Incorrect IAM permissions in the starter workflow #423

Open
ianyoung opened this issue Jan 2, 2023 · 5 comments
Labels
bug Something isn't working

Comments

ianyoung commented Jan 2, 2023

TL;DR

Deployment fails when deploying to Cloud Run from source using the default template.

Expected behavior

Successful deploy

Observed behavior

Failure to deploy with the following error message:

Error: google-github-actions/deploy-cloudrun failed with: failed to execute gcloud command `gcloud run deploy MY-SERVICE --quiet --platform managed --region europe-west6 --source ./src/ --project *** --format json`: This command is equivalent to running `gcloud builds submit --tag [IMAGE] ./src` and `gcloud run deploy MY-SERVICE --image [IMAGE]`

The name of my service has been replaced with MY-SERVICE.

Action YAML

name: Deploy to Cloud Run from Source

on:
  push:
    branches: [ "main" ]

env:
  PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} # Google Cloud project id
  SERVICE: MY-SERVICE
  REGION: europe-west6

jobs:
  deploy:
    # Add 'id-token' with the intended permissions for workload identity federation
    permissions:
      contents: 'read'
      id-token: 'write'

    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Google Auth
        id: auth
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
          service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - [email protected]

      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@v0
        with:
          service: ${{ env.SERVICE }}
          region: ${{ env.REGION }}
          # NOTE: If required, update to the appropriate source folder
          source: ./src/

      # If required, use the Cloud Run url output in later steps
      - name: Show Output
        run: echo ${{ steps.deploy.outputs.url }}

Log output

No response

Additional information

Steps followed:

  1. Go to GitHub Actions tab in my repo
  2. Create new workflow
  3. Select "configure" on "Build and deploy from source" (screenshot)
  4. Update env vars

I'm looking to use my own Dockerfile in ./src/. I've updated the source parameter accordingly: source: ./src/.
I've also tried removing the trailing slash. This results in the same error.

I've used a different service name to ensure it's unique and the error is the same.

ianyoung added the bug label Jan 2, 2023

sethvargo (Member)
Hi there - could you please provide the debug output for the complete GitHub Actions workflow run?

ianyoung commented Jan 2, 2023

Good call. I've enabled the debug output and downloaded the logs. Available here.

It looks like this is the specific error:

Deployment failed
ERROR: (gcloud.run.deploy) The user is forbidden from accessing the bucket [***_cloudbuild]. Please check your organization's policy or if the user has the "serviceusage.services.use" permission. Giving the user Owner, Editor, or Viewer roles may also fix this issue. Alternatively, use the --no-source option and access your source code via a different method.

Although I've followed the instructions in the template and both enabled and set permissions for Cloud Run, Cloud Build, Cloud Storage and Artifact Registry.

I've followed that error message and added roles/serviceusage.serviceUsageAdmin as well. Here are the roles currently assigned to my service account:

ROLE
roles/artifactregistry.admin
roles/cloudbuild.builds.editor
roles/cloudfunctions.developer
roles/iam.serviceAccountUser
roles/run.admin
roles/secretmanager.secretAccessor
roles/serviceusage.serviceUsageAdmin
roles/storage.objectAdmin

The error remains after just trying a re-run.

ianyoung commented Jan 2, 2023

I've figured out the problem. Once again it's misleading info in the workflow template. The template comments mention the following permissions:

# 3. Ensure the required IAM permissions are granted
#
#    Cloud Run
#      roles/run.admin
#      roles/iam.serviceAccountUser     (to act as the Cloud Run runtime service account)
#
#    Cloud Build
#      roles/cloudbuild.builds.editor
#
#    Cloud Storage
#      roles/storage.objectAdmin
#
#    Artifact Registry
#      roles/artifactregistry.admin     (project or repository level)

However roles/storage.objectAdmin is incorrect. You actually need roles/storage.admin, as per the docs.

I've tested and can confirm it's working with the Storage Admin role.
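The two role lists in this thread lend themselves to a quick audit. The script below is an added example, not part of this issue or of the google-github-actions project: it compares the roles bound to the deploy service account against the set the comment above arrives at (the template's list with roles/storage.admin in place of roles/storage.objectAdmin), prints the gcloud bindings that would close the gap, and flags granted roles outside that set for least-privilege review. The project id and service-account e-mail are placeholders, and the granted-role list is a constructed sample copied from the thread; the script never calls gcloud itself.

```sh
#!/bin/sh
# Added example (not from the issue or the google-github-actions project):
# audit a deploy service account's roles against the corrected starter-workflow
# list. Nothing here calls gcloud; it only prints the commands a fix would need.

# Roles the thread settles on: the template's list with roles/storage.admin
# in place of roles/storage.objectAdmin.
REQUIRED_ROLES="roles/run.admin
roles/iam.serviceAccountUser
roles/cloudbuild.builds.editor
roles/storage.admin
roles/artifactregistry.admin"

# Constructed sample: the bindings the reporter listed before the fix.
# In a real pipeline, replace this with the output of:
#   gcloud projects get-iam-policy "$PROJECT" --flatten="bindings[].members" \
#     --filter="bindings.members:serviceAccount:$SA" --format="value(bindings.role)"
GRANTED_ROLES="roles/artifactregistry.admin
roles/cloudbuild.builds.editor
roles/cloudfunctions.developer
roles/iam.serviceAccountUser
roles/run.admin
roles/secretmanager.secretAccessor
roles/serviceusage.serviceUsageAdmin
roles/storage.objectAdmin"

# set_difference A B: lines of A that do not appear as whole lines in B.
# Whole-line matching matters here: roles/storage.admin must not be
# satisfied by roles/storage.objectAdmin.
set_difference() {
  printf '%s\n' "$1" | while IFS= read -r role; do
    [ -n "$role" ] || continue
    printf '%s\n' "$2" | grep -qxF -e "$role" || printf '%s\n' "$role"
  done
}

# missing_roles REQUIRED GRANTED: required roles the account does not hold.
missing_roles() { set_difference "$1" "$2"; }

# extra_roles REQUIRED GRANTED: granted roles outside the required set.
# These are review candidates, not automatic removals; the service may
# legitimately need e.g. roles/secretmanager.secretAccessor at runtime.
extra_roles() { set_difference "$2" "$1"; }

# grant_commands PROJECT SA_EMAIL MISSING: one project-level binding per
# missing role, printed rather than executed.
grant_commands() {
  printf '%s\n' "$3" | while IFS= read -r role; do
    [ -n "$role" ] || continue
    printf 'gcloud projects add-iam-policy-binding %s --member="serviceAccount:%s" --role="%s"\n' \
      "$1" "$2" "$role"
  done
}

# Placeholders (assumptions, not values from the thread).
PROJECT="my-project"
SA="deploy-sa@my-project.iam.gserviceaccount.com"

missing=$(missing_roles "$REQUIRED_ROLES" "$GRANTED_ROLES")
echo "Missing roles:"; printf '%s\n' "$missing"
echo "Commands to grant them:"; grant_commands "$PROJECT" "$SA" "$missing"
echo "Granted roles outside the required set (review for least privilege):"
extra_roles "$REQUIRED_ROLES" "$GRANTED_ROLES"
```

On the sample data the only missing role is roles/storage.admin, which matches the thread's conclusion, and four granted roles fall outside the template's list. One caveat on the fix itself: roles/storage.admin at project level gives the deploy account full control over every bucket in the project, while the error above only concerns the [PROJECT]_cloudbuild source bucket, so it is worth testing whether a bucket-level binding on that bucket is enough in your setup before granting it project-wide.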

sethvargo (Member)
@verbanicm

sethvargo (Member)
@verbanicm can you take a look at updating the starter workflows? This came up again in a usability study.

@sethvargo sethvargo changed the title Failed to execute gcloud command Incorrect IAM permissions in the starter workflow Mar 28, 2024