[getting-started-with-mcp-adk-a2a]
Sorry if you mentioned this in some part of the documentation but I couldn't find it.
I had some problems running the MCP server on Cloud Run, and these are the IAM permissions required in my case (Argolis env).
I added these permissions to my default Compute Engine SA and was able to run the container:
- Storage Object Viewer
- Logs Writer
- Cloud Build Service Account
I don't know if they're the best ones (least privilege).
Thank you.
Renato Takaasi [CE]
Thanks @tkrenato, I can make these permissions more explicitly clear in the codelab by calling them out.
Jack, I am running into the same issue as Renato:
krislarson@Kriss-MacBook-Pro mcp-server % gcloud run deploy mcp-server --no-allow-unauthenticated --region=us-central1 --source .
Building using Dockerfile and deploying container to Cloud Run service [mcp-server] in project [agent-dev-kit-a2a-mcp] region [us-central1]
X Building and deploying new service... Uploading sources.
✓ Uploading sources...
. Building Container...
. Creating Revision...
. Routing traffic...
Deployment failed
ERROR: (gcloud.run.deploy) INVALID_ARGUMENT: Invalid build request. could not resolve source: googleapi: Error 403: [email protected] does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist)., forbidden
I found the compute service account under IAM & Admin / Service Accounts in the console and added these roles, based on the various error messages I had:
- Storage Object Viewer
- Logs Writer
- Artifact Registry Writer
Then I was able to deploy the service.
I'm going to dig into Cloud Run a little deeper to try and understand what's going on.