Error 403: project-number@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden

Question

When I deploy my code to Google Cloud Functions, I'm getting some errors. Here is the terminal:

Deploying function (may take a while - up to 2 minutes)...failed. ERROR: (gcloud.functions.deploy) OperationError: code=3, message=Build failed: could not resolve source: googleapi: Error 403: project-number@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden com.google.net.rpc3.client.RpcClientException: APPLICATION_ERROR;google.devtools.cloudbuild.v1/ArgoAdminNoCloudAudit.CreateBuild;could not resolve source: googleapi: Error 403: project-number@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden;AppErrorCode=3;StartTimeMs=1662193492422;unknown;ResFormat=AUTOMATIC;ServerTimeSec=0.134693421;LogBytes=256;Non-FailFast;EndUserCredsRequested;EffSecLevel=none;ReqFormat=AUTOMATIC;ReqID=d01f765418c35b2b;GlobalID=0;Server=[2002:a05:6610:e5b:b0:301:a983:723e]:4001

Some code snippets:

const task = {
  httpRequest: {
    httpMethod: "POST",
    url: "https://location-project.cloudfunctions.net/function-name",
  },
};
task.scheduleTime = {
  seconds: 60 + Date.now() / 1000,
};
const payload = {
  data: data,
};
if (payload) {
  task.httpRequest.body = Buffer.from(JSON.stringify(payload)).toString(
    "base64"
  );
  task.httpRequest.headers = {
    "Content-Type": "application/json",
  };
  task.httpRequest.oidcToken = {
    serviceAccountEmail:
      "tutorial-gcf@project.iam.gserviceaccount.com",
  };
}
const parent = client.queuePath(
  "project",
  "location",
  "queue"
);
const request = { parent: parent, task: task };
const [response] = await client.createTask(request);
console.log(`Created task ${response.name}`);

The roles of tutorial-gcf@project.iam.gserviceaccount.com:

Cloud Functions Invoker
Cloud Tasks Service Agent
Storage Object Viewer

How can I fix this error? Appreciate if someone can advise. Thank you in advance!

@guillaumeblaquiere, the permissions of the Cloud Build service account are cloudfunctions.functions.invoke, cloudtasks.serviceAgent, resourcemanager.projects.get, resourcemanager.projects.list, storage.objects.get, storage.objects.list. — My Car, Sep 03 '22 at 12:07
Can you grant [`storage.objectViewer`](https://cloud.google.com/storage/docs/access-control/iam-roles#:~:text=roles/storage.objectViewer) role to Cloud build service account and try? — Roopa M, Sep 04 '22 at 09:00
Also can you check that the cloud function runtime service account has a relevant permissions for accessing the cloud storage bucket? Cloud Functions uses a [default service account](https://cloud.google.com/functions/docs/securing/function-identity#runtime_service_account) as its identity for function execution. In order to use custom service account refer this [document](https://cloud.google.com/functions/docs/securing/function-identity#adding_a_user-managed_service_account_at_deployment) — Roopa M, Sep 04 '22 at 09:03
I granted the storage.objectViewer role to the Cloud Build service account, but still getting the error. — My Car, Sep 04 '22 at 09:08
Have you checked this [solution](https://stackoverflow.com/a/68303613/18265570) ? — Roopa M, Sep 04 '22 at 09:28
Can you check whether you are giving these roles to **tutorial-gcf@project.iam.gserviceaccount.com** or **project-number@cloudbuild.gserviceaccount.com.** When using Cloud Build, GCP uses an entirely separate service account for this. Add the `Cloud Build Service Account role` and the `Storage Admin role` to this cloud build service account in the IAM page. — Srividya, Sep 05 '22 at 13:35
Please refer to this [doc](https://cloud.google.com/storage/docs/troubleshooting#access-permission) — Srividya, Sep 07 '22 at 05:54

Error 403: project-number@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden

0 Answers0