MarkEdmondson1234 / googleCloudRunner

Easy R scripts on Google Cloud Platform via Cloud Run, Cloud Build and Cloud Scheduler
https://code.markedmondson.me/googleCloudRunner/

Potential new permission requirement for service accounts #212

Open kletts opened 4 days ago

kletts commented 4 days ago

I've just been following the standard setup script using the recommended settings via cr_setup() for a new project on Google Cloud; unfortunately cr_setup_test("plumber") failed with the following error message in the logs for Cloud Build:

"auth cloudrun": ERROR: (gcloud.run.services.add-iam-policy-binding) PERMISSION_DENIED: Permission 'run.services.setIamPolicy' denied on resource

I solved the issue by manually adding 'run.services.setIamPolicy' as Cloud Functions Admin to the roles of the service account.

I'm not sure if it was something I did or if this is a new build requirement from Google's end (I did find a blog post from August of some changes related to Cloud Functions and Cloud Run) or perhaps the role has simply been renamed as cr_setup_role_lookup() seems to include roles with similar looking roles -- perhaps cr_setup_role_lookup() needs to be updated. Unfortunately I don't know enough about the subtleties to make any concrete suggestions.

Thanks for a great package. Christian

MarkEdmondson1234 commented 4 days ago

Great thanks, yes looks like an IAM update. I suspect a less permissive role than Cloud Functions Admin will fix it too but glad you got over the blocker.
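
The following is an added example, not code from this thread or from googleCloudRunner: an offline check of which roles bound to a service account grant `run.services.setIamPolicy`, listed narrowest first so a broad role can be swapped for a smaller one. The project, service account and custom role names are constructed, the inputs are assumed to be saved JSON from `gcloud projects get-iam-policy` and `gcloud iam roles describe`, and IAM conditions on bindings are ignored.

```python
TARGET = "run.services.setIamPolicy"  # permission named in the Cloud Build error
SA = "serviceAccount:builder@demo-project.iam.gserviceaccount.com"  # constructed
P = "projects/demo-project/roles/"  # constructed custom-role prefix

# Constructed sample shaped like `gcloud projects get-iam-policy --format=json`.
POLICY = {"bindings": [
    {"role": P + "buildBase", "members": [SA]},
    {"role": P + "broadAdmin", "members": [SA]},
    {"role": P + "runIamBinder", "members": [SA, "user:dev@example.com"]},
]}

# Constructed role definitions shaped like `gcloud iam roles describe --format=json`.
ROLES = {
    P + "buildBase": {"includedPermissions": [
        "cloudbuild.builds.create", "run.services.get"]},
    P + "broadAdmin": {"includedPermissions": [
        "run.services.create", "run.services.update", "run.services.delete",
        "run.services.getIamPolicy", "run.services.setIamPolicy",
        "cloudfunctions.functions.create"]},
    P + "runIamBinder": {"includedPermissions": [
        "run.services.getIamPolicy", "run.services.setIamPolicy"]},
}


def roles_for(policy, member):
    """Every role the policy binds directly to this member."""
    return [b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])]


def granting_roles(policy, roles, member, permission):
    """(role, permission_count) pairs that grant `permission`, narrowest first."""
    hits = []
    for role in roles_for(policy, member):
        if role not in roles:
            # Refuse to guess: an undescribed role might or might not grant it.
            raise KeyError(f"no role definition supplied for {role}")
        perms = roles[role].get("includedPermissions", [])
        if permission in perms:
            hits.append((role, len(perms)))
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    found = granting_roles(POLICY, ROLES, SA, TARGET)
    print("missing permission" if not found else found)
```

An empty result corresponds to the `PERMISSION_DENIED` case reported above; more than one result means the roles after the first are candidates for removal.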