
When creating a new service account to handle Container Builder jobs, the jobs fail with the following error despite the service account having Cloud Container Builder, Logs Viewer and Private Logs Viewer:

ERROR: (gcloud.container.builds.submit) HTTPError 403:
<?xml version='1.0' encoding='UTF-8'?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access denied.</Message>
  <Details>v2-container-builder@redacted.iam.gserviceaccount.com does not have storage.objects.get access to object redacted.cloudbuild-logs.googleusercontent.com/log-20117c17-f2b4-4159-9883-104ddd7bb232.txt.
  </Details>
</Error>

I understand the error points to storage.objects.get permissions over a file on Cloud Storage, but this is not a bucket we can set an ACL for, is it?

maciekrb

1 Answer


Here is the quote from David Bendory (Tech Lead for the Google Cloud Container Builder) from this thread:

GCS permissions predate IAM and thus work a little differently. To view the logs, the Service Account in question needs to be a Viewer on the project in addition to have the Builder Editor role.

wheleph
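As an added example (not code from the original thread or from Google), here is a small check that reproduces the answer's advice against an exported IAM policy: it reads a project policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, reports which of the two required project-level roles the service account is missing, and produces an updated policy plus the matching `gcloud projects add-iam-policy-binding` commands. The policy below is a constructed sample, the project name and service account address are placeholders, and the role IDs are assumptions: `roles/viewer` for project Viewer and `roles/cloudbuild.builds.editor` for the Container Builder Editor role.

```python
"""Check a service account for the project roles Container Builder log
access needs (Viewer plus Builder Editor) and show how to grant the gap.

Added example, not from the original thread. Role IDs are assumptions.
"""
import copy
import json

# Assumed role IDs: project Viewer and the Container Builder Editor role.
REQUIRED_ROLES = ("roles/viewer", "roles/cloudbuild.builds.editor")

# Placeholder service account (not the one from the question).
SA_EMAIL = "v2-container-builder@example-project.iam.gserviceaccount.com"

# Constructed sample policy in the shape returned by
#   gcloud projects get-iam-policy PROJECT --format=json
# The SA holds the builder role and the log viewer roles but not project
# Viewer, which is the situation described in the question.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/cloudbuild.builds.editor",
     "members": ["serviceAccount:v2-container-builder@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/logging.viewer",
     "members": ["serviceAccount:v2-container-builder@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/logging.privateLogViewer",
     "members": ["serviceAccount:v2-container-builder@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:alice@example.com"]}
  ],
  "etag": "BwXyz123",
  "version": 1
}
"""


def load_sample_policy():
    """Parse the constructed sample policy."""
    return json.loads(SAMPLE_POLICY_JSON)


def roles_for_member(policy, member):
    """Roles bound directly to `member` (e.g. 'serviceAccount:x@y').
    Group membership and bindings inherited from a folder or organisation
    are not expanded, so a missing role here is a hint, not proof."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def missing_roles(policy, sa_email, required=REQUIRED_ROLES):
    """Required roles the service account does not hold at project level."""
    held = roles_for_member(policy, f"serviceAccount:{sa_email}")
    return [role for role in required if role not in held]


def grant_roles(policy, sa_email, roles):
    """Return a copy of `policy` with `roles` bound to the service account,
    reusing an existing binding for a role when one is present (the same
    edit `gcloud projects add-iam-policy-binding` makes). The etag is kept
    so a later set-iam-policy call remains a compare-and-set."""
    new_policy = copy.deepcopy(policy)
    member = f"serviceAccount:{sa_email}"
    bindings = new_policy.setdefault("bindings", [])
    for role in roles:
        for binding in bindings:
            if binding["role"] == role:
                members = binding.setdefault("members", [])
                if member not in members:
                    members.append(member)
                break
        else:
            bindings.append({"role": role, "members": [member]})
    return new_policy


def gcloud_commands(project, sa_email, roles):
    """The equivalent CLI commands for granting `roles` to the account."""
    return [
        f"gcloud projects add-iam-policy-binding {project} "
        f"--member=serviceAccount:{sa_email} --role={role}"
        for role in roles
    ]


if __name__ == "__main__":
    policy = load_sample_policy()
    missing = missing_roles(policy, SA_EMAIL)
    print("missing project roles:", missing)
    for cmd in gcloud_commands("example-project", SA_EMAIL, missing):
        print(cmd)
    fixed = grant_roles(policy, SA_EMAIL, missing)
    print("after grant, missing:", missing_roles(fixed, SA_EMAIL))
```

Against the sample policy the check reports that only `roles/viewer` is missing, which is exactly the gap the accepted answer describes: the two Logs Viewer roles do not help because the build log is read through Cloud Storage object permissions, and project Viewer is what grants those. Project Viewer is a broad, project-wide read role, so treat granting it as a deliberate widening of the service account's access rather than a routine fix.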