Closed ianyoung closed 1 month ago
Hi there - could you please provide the debug output for the complete GitHub Actions workflow run?
Good call. I've enabled the debug output and downloaded the logs. Available here.
It looks like this is the specific error:
Deployment failed
ERROR: (gcloud.run.deploy) The user is forbidden from accessing the bucket [***_cloudbuild]. Please check your organization's policy or if the user has the "serviceusage.services.use" permission. Giving the user Owner, Editor, or Viewer roles may also fix this issue. Alternatively, use the --no-source option and access your source code via a different method.
Although I've followed the instructions in the template and both enabled and set permissions for Cloud Run, Cloud Build, Cloud Storage and Artifact Registry.
I've followed that error message and added the roles/serviceusage.serviceUsageAdmin as well. Here are the roles currently assigned to my service account:
ROLE
roles/artifactregistry.admin
roles/cloudbuild.builds.editor
roles/cloudfunctions.developer
roles/iam.serviceAccountUser
roles/run.admin
roles/secretmanager.secretAccessor
roles/serviceusage.serviceUsageAdmin
roles/storage.objectAdmin
The error remains after just trying a re-run.
I've figured out the problem. Once again it's misleading info in the workflow template. The template comments mention the following permissions:
3. Ensure the required IAM permissions are granted
#
# Cloud Run
# roles/run.admin
# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account)
#
# Cloud Build
# roles/cloudbuild.builds.editor
#
# Cloud Storage
# roles/storage.objectAdmin
#
# Artifact Registry
# roles/artifactregistry.admin (project or repository level)
However roles/storage.objectAdmin is incorrect. You actually need roles/storage.admin, as per the docs.
I've tested and can confirm it's working with the Storage Admin role.
@verbanicm
@verbanicm can you take a look at updating the starter workflows? This came up again in a usability study.
Will be closed when https://github.com/actions/starter-workflows/pull/2478 is merged. There's a new IAM permission, roles/run.sourceDeveloper, that handles this.
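The role mismatch worked out in the comments above can be checked before a deploy. This is an added example, not part of the thread or of the workflow template: it reads the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and compares one service account's roles with the template list as corrected above. The account name, the `REQUIRED` set and the function names are assumptions made for illustration.

```python
import json

# Template roles quoted in the thread, with the Cloud Storage entry changed to
# roles/storage.admin as reported there. Treat this set as an assumption.
REQUIRED = {
    "roles/run.admin", "roles/iam.serviceAccountUser",
    "roles/cloudbuild.builds.editor", "roles/storage.admin",
    "roles/artifactregistry.admin",
}

def roles_for(policy, member):
    """Return (unconditional, conditional) role sets bound to one member."""
    plain, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            target = conditional if "condition" in binding else plain
            target.add(binding["role"])
    return plain, conditional

def audit(policy, service_account):
    """Compare a service account's project-level roles with REQUIRED."""
    plain, conditional = roles_for(policy, f"serviceAccount:{service_account}")
    missing = REQUIRED - plain
    return {
        "missing": sorted(missing),
        # Present only under an IAM condition, so it may not cover the deploy.
        "conditional_only": sorted(missing & conditional),
        # The failure mode in this thread: objectAdmin without storage.admin.
        "object_admin_only": "roles/storage.objectAdmin" in plain
        and "roles/storage.admin" not in plain,
        # Not in the template list (e.g. added while debugging): review these.
        "review": sorted(plain - REQUIRED),
    }

# Constructed sample: the role list posted in the thread, bound to a made-up account.
SA = "deployer@example-project.iam.gserviceaccount.com"
THREAD_ROLES = [
    "roles/artifactregistry.admin", "roles/cloudbuild.builds.editor",
    "roles/cloudfunctions.developer", "roles/iam.serviceAccountUser",
    "roles/run.admin", "roles/secretmanager.secretAccessor",
    "roles/serviceusage.serviceUsageAdmin", "roles/storage.objectAdmin",
]
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": r, "members": [f"serviceAccount:{SA}"]} for r in THREAD_ROLES]})

if __name__ == "__main__":
    print(json.dumps(audit(json.loads(SAMPLE_POLICY), SA), indent=2))
```

The `review` list is where roles granted while chasing the error show up, so they can be removed once the deploy works; roles granted at repository or bucket level do not appear in the project policy.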
TL;DR
Deployment fails when deploying to Cloud Run from source using the default template.
Expected behavior
Successful deploy
Observed behavior
Failure to deploy with the following error message:
The name of my service has been replaced with MY-SERVICE
Action YAML
Log output
No response
Additional information
Steps followed:
I'm looking to use my own Dockerfile in ./src/. I've updated the source parameter accordingly: source: ./src/. I've also tried removing the trailing slash. This results in the same error.
I've used a different service name to ensure it's unique and the error is the same.