Cloud Build service account no access to storage.objects.get

Tags: , , ,



I am trying to get a Google Cloud Functions to print something from a file in a storage bucket. I have the file stored in a bucket, an authenticated service account with Storage Admin, Cloud Run Admin, Service Account User and Cloud Functions Admin and the following python script.

def from_storage(event, context):
    import json
    from google.cloud import storage

    client = storage.Client(project='my-project')
    try:
        bucket = client.get_bucket('my-storage')
    except Exception as e:
        print('Bucket not found.')
        print(e)
    try:
        blob = bucket.blob('Hello_World.json')
        data = json.load(blob.download_as_string())
        return data
    except Exception as e:
        print('Error loading file:')
        print(e)

I try to deploy this with the following code:

gcloud functions deploy from_storage --runtime python39 --triger-http --allow-unauthenticated

To which I get an error that the deploying service account (which seems to be an automatically created service account), does not have storage.objects.get permissions:

ERROR: (gcloud.functions.deploy) OperationError: code=3, message=Build failed: could not resolve storage source: googleapi: Error 403: 488395598433@cloudbuild.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object., forbidden

I find this rather strange, as I do not see this service account in my IAM, nor can I access its permissions in Cloud Functions. Any help would be greatly appreciated!

Answer

I would guess that the 488395598433@cloudbuild.gserviceaccount.com – is a Cloud Build service account, where the prefix (number) is the number of the project, where that Cloud Build is running. Can you check that the Cloud Build API is enabled, please? and the Cloud Build service account has relevant permissions, please?

During the runtime, by default, the cloud function is running under PROJECT_ID@appspot.gserviceaccount.com service account, where the PROJECT_ID is the ID of the project, where that cloud function is deployed (and should run). This is an App Engine default service account.

It is possible (and recommended) to create a dedicated service accounts according to the principle of least privilege. In that case you might deploy the cloud function with correspondent arguments (not in your example).

From the best of my understanding of your particular example, the default App Engine service account is going to be used.

In either case, the cloud function runtime service account should have relevant privileges (IAM permissions/roles) to work with APIs and resources (in any projects).

Can you check that the cloud function runtime service account has a relevant permissions for accessing the cloud storage bucket, please? Bear in mind that the cloud function might be deployed into one project, and the bucket might be in another project.

In your post you mentioned that you have a “an authenticated service account with” some permissions. What is that service account for, if you deploy your service account with the default App Engine Account? Probably I missed something. “In order to deploy a function with a non-default service account, the deployer must have the iam.serviceAccounts.actAs permission on the service account being deployed.” – from Permissions required to use non-default identities If that is your case – can you check it as well, please?



Source: stackoverflow