0

I am trying to deploy a simple cloud function (gen1) in my project. I have owner permission for the project.

however, while deploying I am getting following error.

"build": ERROR: failed to initialize analyzer: validating registry write access: ensure registry read/write access to us.gcr.io/project_xxx/gcf/northamerica-northeast1/3c5aeef8-dfbd-43de-9873-16a1b68e54ed/cache:4f2ca2a4-acef-42e1-94e2-3123fcd93c70"

I also provided Artifact Registry Administrator role to the service account tied to cloud function. however, I am still getting above error.

Update 1:

I gave Artifact Registry Administrator permission for cloudbuild.gserviceaccount.com service account as well. However, same error.

enter image description here

Update 2

Just to isolate the problem, I gave owner permission to both the service accounts. cloud function and cloud build service account and I am still getting this issue.

I checked the path as well for artifactory and it's empty. us.gcr.io/project-xxx/gcf/northamerica-northeast1/f4d0d3b2-6ed4-4e04-aab1-708b19e26d9c/cache:39767ec4-9f7d-4992-82c8-ae8d9658b909

I also, deleted the entire function and created new one with same service account and still getting issue.

Update 3: I checked the cloudbuild settings and seems like it has all the access required. enter image description here

Gaurang Shah
  • 11,764
  • 9
  • 74
  • 137
  • Can you try to add the Artifact Registry Administrator role to the Cloud Build service agent? In addition, is it a new project? what the activated services? Do you use Cloud Functions gen1 or gen2? – guillaume blaquiere Apr 13 '23 at 14:51
  • it's a new project and gen1 cloud func. what should I look under activated services. – Gaurang Shah Apr 13 '23 at 14:52
  • Do you have activated all these API? Cloud Functions, Cloud Build, Artifact Registry, Cloud Storage, Logging. – guillaume blaquiere Apr 13 '23 at 14:58
  • @guillaumeblaquiere yes all the API's are enabled. – Gaurang Shah Apr 13 '23 at 15:03
  • This answer suggests that the issue lies with the images in the container registry and deleteing them and redeploying might help: https://stackoverflow.com/a/67373593/151759 An entry in the google cloud community suggests cloud debugger permission, but I do not see any connection to your problem. But maybe it is worth a try. – Bertolt Apr 13 '23 at 16:16
  • @Bertolt i gave owner permission to both the service account and deleted everything from storage bucket, registry was empty already and created new function and still the same error. – Gaurang Shah Apr 13 '23 at 17:29
  • @GaurangShah, have you also tried [granting a role to the Cloud Build service account using the Settings page](https://cloud.google.com/build/docs/securing-builds/configure-access-for-cloud-build-service-account#service-account-permissions-settings)? – Robert G Apr 13 '23 at 21:26

1 Answers1

1

You are setting Artifact Registry permissions, but by default, gcr.io urls are handled by Container Registry. If you want to use gcr.io urls with Artifact Registry, you can run (needs roles/storage.admin):

gcloud beta artifacts settings enable-upgrade-redirection --project=PROJECT_ID

(See https://cloud.google.com/artifact-registry/docs/transition/setup-gcr-repo for more detailed info)

If you want to use Container Registry (not recommended), you should use these permissions: https://cloud.google.com/container-registry/docs/access-control

James
  • 451
  • 2
  • 5