GoogleCloudPlatform / bigquery-dlp-remote-function

Use Remote Functions to tokenize data with DLP in BigQuery using SQL
https://cloud.google.com/dlp/docs/deidentify-bq-tutorial
Apache License 2.0

Cloud Build Service Account Access Denied #70

Open afleisc opened 5 months ago

afleisc commented 5 months ago

When following the terraform deploy steps, I get the following error:

AccessDeniedException: 403 758130749455-compute@developer.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist).
Fetching storage object: gs://afleisc-udf-test_cloudbuild/source/1717078378.321001-d8ace147e8aa4b8e888d37b62b6cde32.tgz#1717078379063241

I believe this is due to the changes mentioned in this doc: https://cloud.google.com/build/docs/cloud-build-service-account-updates

With new projects, Cloud Build will use the Compute Engine service account, which doesn't have access to buckets for logging by default. I ran into the same issue with a project of mine, and I believe the solution is to create a separate SA for Cloud Build and give it the Logs Writer (roles/logging.logWriter) role.
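The fix described in this comment, written out as Terraform. This is an added example, not part of the bigquery-dlp-remote-function repository's own deploy steps: it creates a dedicated, least-privilege service account for Cloud Build instead of running builds under the default Compute Engine service account, grants it Logs Writer, and scopes the read grant to the `<project>_cloudbuild` source bucket named in the error above (the `storage.objects.list` denial). `var.project_id`, `var.deployer_member`, the account id `bq-dlp-cloudbuild` and the bucket-name pattern are assumptions.

```terraform
# Added example (not the repository's own Terraform). Assumed inputs:
#   var.project_id      - GCP project that runs the build
#   var.deployer_member - principal running the deploy, e.g. "user:you@example.com"

# Dedicated build identity: keeps the broad default Compute Engine SA out of the build.
resource "google_service_account" "cloudbuild" {
  project      = var.project_id
  account_id   = "bq-dlp-cloudbuild" # assumed name
  display_name = "Cloud Build runner for bigquery-dlp-remote-function"
}

# A build that runs under a user-specified service account must be able to write
# its logs to Cloud Logging, otherwise it fails before the first step starts.
resource "google_project_iam_member" "cloudbuild_logs_writer" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.cloudbuild.email}"
}

# The 403 in the issue is storage.objects.list on the *_cloudbuild source bucket
# (the bucket `gcloud builds submit` stages sources in). Grant read on that bucket
# only, not roles/storage.objectViewer at project scope.
resource "google_storage_bucket_iam_member" "cloudbuild_source_reader" {
  bucket = "${var.project_id}_cloudbuild" # assumed: default staging bucket name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.cloudbuild.email}"
}

# Whoever submits the build must be allowed to act as the new SA; without this
# the submit call is rejected with an iam.serviceAccounts.actAs error.
resource "google_service_account_iam_member" "deployer_can_act_as" {
  service_account_id = google_service_account.cloudbuild.name
  role               = "roles/iam.serviceAccountUser"
  member             = var.deployer_member
}

# Expose the email so the deploy step can pass it to Cloud Build.
output "cloudbuild_service_account" {
  value = google_service_account.cloudbuild.email
}
```

Pass the output to the build either with `gcloud builds submit --service-account=projects/PROJECT_ID/serviceAccounts/SA_EMAIL` or via the `service_account` argument of a `google_cloudbuild_trigger`. If the deploy should not depend on the Logs Writer grant at all, the other option Cloud Build documents is setting `options: { logging: CLOUD_LOGGING_ONLY }` in the build config, which makes the build write logs under its own identity rather than to the default logs bucket. Any further roles the build needs (for example to deploy the Cloud Run service) should be added to this SA one at a time rather than falling back to the default Compute Engine account.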

anantdamle commented 2 months ago

Thanks for flagging the issue. Apologies for the delayed response. I will fix it in the next few weeks.