Open yongsh88 opened 3 months ago
Thank you for raising the request! RAD Lab admins have been notified.
Hi, I've answered my own request. I fixed this by adding a storage permission in iam_permissions.tf. I suspected there was a change in the permissions of the build roles.
Describe the bug
I encountered an error when running the terraform command to install RADLab UI following the doc https://googlecloudplatform.github.io/rad-lab/docs/rad-lab-ui/ui_installation/infrastructure/:
google_project_iam_member.webapp_identity_permissions["roles/iam.serviceAccountTokenCreator"]: Creation complete after 22s [id=rad-lab-ui-c9cb/roles/iam.serviceAccountTokenCreator/serviceAccount:rad-lab-ui-identity@rad-lab-ui-c9cb.iam.gserviceaccount.com]
google_project_iam_member.webapp_identity_permissions["roles/secretmanager.admin"]: Creation complete after 22s [id=rad-lab-ui-c9cb/roles/secretmanager.admin/serviceAccount:rad-lab-ui-identity@rad-lab-ui-c9cb.iam.gserviceaccount.com]
google_project_iam_member.webapp_identity_permissions["roles/cloudbuild.builds.viewer"]: Creation complete after 16s [id=rad-lab-ui-c9cb/roles/cloudbuild.builds.viewer/serviceAccount:rad-lab-ui-identity@rad-lab-ui-c9cb.iam.gserviceaccount.com]
module.terraform_builder.null_resource.build_and_push_image (local-exec): ERROR: (gcloud.builds.submit) FAILED_PRECONDITION: invalid bucket "495034307116.cloudbuild-logs.googleusercontent.com"; default Cloud Build service account or user-specified service account does not have access to the bucket
google_artifact_registry_repository_iam_member.cloudbuild_registry_access: Still creating... [10s elapsed]
google_artifact_registry_repository_iam_member.terraform_builder_registry_access: Still creating... [10s elapsed]
google_artifact_registry_repository_iam_member.cloudbuild_registry_access: Still creating... [20s elapsed]
google_artifact_registry_repository_iam_member.terraform_builder_registry_access: Still creating... [20s elapsed]
google_artifact_registry_repository_iam_member.terraform_builder_registry_access: Creation complete after 21s [id=projects/rad-lab-ui-c9cb/locations/us-central1/repositories/rad-lab-ui-registry/roles/artifactregistry.writer/serviceAccount:rad-lab-ui-automation@rad-lab-ui-c9cb.iam.gserviceaccount.com]
google_artifact_registry_repository_iam_member.cloudbuild_registry_access: Creation complete after 23s [id=projects/rad-lab-ui-c9cb/locations/us-central1/repositories/rad-lab-ui-registry/roles/artifactregistry.reader/serviceAccount:rad-lab-module-creator@rad-lab-ui-c9cb.iam.gserviceaccount.com]
╷
│ Error: googleapi: Error 403: Unable to retrieve the repository metadata for projects/rad-lab-ui-c9cb/locations/us-central1/repositories/gcf-artifacts. Ensure that the Cloud Functions service account has 'artifactregistry.repositories.list' and 'artifactregistry.repositories.get' permissions. You can add the permissions by granting the role 'roles/artifactregistry.reader'., forbidden
│
│   with google_cloudfunctions_function.create_update_module,
│   on functions.tf line 41, in resource "google_cloudfunctions_function" "create_update_module":
│   41: resource "google_cloudfunctions_function" "create_update_module" {
│
╵
To Reproduce
Steps to reproduce the behavior: I'm using an Argolis environment, but I'm using an org admin account with Folder IAM Admin and Project Creator roles. It's also a billing admin (I've tried both internal and partner billing accounts). I used Cloud Shell.