Deploy to Cloud Run from Source is failing with Artifact Registry permission issue

Open intesar opened this issue 2 years ago • 1 comments

TL;DR

Here is the example I followed: https://github.com/google-github-actions/example-workflows/blob/main/workflows/deploy-cloudrun/cloudrun-source.yml

  • Repository exists
  • Permission exists

Expected behavior

Expected the Cloud Run to deploy the Node application from the source.

Observed behavior

Deployment failed with ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: Permission 'artifactregistry.repositories.get' denied on resource '//artifactregistry.googleapis.com/projects/api-project-222898232626/locations/us-central1/repositories/cloud-run-source-deploy' (or it may not exist).

Action YAML

name: Deploy to Cloud Run from Source

on:
  push:
    branches:
      - "main"

env:
  PROJECT_ID: api-project-222898232626
  SERVICE: api-discovery
  REGION: us-central1

jobs:
  deploy:
    # Add 'id-token' with the intended permissions for workload identity federation
    permissions:
      contents: 'read'
      id-token: 'write'

    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Google Auth
        id: auth
        uses: 'google-github-actions/auth@v0'
        with:
          workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
          service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com

      # NOTE: Alternative option - authentication via credentials json
      # - name: Google Auth
      #   id: auth
      #   uses: 'google-github-actions/auth@v0'
      #   with:
      #     credentials_json: '${{ secrets.GCP_CREDENTIALS }}'

      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@v0
        with:
          service: ${{ env.SERVICE }}
          region: ${{ env.REGION }}
          # NOTE: If required, update to the appropriate source folder
          source: ./

      # If required, use the Cloud Run url output in later steps
      - name: Show Output
        run: echo ${{ steps.deploy.outputs.url }}

Log output

google-github-actions/deploy-cloudrun failed with: failed to execute gcloud command `gcloud beta run deploy api-discovery --quiet --platform managed --region us-central1 --source ./ --project api-project-222898232626 --format json`: ERROR: Permission denied while accessing Artifact Registry. Artifact Registry access is required to deploy from source.
ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: Permission 'artifactregistry.repositories.get' denied on resource '//artifactregistry.googleapis.com/projects/api-project-222898232626/locations/us-central1/repositories/cloud-run-source-deploy' (or it may not exist).
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: artifactregistry.googleapis.com
  metadata:
    permission: artifactregistry.repositories.get
    resource: projects/api-project-222898232626/locations/us-central1/repositories/cloud-run-source-deploy
  reason: IAM_PERMISSION_DENIED

Additional information

No response

intesar, Jul 13 '22 02:07

What permissions does the service account in WIF_SERVICE_ACCOUNT have?

sethvargo, Jul 13 '22 14:07
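
One way to answer the question above offline, as an added example that is not part of the original thread or the action's code: parse the denied permission out of the gcloud error and compare it with the roles bound to the deploying service account in a project IAM policy export. The policy, the account names, and the `ROLES_GRANTING` table are constructed assumptions.

```python
import re

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# Account names and bindings are placeholders, not values from the issue.
DEPLOYER = "serviceAccount:deployer@example-project.iam.gserviceaccount.com"
OTHER = "serviceAccount:other@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/run.admin", "members": [DEPLOYER]},
    {"role": "roles/iam.serviceAccountUser", "members": [DEPLOYER]},
    {"role": "roles/artifactregistry.reader", "members": [OTHER]},
]}

# Error line in the format shown in the issue, with a placeholder project id.
SAMPLE_ERROR = ("ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: Permission "
                "'artifactregistry.repositories.get' denied on resource "
                "'//artifactregistry.googleapis.com/projects/example-project/locations/"
                "us-central1/repositories/cloud-run-source-deploy' (or it may not exist).")

# Assumption: partial list of predefined roles that include the permission.
# Basic and custom roles are not covered and must be checked separately.
ROLES_GRANTING = {"artifactregistry.repositories.get": {
    "roles/artifactregistry.reader", "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin", "roles/artifactregistry.admin"}}

def parse_denied(error_text):
    """Return (permission, resource) from a PERMISSION_DENIED line, or None."""
    m = re.search(r"Permission '([^']+)' denied on resource '([^']+)'", error_text)
    return m.groups() if m else None

def diagnose(policy, member, error_text):
    """Report which of the member's roles, if any, cover the denied permission."""
    parsed = parse_denied(error_text)
    if parsed is None:
        return None
    permission, resource = parsed
    plain, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            # A conditional binding may not apply to this resource; keep it apart.
            (conditional if "condition" in binding else plain).add(binding["role"])
    granting = ROLES_GRANTING.get(permission, set())
    return {"permission": permission, "resource": resource,
            "roles": sorted(plain | conditional),
            "granted_by": sorted(plain & granting),
            "conditional_candidates": sorted(conditional & granting)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_POLICY, DEPLOYER, SAMPLE_ERROR))
```

An empty `granted_by` only covers the project-level policy passed in; a binding on the repository itself, or the repository not existing as the error text allows, has to be checked separately.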

Closing due to lack of response.

sethvargo, Nov 29 '22 18:11