 12
  • 20
  • What do you mean by incorrect credentials? I am using the service account via Github Actions and using the service account key. I was not changing the key - and as I said the submission to cloud run works fine. How is it possible that just one thing can work here? As you can see above I have set the "Storage Object Viewer" role. This should be sufficient right? – xetra11 Jul 08 '21 at 10:20
1

For your side question, you can use the IAM Policy Troubleshooter directly from the console. Set your principal (email), the resource and the permission. You will immediately know if it's OK or not.

However, as said by DIGI, I know you don't use the correct credential.

guillaume blaquiere
  • 66,369
  • 2
  • 47
  • 76
1

The other question mentioned by the OP was referencing the role roles/viewer, which is viewer in all resources for a project, rather than a more specific viewer role like roles/storage.objectViewer.

Note that the amount of permissions in each role is very different, and there might be a permission in the roles/viewer role that is not available in roles/storage.objectViewer, but it's needed for the build to work.

I'm guessing at some point the account tries to execute a buckets.get, and since the roles/storage.objectViewer role does not have the explicit storage.buckets.get permission, it gives an access error. That permission is granted with the roles/viewer project role [1].

In any case, the roles/viewer role can be found through the console here, or through the SDK with a command like this one:

gcloud projects add-iam-policy-binding <YOUR_PROJECT> --member='serviceAccount:<YOUR_SERVICE_ACCOUNT>@<YOUR_PROJECT>.iam.gserviceaccount.com' --role='roles/viewer'

[1] I'm just guessing, but the missing permission could be any other of the hundreds available to roles/viewer and missing from the other roles.

Jofre
  • 3,718
  • 1
  • 23
  • 31
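The following shell script is an added example, not code from the thread or from Google; it shows how to do from the SDK what guillaume's answer points to in the console (the Policy Troubleshooter) and how to confirm Jofre's guess about which role carries a permission. It assumes `gcloud iam roles describe` and `gcloud policy-troubleshoot iam` are available in the installed SDK; the script name `iam_check.sh` is hypothetical, and the role and permission names are the ones discussed above.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): answer "which of these roles includes
# permission X?" and "does this principal hold permission X on the project?"
set -eu

# Wraps `gcloud iam roles describe`; the value() format joins list items with ';'.
# Override this function with cached output to run the role comparison offline.
describe_role() {
  gcloud iam roles describe "$1" --format='value(includedPermissions)'
}

# Prints, one per line, every role given after the permission whose
# includedPermissions list contains that exact permission string.
roles_with_permission() {
  perm="$1"
  shift
  for role in "$@"; do
    # grep -x matches the whole line, so storage.objects.get does not match
    # storage.objects.getIamPolicy; read all input to avoid a broken pipe.
    if describe_role "$role" | tr ';' '\n' | grep -x -- "$perm" >/dev/null; then
      printf '%s\n' "$role"
    fi
  done
}

# Same check as the console's Policy Troubleshooter, for one principal on one
# project. Resource name format: //cloudresourcemanager.googleapis.com/projects/PROJECT_ID
troubleshoot_permission() {
  project="$1"
  principal="$2"
  perm="$3"
  gcloud policy-troubleshoot iam \
    "//cloudresourcemanager.googleapis.com/projects/${project}" \
    --principal-email="${principal}" \
    --permission="${perm}"
}

# Usage (only runs when arguments are given, so the file can also be sourced):
#   ./iam_check.sh storage.buckets.get roles/viewer roles/storage.objectViewer
# The expected result, given the answer above, is that only roles/viewer is printed.
if [ "$#" -gt 0 ]; then
  roles_with_permission "$@"
fi
```

To answer the OP's side question end to end, run `roles_with_permission storage.objects.get roles/viewer roles/storage.objectViewer` to see which candidate roles carry the permission from the error message, then `troubleshoot_permission <YOUR_PROJECT> <YOUR_SERVICE_ACCOUNT>@<YOUR_PROJECT>.iam.gserviceaccount.com storage.buckets.get` to see whether the service account actually holds the permission the build needs on the project, with the bindings that grant or deny it.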