nodejs / build

Better build and test infra for Node.

Give GCP access to trivikr with a "Editor" role for Container Registry and Cloud Run #3774

Open trivikr opened 3 months ago

trivikr commented 3 months ago

Follow-up to https://github.com/nodejs/build/issues/3760

Updating Node.js version on CloudRun needed back-and-forth https://github.com/nodejs/build/pull/3767#issuecomment-2182116915 @targos @nodejs/build-infra

targos commented 3 months ago

+1

richardlau commented 3 months ago

+1

targos commented 3 months ago

Container registry uses storage buckets, so I added you to the artifacts.nodejs-org.appspot.com bucket.

Added roles: (screenshot)

trivikr commented 3 months ago

I'm getting an error when running docker push

$ docker push gcr.io/nodejs-org/processcloudflare:latest
The push refers to repository [gcr.io/nodejs-org/processcloudflare]
0da38d68eb86: Pushing [==================================================>]   16.9kB
0ee473237b8a: Pushing [==================================================>]  53.93MB/53.93MB
b7498e9d3873: Pushing [==================================================>]  4.096kB
9279ccc76f81: Pushing   2.56kB
7467ef3c871b: Layer already exists 
434cc13f0a3f: Layer already exists 
913dc9e03897: Layer already exists 
eedd421a1799: Layer already exists 
1387079e86ad: Layer already exists 
denied: Access denied.

I've run gcloud auth configure-docker and I'm able to pull images

$ docker pull gcr.io/nodejs-org/processcloudflare@sha256:b86c048c80c366adfb116122557694d3dff12a62774a33fb298d83142b48bf3b
...
gcr.io/nodejs-org/processcloudflare@sha256:b86c048c80c366adfb116122557694d3dff12a62774a33fb298d83142b48bf3b: Pulling from nodejs-org/processcloudflare
fa1690ae9228: Pull complete 
2e799f213a71: Pull complete 
7889b64c76ee: Pull complete 
f014a43d13b9: Pull complete 
a362afa18dd0: Pull complete 
f2ae68db337f: Pull complete 
6abe74b5e2f0: Pull complete 
97514749f1a3: Pull complete 
1c0d6a0abd54: Pull complete 
Digest: sha256:b86c048c80c366adfb116122557694d3dff12a62774a33fb298d83142b48bf3b

This is the first time I'm using GCP, and I'm not sure what the issue is. There are some tips in this blog post.

trivikr commented 3 months ago

As per documentation, my GMail account might need to have Storage Legacy Bucket Writer permissions.

targos commented 3 months ago

@trivikr I added you this permission to the bucket.

trivikr commented 3 months ago

Thank you. The docker push was successful for processcloudflare

$ docker push gcr.io/nodejs-org/processcloudflare:latest
The push refers to repository [gcr.io/nodejs-org/processcloudflare]
0da38d68eb86: Pushed 
0ee473237b8a: Pushed 
b7498e9d3873: Pushed 
9279ccc76f81: Pushed 
7467ef3c871b: Layer already exists 
434cc13f0a3f: Layer already exists 
913dc9e03897: Layer already exists 
eedd421a1799: Layer already exists 
1387079e86ad: Layer already exists 
latest: digest: sha256:8fbdec8ab2fd3a2a6e237d812999e5420ca8d546fabcb417fbb12a422d1573e0 size: 2201

trivikr commented 3 months ago

The gcloud run deploy command failed.

$ gcloud run deploy processlogs --image gcr.io/nodejs-org/processcloudflare:latest --region us-central1 --no-allow-unauthenticated
Deploying container to Cloud Run service [processlogs] in project [nodejs-org] region [us-central1]
X Deploying...
  . Creating Revision...
  . Setting IAM Policy...
Deployment failed
ERROR: (gcloud.run.deploy) PERMISSION_DENIED: Permission 'iam.serviceaccounts.actAs' denied on service account metrics-processor@nodejs-org.iam.gserviceaccount.com (or it may not exist). This command is authenticated as <trivikr-email> which is the active account specified by the [core/account] property.

As per StackOverflow and Deployment permissions, the Cloud Run Admin and Service Account User roles are required to be added to the service account.

targos commented 3 months ago

I added the Service Account User role for the iam.serviceaccounts.actAs permission. I think Cloud Run Developer is enough for the rest.

trivikr commented 3 months ago

Verified that Service Account User and Cloud Run Developer roles were enough for running gcloud run deploy.

$ gcloud run deploy processlogs --image gcr.io/nodejs-org/processcloudflare:latest --region us-central1 --no-allow-unauthenticated
Deploying container to Cloud Run service [processlogs] in project [nodejs-org] region [us-central1]
X Deploying... Done.
  ✓ Creating Revision...
    Setting IAM Policy...
Completed with warnings:
  Setting IAM policy failed, try "gcloud beta run services remove-iam-policy-binding --region=us-central1 --member=allUsers --role=roles/run.invoker processlogs"
Service [processlogs] revision [processlogs-00062-qfw] has been deployed and is serving 0 percent of traffic.
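The thread converges on three grants (Storage Legacy Bucket Writer on the registry bucket, Service Account User on the runtime service account, Cloud Run Developer on the project), and the final deploy warns that the IAM policy step on the service failed, so the `allUsers` invoker binding the command tried to remove may still be in place. The script below is an added example, not code from the nodejs/build repository or from anyone in this thread: it audits policies in the JSON shape that `gcloud ... get-iam-policy --format=json` returns, reporting which of those roles a member still lacks and whether a Cloud Run service is publicly invokable. The member address and the sample policies are constructed placeholders, not real nodejs-org data; conditional bindings are deliberately not counted as grants, since they apply only while their condition holds.

```python
"""Audit exported GCP IAM policies for the bindings discussed in the thread.

Policies are dicts of the form {"bindings": [{"role": ..., "members": [...]}]},
the JSON that `gcloud ... get-iam-policy --format=json` emits. All sample data
below is constructed for the example (no real accounts or project policies).
"""
from typing import Dict, List, Set

# Roles the thread settled on, keyed by the resource each one is bound to.
# These are assumed to be the roles the commenters refer to by display name.
REQUIRED_ROLES: Dict[str, Set[str]] = {
    "bucket": {"roles/storage.legacyBucketWriter"},      # docker push to gcr.io
    "service_account": {"roles/iam.serviceAccountUser"},  # iam.serviceAccounts.actAs
    "project": {"roles/run.developer"},                   # gcloud run deploy
}

# Members that make a Cloud Run service reachable without an identity check.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def roles_for_member(policy: dict, member: str) -> Set[str]:
    """Return the roles granted unconditionally to `member` in `policy`.

    Bindings with a `condition` are skipped: they only apply while the CEL
    expression is true, so they do not count as a standing grant.
    """
    roles: Set[str] = set()
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def missing_roles(policies: Dict[str, dict], member: str) -> Dict[str, Set[str]]:
    """Map each resource to the required roles `member` does not yet hold there.

    Resources where nothing is missing are omitted, so an empty dict means the
    member has everything the thread found necessary for push + deploy.
    """
    missing: Dict[str, Set[str]] = {}
    for resource, needed in REQUIRED_ROLES.items():
        held = roles_for_member(policies.get(resource, {}), member)
        lacking = needed - held
        if lacking:
            missing[resource] = lacking
    return missing


def public_invokers(service_policy: dict) -> List[str]:
    """List public principals holding roles/run.invoker on a Cloud Run service.

    A non-empty result means --no-allow-unauthenticated did not take effect
    (as the "Setting IAM policy failed" warning in the thread suggests) and
    the service still accepts unauthenticated requests.
    """
    found: List[str] = []
    for binding in service_policy.get("bindings", []):
        if binding.get("role") != "roles/run.invoker":
            continue
        found.extend(m for m in binding.get("members", []) if m in PUBLIC_MEMBERS)
    return found


# Constructed sample: bucket and service-account grants done, project role not yet.
MEMBER = "user:operator@example.com"  # placeholder, not a real account
SAMPLE_POLICIES: Dict[str, dict] = {
    "bucket": {"bindings": [
        {"role": "roles/storage.legacyBucketWriter", "members": [MEMBER]},
    ]},
    "service_account": {"bindings": [
        {"role": "roles/iam.serviceAccountUser", "members": [MEMBER]},
    ]},
    "project": {"bindings": [
        {"role": "roles/viewer", "members": [MEMBER]},
        # Conditional grant: present in the export but not a standing permission.
        {"role": "roles/run.developer", "members": [MEMBER],
         "condition": {"expression": "request.time < timestamp('2000-01-01T00:00:00Z')"}},
    ]},
}
# Constructed sample of a service whose allUsers invoker binding was never removed.
SAMPLE_SERVICE_POLICY = {"bindings": [
    {"role": "roles/run.invoker", "members": ["allUsers", MEMBER]},
]}

if __name__ == "__main__":
    print("missing:", missing_roles(SAMPLE_POLICIES, MEMBER))
    print("public invokers:", public_invokers(SAMPLE_SERVICE_POLICY))
```

To run it against real exports, replace the constructed dicts with the output of `gsutil iam get gs://<bucket>`, `gcloud iam service-accounts get-iam-policy <sa>`, `gcloud projects get-iam-policy <project>`, and `gcloud run services get-iam-policy <service> --region <region>` (all with `--format=json`); a non-empty `public_invokers` result is the cue to run the `remove-iam-policy-binding` command the warning suggests, using an account that is allowed to set the service policy.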