Why am I seeing this error: 'ERROR: (gcloud.run.deploy) PERMISSION_DENIED: The caller does not have permission' while deploying container?
Suppose I have a cloudbuild.yaml file like the one below. Also suppose that I can build and manually deploy the container in question when I use gcloud for the individual steps (building and running) by hand.
When deploying, the third step fails with: ERROR: (gcloud.run.deploy) PERMISSION_DENIED: The caller does not have permission
steps:
# Build the container image
- name: 'gcr.io/cloud-builders/docker'
  args: ['build', '-t', 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA', '.']
# Push the image to Container Registry
- name: 'gcr.io/cloud-builders/docker'
  args: ['push', 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA']
# Deploy image to Cloud Run
- name: 'gcr.io/cloud-builders/gcloud'
  args:
  - 'run'
  - 'deploy'
  - '[SERVICE_NAME]'
  - '--image'
  - 'gcr.io/[PROJECT_ID]/[IMAGE]:$COMMIT_SHA'
  - '--region'
  - '[REGION]'
  - '--platform'
  - 'managed'
images:
- gcr.io/[PROJECT_ID]/[IMAGE]
See the documentation:
https://cloud.google.com/cloud-build/docs/deploying-builds/deploy-cloud-run#before_you_begin
You need to follow the steps given there:
1. Grant the Cloud Run Admin role to the Cloud Build service account:
   a. In the Cloud Console, go to the Cloud Build Settings page (Open the Settings page).
   b. Locate the row with the Cloud Run Admin role and set its Status to ENABLED.
   c. In the "Additional steps may be required" pop-up, click Skip.
2. Grant the IAM Service Account User role to the Cloud Build service account on the Cloud Run runtime service account:
   a. In the Cloud Console, go to the Service Accounts page (Open the Service Accounts page).
   b. In the list of members, locate and select [PROJECT_NUMBER]-compute@developer.gserviceaccount.com. This is the Cloud Run runtime service account.
   c. Click SHOW INFO PANEL in the top right corner.
   d. In the Permissions panel, click the Add Member button.
   e. In the New member field, enter the email address of the Cloud Build service account. This is of the form [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com.
      Note: The email address of the Cloud Build service account is different from that of the Cloud Run runtime service account.
   f. In the Role dropdown, select Service Accounts, and then Service Account User.
   g. Click Save.
In my case, the @cloudbuild account did not show up in the IAM suggestions in step 2, but if you do step 1 and run your build, the error message changes to something like the edited message below, which contains the account you need.
ERROR: (gcloud.run.deploy) User [<SOME_NUMBER_HERE>@cloudbuild.gserviceaccount.com] does not have permission to access namespace [<YOUR_PROJECT_ID>] (or it may not exist): Permission 'iam.serviceaccounts.actAs' denied on service account <SOME_OTHER_NUMBER_HERE>-compute@developer.gserviceaccount.com (or it may not exist).
To do this via the gcloud CLI:
# Grant the Cloud Build service account the Cloud Run Admin role on the service
gcloud run services add-iam-policy-binding [CLOUD_RUN_SERVICE_NAME] \
  --member=serviceAccount:[CLOUD_BUILD_SERVICE_ACCOUNT_EMAIL] \
  --role=roles/run.admin \
  --project=$PROJECT \
  --region=$REGION
# Let the Cloud Build service account act as the Cloud Run runtime service account
# (this is the iam.serviceaccounts.actAs permission named in the error above).
# Service accounts are not regional, so this command takes no --region flag.
gcloud iam service-accounts add-iam-policy-binding [SERVICE_ACCOUNT_THAT_CLOUD_RUN_RUNS_AS] \
  --member=serviceAccount:[CLOUD_BUILD_SERVICE_ACCOUNT_EMAIL] \
  --role=roles/iam.serviceAccountUser \
  --project=$PROJECT
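A pre-flight check for the two bindings discussed above, added here as an example and not part of the original post or of any Google tooling. It takes the JSON that `gcloud run services get-iam-policy ... --format=json` and `gcloud iam service-accounts get-iam-policy ... --format=json` print, reports which required binding is missing, and emits the matching `add-iam-policy-binding` command. The project number, project ID, region, service name and both policy documents are constructed sample values; the sample runtime service-account policy is deliberately empty, which is the state that produces the `iam.serviceaccounts.actAs` denial.

```python
"""Check that the Cloud Build service account can deploy to Cloud Run.

Added example (not from the original post). Reads IAM policy JSON as
printed by `gcloud ... get-iam-policy --format=json` and reports the
two bindings a Cloud Build -> Cloud Run deploy needs:
  1. roles/run.admin on the Cloud Run service
  2. roles/iam.serviceAccountUser on the runtime service account
All identifiers below are constructed placeholders, not real values.
"""
import json

PROJECT_NUMBER = "123456789012"   # constructed placeholder
PROJECT_ID = "my-project"         # constructed placeholder
REGION = "us-central1"            # constructed placeholder
SERVICE_NAME = "my-service"       # constructed placeholder
CLOUD_BUILD_SA = f"{PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"
RUNTIME_SA = f"{PROJECT_NUMBER}-compute@developer.gserviceaccount.com"

# Constructed sample policies in the same shape gcloud prints: the Cloud Run
# service already grants run.admin to the Cloud Build SA, but the runtime SA
# has no bindings at all, so the actAs check in the deploy step will fail.
SERVICE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/run.admin",
         "members": [f"serviceAccount:{CLOUD_BUILD_SA}"]},
        {"role": "roles/run.invoker", "members": ["allUsers"]},
    ],
    "etag": "BwXyz123",
    "version": 1,
})
RUNTIME_SA_POLICY = json.dumps({"bindings": [], "etag": "ACAB", "version": 1})


def has_binding(policy_json: str, role: str, member: str) -> bool:
    """True if `member` is listed under `role` in an IAM policy document."""
    policy = json.loads(policy_json)
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and member in binding.get("members", []):
            return True
    return False


def missing_bindings(service_policy_json: str, runtime_sa_policy_json: str,
                     cloud_build_sa: str = CLOUD_BUILD_SA,
                     runtime_sa: str = RUNTIME_SA):
    """Return (description, fix_command) for each required binding that is absent."""
    member = f"serviceAccount:{cloud_build_sa}"
    problems = []
    if not has_binding(service_policy_json, "roles/run.admin", member):
        problems.append((
            "Cloud Build SA lacks roles/run.admin on the Cloud Run service",
            f"gcloud run services add-iam-policy-binding {SERVICE_NAME} "
            f"--member={member} --role=roles/run.admin "
            f"--project={PROJECT_ID} --region={REGION}",
        ))
    if not has_binding(runtime_sa_policy_json,
                       "roles/iam.serviceAccountUser", member):
        problems.append((
            f"Cloud Build SA lacks roles/iam.serviceAccountUser on {runtime_sa} "
            "(this is the iam.serviceaccounts.actAs denial)",
            f"gcloud iam service-accounts add-iam-policy-binding {runtime_sa} "
            f"--member={member} --role=roles/iam.serviceAccountUser "
            f"--project={PROJECT_ID}",
        ))
    return problems


if __name__ == "__main__":
    # Run the check over the constructed sample policies.
    for description, fix in missing_bindings(SERVICE_POLICY, RUNTIME_SA_POLICY):
        print(f"MISSING: {description}\n  fix: {fix}")
```

On a real project, pipe the two `get-iam-policy --format=json` outputs into `missing_bindings` instead of the constructed strings; the check only reads policy, so it can run from an account that has no permission to change anything.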
If you have verified your service accounts/roles and everything is correct, you can also initialize the gcloud SDK. In my case, I ran into this error after installing the gcloud SDK and logging in but never initializing it, so options such as the project and the account/service account were not set properly.
After I ran the gcloud init command and set each option, it started working.
Note that if your deployment step references other services (for example, my cloudbuild.yaml copies DAGs and data to Google Cloud Composer), you also need to grant the relevant roles to [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com; in my case, this was the Composer Worker role.