
I am trying to run a pipeline from Bitbucket to GCP. This is my pipeline configuration:

image: node:10.15.3

pipelines:
  default:
    - parallel:
        - step:
            name: Build and Test
            caches:
              - node
            script:
              - npm install
        - step:
            name: Deploy
            deployment: staging
            script:
              - curl -o /tmp/google-cloud-sdk.tar.gz https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-347.0.0-linux-x86_64.tar.gz
              - tar -xvf /tmp/google-cloud-sdk.tar.gz -C /tmp/
              - /tmp/google-cloud-sdk/install.sh -q
              - source /tmp/google-cloud-sdk/path.bash.inc
              - gcloud -v
              - echo "${KEY_FILE}" | base64 --decode --ignore-garbage > ./gcloud-api-key.json
              - gcloud auth activate-service-account --key-file gcloud-api-key.json
              - echo "$(gcloud auth list)"
              - gcloud config unset project
              - gcloud config set project $PROJECT_ID
              - echo "GCLOUD" "$(gcloud iam service-accounts list)"
              - echo "$(gcloud projects list)"
              #- gcloud auth login
              - gcloud app deploy  # getting error here

On GCP dashboard I selected my project from top dropdown and created service account. My service account holds these permissions: [screenshot of the service account's permissions]

I have downloaded the service account JSON and added an environment variable KEY_FILE to Bitbucket after encoding it with base64 (executed base64 <service-account>.json and pasted the output into the variable). The PROJECT_ID variable contains the project ID from GCP.

Adding output for the pipeline commands:

gcloud auth activate-service-account --key-file gcloud-api-key.json

Activated service account credentials for: [service-account-name@project-id.iam.gserviceaccount.com]

echo "$(gcloud auth list)"

ACTIVE  ACCOUNT
*       service-account-name@project-id.iam.gserviceaccount.com

To set the active account, run:
    $ gcloud config set account ACCOUNT


gcloud config unset project

Unset property [core/project].

gcloud config set project $PROJECT_ID

Updated property [core/project].
WARNING: You do not appear to have access to project [PROJECT_ID] or it does not exist.

echo "$(gcloud projects list)"

Listed 0 items.

gcloud app deploy

ERROR: (gcloud.app.deploy) Permissions error fetching application

After hours of research, I am not able to resolve the issue. Any input will be helpful.

Nalin Dobhal
  • Are you 100% you are using the [project ID and not the project name](https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects)? – dany L Jul 07 '21 at 15:53
  • @danyL yeah, project name is Bitbucket-Test and id is so I am pretty sure this is not an issue. Already checked that thread. I tried to set `gcloud config set project $PROJECT_ID` with the project name and got an error saying not a valid project id, so I think that's not the case here. – Nalin Dobhal Jul 07 '21 at 16:35

2 Answers


You should be able to run the script from any machine and this will help in debugging; run it locally (perhaps within a 'clean' container) to uncover errors.

The output you include references service-account-name@project-id.iam.gserviceaccount.com; the iam.gserviceaccount.com suffix suggests a user-created service account.

However, the account that you reference in the screenshot is the App Engine default service account appspot.gserviceaccount.com.

It's possible that you've created a service account and a key for it but not assigned it any permissions. This would explain the errors.

Service Accounts are owned by specific projects; you can list the Service Accounts in a specific project using:

PROJECT=[[YOUR-PROJECT-ID]]

gcloud iam service-accounts list \
--project=${PROJECT}

You can list the permissions for a project using:

gcloud projects get-iam-policy ${PROJECT}

NOTE Service Accounts must be role'd on every project or project resources on which the account needs permissions.

NOTE To list projects, an account requires the IAM permission resourcemanager.projects.list. This must be enabled on an organization or folder (link)

DazWilkin
  • good input, let me check and get back with my research. – Nalin Dobhal Jul 07 '21 at 16:37
  • This was really helpful, but I have a query. I am using default service account now and when I run this command: `gcloud config set project $PROJECT_ID`, I get `WARNING: You do not appear to have access to project or it does not exist.`. What permissions are needed to run a CI/CD pipeline? – Nalin Dobhal Jul 09 '21 at 08:28
  • Service Accounts are confusing. They're unlike regular (user|human) accounts in a couple of ways. One way is that they're owned by a specific project. To be used in other projects, you will need to add the Service Account (using its email address) either to specific projects, to specific projects' resources or to an organization|folder in order to be able to access those resources. This is probably what's happened here. Your default service account is in project X and you're trying to access project Y with it. – DazWilkin Jul 09 '21 at 15:30
  • thanks for your help, it wouldn't have been possible to resolve this issue w/o your valuable input. Though I ran into another issue while deploying, this was the breakthrough that we needed :) – Nalin Dobhal Jul 17 '21 at 08:20

As @DazWilkin said, the issue occurs when trying to activate a project (gcloud config set project $PROJECT_ID) when the service account is active, as the service account only has permissions for the projects in which it has been added. You can check this with the command gcloud projects list just after activating the service account (that is, right after gcloud auth activate-service-account --key-file gcloud-api-key.json), which shows a list with all the projects accessible by the active account. If you want to use a service account from other projects, you will have to add it to each of those projects (check this post).

JMA
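Both answers above come down to the same two checks: is the key you decoded from KEY_FILE actually a key for an account owned by (or granted roles on) the project you are deploying to, and does that account hold the roles the deploy needs. The preflight script below is an added example, not code from either answer or from the original pipeline; it is meant to run in the Deploy step after the key is decoded and before gcloud app deploy, so the pipeline fails with a readable message instead of "Permissions error fetching application". It assumes the key file has the standard top-level fields (type, project_id, client_email), that the project's IAM policy has been flattened to role/member lines with the gcloud invocation shown in the comments, and that REQUIRED_ROLES is a reasonable guess at what an App Engine deploy from CI needs; the key files and policy in the script are constructed sample data, not real credentials.

```shell
#!/bin/sh
# preflight.sh: run in the Deploy step after decoding the key and before
# `gcloud app deploy`. Added example, not code from the original post.
#
# Assumptions (not stated on the page):
#  - the key JSON has the standard top-level fields type, project_id and
#    client_email, one per line, as downloaded from the console;
#  - the project's IAM policy has been flattened to "role<TAB>member" lines with
#      gcloud projects get-iam-policy "$PROJECT_ID" \
#        --flatten="bindings[].members" \
#        --format="value(bindings.role,bindings.members)" > policy.txt
#  - REQUIRED_ROLES is a guess at what an App Engine deploy from CI needs;
#    adjust it to the roles your project actually grants the deployer.
REQUIRED_ROLES="roles/appengine.deployer roles/appengine.serviceAdmin roles/storage.admin roles/cloudbuild.builds.editor"

# key_field FIELD FILE: print the string value of top-level FIELD in a key file.
key_field() {
  sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# check_key FILE TARGET_PROJECT: 0 if FILE is a service-account key owned by
# TARGET_PROJECT, otherwise print why and return 1. A key from another project
# is the "service account in project X, deploying to project Y" case from the
# answers above: activation succeeds, but every call against Y is denied unless
# the account has been granted roles on Y.
check_key() {
  file=$1
  target=$2
  if [ "$(key_field type "$file")" != "service_account" ]; then
    echo "check_key: $file is not a service-account key (wrong file or broken base64?)" >&2
    return 1
  fi
  owner=$(key_field project_id "$file")
  if [ "$owner" != "$target" ]; then
    echo "check_key: key for $(key_field client_email "$file") belongs to project '$owner', not '$target'" >&2
    return 1
  fi
  return 0
}

# missing_roles SA_EMAIL POLICY_FILE: print the required roles that are not
# bound to serviceAccount:SA_EMAIL in the flattened policy; return 0 if none.
missing_roles() {
  sa=$1
  policy=$2
  missing=""
  for role in $REQUIRED_ROLES; do
    if ! grep -q "^${role}[[:space:]][[:space:]]*serviceAccount:${sa}\$" "$policy"; then
      missing="$missing $role"
    fi
  done
  missing=${missing# }
  [ -z "$missing" ] && return 0
  echo "$missing"
  return 1
}

# --- Constructed sample inputs (no real credentials) so this runs offline ---
WORK=$(mktemp -d)
cat > "$WORK/key-project-x.json" <<'EOF'
{
  "type": "service_account",
  "project_id": "project-x",
  "client_email": "ci-deployer@project-x.iam.gserviceaccount.com"
}
EOF
cat > "$WORK/key-project-y.json" <<'EOF'
{
  "type": "service_account",
  "project_id": "project-y",
  "client_email": "ci-deployer@project-y.iam.gserviceaccount.com"
}
EOF
# Flattened policy of project-y: the deployer account has only one of the roles.
printf '%s\t%s\n' \
  roles/appengine.deployer serviceAccount:ci-deployer@project-y.iam.gserviceaccount.com \
  roles/owner user:alice@example.com > "$WORK/policy-y.txt"

TARGET_PROJECT=project-y
check_key "$WORK/key-project-x.json" "$TARGET_PROJECT" || echo "key-project-x.json rejected for $TARGET_PROJECT"
check_key "$WORK/key-project-y.json" "$TARGET_PROJECT" && echo "key-project-y.json accepted for $TARGET_PROJECT"
if ! missing=$(missing_roles ci-deployer@project-y.iam.gserviceaccount.com "$WORK/policy-y.txt"); then
  echo "deploy would fail; grant on $TARGET_PROJECT: $missing"
fi
```

In the real pipeline, replace the constructed files with ./gcloud-api-key.json and the output of the gcloud projects get-iam-policy command from the comments, and put `check_key ./gcloud-api-key.json "$PROJECT_ID"` and the missing_roles call as script lines before gcloud app deploy. Because get-iam-policy itself needs resourcemanager.projects.getIamPolicy on the target project, a failure of that command is the same signal as the WARNING in the question: the account has not been added to that project at all.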