Moved from a Project Owner account to a custom service account for deployments. You’d think in the year 2025 this would be simple, but as it turns out there are roles required beyond just Cloud Build & Cloud Run to actually make this work.
Here’s a run-down of the errors and roles:
Error #1: Missing ‘Storage Admin’ Role
After authenticating as the service account, I ran gcloud builds submit and got this:
ERROR: (gcloud.builds.submit) The user is forbidden from accessing the bucket [myproject-123456_cloudbuild]. Please check your organization's policy or if the user has the "serviceusage.services.use" permission. Giving the user Owner, Editor, or Viewer roles may also fix this issue. Alternatively, use the --no-source option and access your source code via a different method.
make: *** [cloud-build] Error 1
This didn’t make much sense, as the account already had the “Service Usage Consumer” and “Storage Object Admin” roles. ‘Editor’ did fix it, so I did some searching and found a couple of StackOverflow posts:
Adding “Storage Admin” (not to be confused with “Storage Object Admin”) did fix it.
Error #2: Missing ‘Viewer’ Role
After fixing the above, I got this new error:
ERROR: (gcloud.builds.submit)
The build is running, and logs are being written to the default logs bucket.
This tool can only stream logs if you are Viewer/Owner of the project and, if applicable, allowed by your VPC-SC security policy.
The default logs bucket is always outside any VPC-SC security perimeter.
If you want your logs saved inside your VPC-SC perimeter, use your own bucket.
See https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs.
Found this post, which states it can be fixed by adding the Viewer role, and that did work.
Error #3: Missing ‘Cloud Build Service Account’ Role
Creating temporary archive of 34 file(s) totalling 73.6 KiB before compression.
Uploading tarball of [.] to [gs://myproject-123456_cloudbuild/source/xxxxx.tgz]
ERROR: (gcloud.builds.submit) PERMISSION_DENIED: The caller does not have permission. This command is authenticated as network-deployer@myproject-123456.iam.gserviceaccount.com which is the active account specified by the [core/account] property
make: *** [cloud-build] Error 1
Had to figure this one out on my own; adding “Cloud Build Service Account” did the trick.
Error #4: Missing ‘Service Account User’ Role
Finally moving on to Cloud Run, I had already added “Cloud Run Builder” and “Cloud Run Developer”. Yet I got this error:
X Deploying...
. Creating Revision...
. Routing traffic...
. Setting IAM Policy...
Deployment failed
ERROR: (gcloud.run.deploy) PERMISSION_DENIED: Permission 'iam.serviceaccounts.actAs' denied on service account 123456789-compute@developer.gserviceaccount.com (or it may not exist). This command is authenticated as network-deployer@myproject-123456.iam.gserviceaccount.com which is the active account specified by the [core/account] property.
make: *** [cloud-run] Error 1
This one was at least more straightforward. The “Service Account User” role was required to do the deployment as the default service account.
In summary, these are the roles I added in order to use Cloud Build / Cloud Run:
- Cloud Build Logging Service Agent
- Cloud Build Service Account
- Cloud Run Builder
- Cloud Run Developer
- Service Account User
- Service Usage Consumer
- Storage Admin
- Storage Object Admin
- Viewer
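As an added example (not the post’s own code), here is a script that grants the summary’s roles to the deployer service account by IAM role ID and audits which are still missing. The role IDs are my mapping of the display names above, the project and account names are placeholders copied from the post’s output, and it goes one step beyond the post by binding “Service Account User” on the runtime account only instead of project-wide.

```shell
# Added example, not from the original post. PROJECT_ID, DEPLOYER_SA and
# RUNTIME_SA are placeholders taken from the post's error output.
set -eu

PROJECT_ID="${PROJECT_ID:-myproject-123456}"
DEPLOYER_SA="${DEPLOYER_SA:-network-deployer@${PROJECT_ID}.iam.gserviceaccount.com}"
RUNTIME_SA="${RUNTIME_SA:-123456789-compute@developer.gserviceaccount.com}"

# Project-level role IDs for the display names in the post's summary. "Cloud Build
# Logging Service Agent" is left out because the post gives no role ID for it, and
# "Service Account User" is bound on the runtime account below instead.
required_roles() {
  cat <<'EOF'
roles/cloudbuild.builds.builder
roles/run.builder
roles/run.developer
roles/serviceusage.serviceUsageConsumer
roles/storage.admin
roles/storage.objectAdmin
roles/viewer
EOF
}

# Roles currently bound to the deployer at project level, one per line.
granted_roles() {
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:${DEPLOYER_SA}" \
    --format='value(bindings.role)'
}

# Read granted roles from stdin; print each required role not among them.
missing_roles() {
  granted=$(cat)
  required_roles | while IFS= read -r role; do
    printf '%s\n' "$granted" | grep -qx -- "$role" || printf '%s\n' "$role"
  done
}

grant_roles() {
  required_roles | while IFS= read -r role; do
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${DEPLOYER_SA}" --role="$role"
  done
  # Error #4: actAs on the runtime account only, rather than project-wide.
  gcloud iam service-accounts add-iam-policy-binding "$RUNTIME_SA" \
    --member="serviceAccount:${DEPLOYER_SA}" --role=roles/iam.serviceAccountUser
}

case "${1:-}" in
  apply) grant_roles ;;
  audit) granted_roles | missing_roles ;;
esac
```

Run with `audit` to list what the deployer still lacks, or `apply` to grant everything; with no argument the script only defines the functions.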