Closed (kbhagi closed 1 year ago)
I have not seen this issue, and cannot reproduce it on a clean new project.
The permissions assigned to the role roles/iam.serviceAccountTokenCreator should already be included in roles/pubsub.serviceAgent, which is automatically set up and assigned to the Pub/Sub service account:
gcloud projects get-iam-policy $PROJECT_ID
...
- members:
- serviceAccount:service-XXXXXXX@gcp-sa-pubsub.iam.gserviceaccount.com
role: roles/pubsub.serviceAgent
Aha!
From https://cloud.google.com/run/docs/triggering/pubsub-push#create-push-subscription:
Important: If your project was created on or before April 8, 2021, you must grant the iam.serviceAccountTokenCreator role to the Google-managed service account service-{PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com on the project in order to allow Pub/Sub to create tokens. However, if your project was created after that date, you do not need to grant it this role because it has the roles/pubsub.serviceAgent role with identical permissions.
I will add this to the documentation.
Actually it was already there, although the link needs updating:
If you're using an existing project that was created before April 8, 2021, configure Pub/Sub for push notifications.
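As an added example (not part of this thread or the project's code), the check below reads an IAM policy in the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json`, finds the Pub/Sub service agent (`service-{PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com`) and reports whether it holds either `roles/pubsub.serviceAgent` or `roles/iam.serviceAccountTokenCreator`, which the quoted docs treat as equivalent for token creation. The two policies are constructed samples with a made-up project number and the project id `my-project` is a placeholder; on a real project you would feed the script the actual `gcloud` output.

```python
import json
import re

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`
# (project number and member names are made up for this example).
SAMPLE_POLICY_OK = json.dumps({
    "bindings": [
        {"role": "roles/pubsub.serviceAgent",
         "members": ["serviceAccount:service-123456789012@gcp-sa-pubsub.iam.gserviceaccount.com"]},
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:service-123456789012@gs-project-accounts.iam.gserviceaccount.com"]},
    ]
})

# Same constructed policy with the service agent role stripped: the state an older
# project (created on or before April 8, 2021) can be in.
SAMPLE_POLICY_MISSING = json.dumps({
    "bindings": [
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:service-123456789012@gs-project-accounts.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:service-123456789012@gcp-sa-pubsub.iam.gserviceaccount.com"]},
    ]
})

# The Google-managed Pub/Sub service agent for any project number.
PUBSUB_AGENT_RE = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-pubsub\.iam\.gserviceaccount\.com$")

# Either role lets Pub/Sub create the token for an authenticated push subscription;
# the docs quoted in the thread state the two carry identical permissions for this.
TOKEN_ROLES = {"roles/pubsub.serviceAgent", "roles/iam.serviceAccountTokenCreator"}


def roles_by_member(policy_json, member_re):
    """Map every member matching member_re to the set of roles bound to it."""
    policy = json.loads(policy_json)
    found = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member_re.match(member):
                found.setdefault(member, set()).add(binding["role"])
    return found


def check_pubsub_push_tokens(policy_json, project_id):
    """Return (ok, fix_commands).

    ok is True when every Pub/Sub service agent in the policy holds one of
    TOKEN_ROLES. fix_commands lists the gcloud commands that grant only
    roles/iam.serviceAccountTokenCreator (the narrowest role that suffices)
    to the agents that lack it.
    """
    agents = roles_by_member(policy_json, PUBSUB_AGENT_RE)
    if not agents:
        # The service agent has no binding at all, so it is not the scenario from
        # the thread; report failure and suggest nothing rather than guess a member.
        return False, []
    fixes = []
    for member, roles in sorted(agents.items()):
        if not roles & TOKEN_ROLES:
            fixes.append(
                f"gcloud projects add-iam-policy-binding {project_id} "
                f"--member={member} --role=roles/iam.serviceAccountTokenCreator")
    return not fixes, fixes


if __name__ == "__main__":
    for name, policy in (("ok", SAMPLE_POLICY_OK), ("missing", SAMPLE_POLICY_MISSING)):
        ok, fixes = check_pubsub_push_tokens(policy, "my-project")
        print(name, "->", "ok" if ok else "needs fix")
        for cmd in fixes:
            print("  ", cmd)
```

The script only prints the `add-iam-policy-binding` command rather than running it, so the grant stays a deliberate, reviewed step; on a project created after the cutoff date the check passes on the existing `roles/pubsub.serviceAgent` binding and no extra role needs to be added.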
After activating the file upload trigger, I used a gsutil command to upload a file:
gsutil cp ./microservices/file-upload-and-scanning/scripts/testfile.gif "gs://${PROJECT_ID}-fileuploads-unscanned"
The file upload completes successfully. You can see the file in the bucket.
Expected result: the file should then be scanned and transferred.
Actual result: instead it fails silently.
Troubleshooting that I did: verified that the Eventarc trigger service account file-upload-malware-scanner@xxxxx-xxxxx.iam.gserviceaccount.com had all of the below IAM policy bindings.
Verified that the Cloud Storage SA service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com had the Pub/Sub Publisher role. The Cloud Storage trigger was configured properly and the SA used was the right one. In spite of these, the permission_denied error was seen in the INVOCATION chart of the trigger details.
The cause was a missing auth token permission that was required for the Pub/Sub service account. Adding the below permission fixed the issue.