
Trouble deploying using IAM instructions

Open mlovci opened this issue 2 years ago • 2 comments

TL;DR

I think I'm following the instructions in the example Cloud Run steps, but I'm not sure how to follow the step that requires IAM permissions. I believe this is the reason I'm experiencing an error with my GitHub Action - can you help me determine how to set the permissions, or diagnose the problem if it's something else? The IAM permissions error is provided below.

Expected behavior

No response

Observed behavior

No response

Action YAML

# This workflow will deploy source code on Cloud Run when a commit is pushed to the "main" branch
#
# Overview:
#
# 1. Authenticate to Google Cloud
# 2. Deploy it to Cloud Run
#
# To configure this workflow:
#
# 1. Ensure the required Google Cloud APIs are enabled:
#
#    Cloud Run            run.googleapis.com
#    Cloud Build          cloudbuild.googleapis.com
#    Artifact Registry    artifactregistry.googleapis.com
#
# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
#
# 3. Ensure the required IAM permissions are granted
#
#    Cloud Run
#      roles/run.admin
#      roles/iam.serviceAccountUser     (to act as the Cloud Run runtime service account)
#
#    Cloud Build
#      roles/cloudbuild.builds.editor
#
#    Cloud Storage
#      roles/storage.objectAdmin
#
#    Artifact Registry
#      roles/artifactregistry.admin     (project or repository level)
#
#    NOTE: You should always follow the principle of least privilege when assigning IAM roles
#
# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
#
# 5. Change the values for the SERVICE and REGION environment variables (below).
#
# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
#
# Further reading:
#   Cloud Run runtime service account   - https://cloud.google.com/run/docs/securing/service-identity
#   Cloud Run IAM permissions           - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy
#   Cloud Run builds from source        - https://cloud.google.com/run/docs/deploying-source-code
#   Principle of least privilege        - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege

name: Deploy to Cloud Run from Source

on:
  push:
    branches: [ "main" ]

env:
  PROJECT_ID: directed # TODO: update Google Cloud project id
  SERVICE: upload # TODO: update Cloud Run service name
  REGION: us-central1 # TODO: update Cloud Run service region
  SNOWFLAKE_ACCOUNT: '${{ secrets.SNOWFLAKE_ACCOUNT }}'
  SNOWFLAKE_USER: '${{ secrets.SNOWFLAKE_USER }}'
  SNOWFLAKE_PASSWORD: '${{ secrets.SNOWFLAKE_PASSWORD }}'
jobs:
  deploy:
    # Add 'id-token' with the intended permissions for workload identity federation
    permissions:
      contents: 'read'
      id-token: 'write'

    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Google Auth
        id: auth
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
          service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - [email protected]

      # NOTE: Alternative option - authentication via credentials json
      # - name: Google Auth
      #   id: auth
      #   uses: 'google-github-actions/auth@v0'
      #   with:
      #     credentials_json: '${{ secrets.GCP_CREDENTIALS }}'

      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@v0
        with:
          service: ${{ env.SERVICE }}
          region: ${{ env.REGION }}
          # NOTE: If required, update to the appropriate source folder
          source: ./

      # If required, use the Cloud Run url output in later steps
      - name: Show Output
        run: echo ${{ steps.deploy.outputs.url }}

Log output

deploy
google-github-actions/deploy-cloudrun failed with: failed to execute gcloud command `gcloud run deploy bioplex-upload --quiet --platform managed --region us-central1 --source ./ --project directed-helaina --format json`: ERROR: Permission denied while accessing Artifact Registry. Artifact Registry access is required to deploy from source.
ERROR: (gcloud.run.deploy) PERMISSION_DENIED: Permission 'artifactregistry.repositories.get' denied on resource '//artifactregistry.googleapis.com/projects/directed-helaina/locations/us-central1/repositories/cloud-run-source-deploy' (or it may not exist).
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: artifactregistry.googleapis.com
  metadata:
    permission: artifactregistry.repositories.get
    resource: projects/directed-helaina/locations/us-central1/repositories/cloud-run-source-deploy
  reason: IAM_PERMISSION_DENIED
deploy
The following actions uses node12 which is deprecated and will be forced to run on node16: actions/checkout@v2. For more info: https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/

Additional information

No response

mlovci, Aug 18 '23 01:08
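The header comment in the workflow lists the roles the deploying service account needs, and the log shows which single permission was actually refused. The script below is an added example, not code from the issue or from the deploy-cloudrun action: it parses a PERMISSION_DENIED line of the shape quoted above into permission, project, location and repository, maps the permission to the role the workflow header names for that service, and prints (does not run) the gcloud commands that grant the role and verify the result. The project id `my-project` and the service account `github-deployer@...` are placeholders; `cloud-run-source-deploy` is the repository name from the log, which is the one `gcloud run deploy --source` creates on first use. The role mapping is the workflow's own list and is deliberately coarse; roles/artifactregistry.admin is far more than `repositories.get`, so once deployments work, narrow it to the repository-level binding the script also prints.

```shell
#!/usr/bin/env bash
# Added example, not part of the issue or of the deploy-cloudrun action.
# Turns the PERMISSION_DENIED line printed by `gcloud run deploy --source`
# into the missing IAM binding and prints the gcloud commands that would
# grant and verify it. Nothing here contacts Google Cloud.
set -eu

# Constructed sample line in the shape of the error quoted in the issue.
# "my-project" and the service account are placeholders, not real resources.
SAMPLE_ERROR="ERROR: (gcloud.run.deploy) PERMISSION_DENIED: Permission 'artifactregistry.repositories.get' denied on resource '//artifactregistry.googleapis.com/projects/my-project/locations/us-central1/repositories/cloud-run-source-deploy' (or it may not exist)."
SAMPLE_SA="github-deployer@my-project.iam.gserviceaccount.com"

# Field extractors: each prints one value, or nothing if the line does not match.
parse_permission() { printf '%s\n' "$1" | sed -n "s/.*Permission '\([^']*\)' denied.*/\1/p"; }
parse_resource()   { printf '%s\n' "$1" | sed -n "s/.*denied on resource '\([^']*\)'.*/\1/p"; }
project_of()       { printf '%s\n' "$1" | sed -n 's#.*/projects/\([^/]*\).*#\1#p'; }
location_of()      { printf '%s\n' "$1" | sed -n 's#.*/locations/\([^/]*\).*#\1#p'; }
repository_of()    { printf '%s\n' "$1" | sed -n 's#.*/repositories/\([^/]*\).*#\1#p'; }

# role_for PERMISSION -> the predefined role the workflow header lists for the
# service that owns the permission. Coarse by design; see repo_fix_command.
role_for() {
    case "$1" in
        artifactregistry.*)        echo roles/artifactregistry.admin ;;
        cloudbuild.*)              echo roles/cloudbuild.builds.editor ;;
        storage.*)                 echo roles/storage.objectAdmin ;;
        run.*)                     echo roles/run.admin ;;
        iam.serviceAccounts.actAs) echo roles/iam.serviceAccountUser ;;
        *) echo "no role in the workflow header covers $1" >&2; return 1 ;;
    esac
}

# project_fix_command ERROR_LINE SA -> project-level grant. Needed for the
# first deploy: that deploy creates cloud-run-source-deploy, so a
# repository-level binding cannot exist yet and the message's
# "(or it may not exist)" branch is then the real cause.
project_fix_command() {
    local perm res role
    perm=$(parse_permission "$1"); res=$(parse_resource "$1"); role=$(role_for "$perm")
    printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=%s\n' \
        "$(project_of "$res")" "$2" "$role"
}

# repo_fix_command ERROR_LINE SA -> the narrower repository-level grant,
# usable once the repository exists.
repo_fix_command() {
    local perm res role
    perm=$(parse_permission "$1"); res=$(parse_resource "$1"); role=$(role_for "$perm")
    printf 'gcloud artifacts repositories add-iam-policy-binding %s --location=%s --project=%s --member=serviceAccount:%s --role=%s\n' \
        "$(repository_of "$res")" "$(location_of "$res")" "$(project_of "$res")" "$2" "$role"
}

# exists_command ERROR_LINE -> run as a project owner. NOT_FOUND means the
# repository is missing and the deploy SA needs project-level create rights.
exists_command() {
    local res
    res=$(parse_resource "$1")
    printf 'gcloud artifacts repositories describe %s --location=%s --project=%s\n' \
        "$(repository_of "$res")" "$(location_of "$res")" "$(project_of "$res")"
}

# troubleshoot_command ERROR_LINE SA -> asks Policy Troubleshooter about the
# exact permission and resource from the error, not a project-level guess.
troubleshoot_command() {
    local perm res
    perm=$(parse_permission "$1"); res=$(parse_resource "$1")
    printf 'gcloud policy-troubleshoot iam %s --principal-email=%s --permission=%s\n' \
        "$res" "$2" "$perm"
}

# Stand-alone demo on the constructed sample.
echo "# 1. does the repository exist?";          exists_command "$SAMPLE_ERROR"
echo "# 2. grant for the first deploy:";         project_fix_command "$SAMPLE_ERROR" "$SAMPLE_SA"
echo "# 3. narrower grant once it exists:";      repo_fix_command "$SAMPLE_ERROR" "$SAMPLE_SA"
echo "# 4. confirm the exact permission:";       troubleshoot_command "$SAMPLE_ERROR" "$SAMPLE_SA"
```

Paste the real ERROR line from the Actions log in place of SAMPLE_ERROR and the WIF service account in place of SAMPLE_SA; the printed commands still need to be run by a principal that can set IAM policy on the project. Running the describe command first matters because the API reports a missing repository and a missing permission with the same text.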

I'm running into the same issue (although I'm using auth@v2). The IAM Policy Troubleshooter states that the service account has the artifactregistry.repositories.get permission:

[image attachment: Policy Troubleshooter result, not reproduced]

colinrsmall, Feb 08 '24 03:02

Is this related to https://issuetracker.google.com/issues/322167526?

sethvargo, Feb 08 '24 21:02

Closing due to lack of response. Please open a new issue if this is still occurring. Thanks!

sethvargo, Mar 28 '24 14:03