I am trying to build a docker image from the Pub/Sub tutorial on Google (link here). I am running this command: gcloud builds submit --tag gcr.io/project_id/pubsub but for some reason I get the error mentioned in the title: ERROR: (gcloud.builds.submit) INVALID_ARGUMENT: could not resolve source: googleapi: Error 403: <SERVICE ACCOUNT> does not have storage.objects.get access to the Google Cloud Storage object., forbidden. I gave the service account the roles/storage.admin role and that didn't work. I even went as far as made the service account an owner and I still got the same error.
Asked
Active
Viewed 2,101 times
5
Super Kai - Kazuya Ito
- 22,221
- 10
- 124
- 129
Adriano Matos
- 325
- 3
- 13
1 Answers
6
I figured it out. When using Cloud Build, GCP uses an entirely separate service account for this. It looks something like: <random-id>@cloudbuild.gserviceaccount.com. Add the Cloud Build Service Account role and the Storage Admin role to this service account fixed the problem.
Adriano Matos
- 325
- 3
- 13
-
3The ID isn't random, it's the project number that the service account belongs to. – rmrf Nov 18 '21 at 17:46
-
I tried your way but still got the error. – My Car Sep 03 '22 at 02:54