deploy-cloudrun
Incorrect IAM permissions in the starter workflow
TL;DR
Deployment fails when deploying to Cloud Run from source with using the default template.
Expected behavior
Successful deploy
Observed behavior
Failure to deploy with the following error message:
Error: google-github-actions/deploy-cloudrun failed with: failed to execute gcloud command `gcloud run deploy MY-SERVICE --quiet --platform managed --region europe-west6 --source ./src/ --project *** --format json`: This command is equivalent to running `gcloud builds submit --tag [IMAGE] ./src` and `gcloud run deploy MY-SERVICE --image [IMAGE]`
The name of my service has been replaced with MY-SERVICE
Action YAML
name: Deploy to Cloud Run from Source
on:
  push:
    branches: [ "main" ]
env:
  PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} # Google Cloud project id
  SERVICE: MY-SERVICE
  REGION: europe-west6
jobs:
  deploy:
    # Add 'id-token' with the intended permissions for workload identity federation
    permissions:
      contents: 'read'
      id-token: 'write'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Google Auth
        id: auth
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
          service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - [email protected]
      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@v0
        with:
          service: ${{ env.SERVICE }}
          region: ${{ env.REGION }}
          # NOTE: If required, update to the appropriate source folder
          source: ./src/
      # If required, use the Cloud Run url output in later steps
      - name: Show Output
        run: echo ${{ steps.deploy.outputs.url }}
Log output
No response
Additional information
Steps followed:
- Go to GitHub Actions tab in my repo
- Create new workflow
- Select "configure" on "Build and deploy from source" (screenshot)
- Update env vars
I'm looking to use my own Dockerfile in ./src/. I've updated the source parameter accordingly: source: ./src/.
I've also tried removing the trailing slash. This results in the same error.
I've used a different service name to ensure it's unique and the error is the same.
Hi there - could you please provide the debug output for the complete GitHub Actions workflow run?
Good call. I've enabled the debug output and downloaded the logs. Available here.
It looks like this is the specific error:
Deployment failed
ERROR: (gcloud.run.deploy) The user is forbidden from accessing the bucket [***_cloudbuild]. Please check your organization's policy or if the user has the "serviceusage.services.use" permission. Giving the user Owner, Editor, or Viewer roles may also fix this issue. Alternatively, use the --no-source option and access your source code via a different method.
Although I've followed the instructions in the template and both enabled and set permissions for Cloud Run, Cloud Build, Cloud Storage and Artifact Registry.
I've followed that error message and added the roles/serviceusage.serviceUsageAdmin as well. Here are the roles currently assigned to my service account:
ROLE
roles/artifactregistry.admin
roles/cloudbuild.builds.editor
roles/cloudfunctions.developer
roles/iam.serviceAccountUser
roles/run.admin
roles/secretmanager.secretAccessor
roles/serviceusage.serviceUsageAdmin
roles/storage.objectAdmin
The error remains after just trying a re-run.
I've figured out the problem. Once again it's misleading info in the workflow template. The template comments mention the following permissions:
# 3. Ensure the required IAM permissions are granted
#
# Cloud Run
# roles/run.admin
# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
#
# Cloud Build
# roles/cloudbuild.builds.editor
#
# Cloud Storage
# roles/storage.objectAdmin
#
# Artifact Registry
# roles/artifactregistry.admin (project or repository level)
However roles/storage.objectAdmin is incorrect. You actually need roles/storage.admin, as per the docs.
I've tested and can confirm it's working with the Storage Admin role.
@verbanicm
@verbanicm can you take a look at updating the starter workflows? This came up again in a usability study.
Will be closed when https://github.com/actions/starter-workflows/pull/2478 is merged. There's a new IAM permission, roles/run.sourceDeveloper, that handles this.
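Added example for this thread (not code from deploy-cloudrun or the starter workflow): a small POSIX shell check that takes the role list bound to a deployer service account and reports whether it covers a Cloud Run deploy from source, using the role set established above. The template's undisputed roles are required as listed; the source-bucket access that failed in the thread is satisfied by roles/storage.admin (the reporter's fix) or roles/run.sourceDeveloper (the maintainer's closing comment), and roles/storage.objectAdmin is deliberately not accepted. Treating roles/run.sourceDeveloper as covering only the bucket requirement, and the gcloud invocation shown in the comment as the way to obtain the list, are assumptions of this example; the sample role list is the reporter's own, embedded here as constructed input so the script runs offline.

```shell
#!/bin/sh
# Added example; not part of the deploy-cloudrun project or starter workflow.
# Decides whether a deployer service account's roles cover "deploy from source"
# and names what is missing.
#
# Constructed input: the role list the reporter posted. In a real check the
# list would come from, for example (assumed invocation):
#   gcloud projects get-iam-policy "$PROJECT_ID" \
#     --flatten="bindings[].members" \
#     --filter="bindings.members:serviceAccount:$SA_EMAIL" \
#     --format="value(bindings.role)"
REPORTER_ROLES='roles/artifactregistry.admin
roles/cloudbuild.builds.editor
roles/cloudfunctions.developer
roles/iam.serviceAccountUser
roles/run.admin
roles/secretmanager.secretAccessor
roles/serviceusage.serviceUsageAdmin
roles/storage.objectAdmin'

# Roles from the template's list that the thread did not dispute.
BASE_ROLES='roles/run.admin
roles/iam.serviceAccountUser
roles/cloudbuild.builds.editor
roles/artifactregistry.admin'

# has_role ROLE_LIST ROLE: succeeds if ROLE appears as a whole line in ROLE_LIST.
has_role() {
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

# bucket_access_ok ROLE_LIST: the *_cloudbuild bucket access that failed in the
# thread. roles/storage.objectAdmin is not accepted; roles/run.sourceDeveloper
# is assumed (per the closing comment) to cover this requirement only.
bucket_access_ok() {
  has_role "$1" roles/storage.admin || has_role "$1" roles/run.sourceDeveloper
}

# missing_roles ROLE_LIST: prints what is missing, one per line; empty when complete.
missing_roles() {
  missing=''
  for r in $BASE_ROLES; do
    has_role "$1" "$r" || missing="${missing}${r}
"
  done
  bucket_access_ok "$1" || missing="${missing}roles/storage.admin (or roles/run.sourceDeveloper)
"
  printf '%s' "$missing"
}

# source_deploy_ready ROLE_LIST: succeeds only when nothing is missing.
source_deploy_ready() {
  [ -z "$(missing_roles "$1")" ]
}

# report ROLE_LIST: human-readable verdict.
report() {
  if source_deploy_ready "$1"; then
    echo "OK: role set is sufficient for deploy from source"
  else
    echo "MISSING for deploy from source:"
    missing_roles "$1" | sed 's/^/  /'
  fi
}

# The reporter's list as posted, then the same list with the fix applied.
report "$REPORTER_ROLES"
report "$REPORTER_ROLES
roles/storage.admin"
```

Run as-is to see the reporter's list flagged for the bucket role and the fixed list pass; to check a real account, replace REPORTER_ROLES with the output of the gcloud command in the comment. Exact line matching (grep -xF) is intentional so that roles/storage.objectAdmin never matches roles/storage.admin by prefix.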