问题
I have my env set as Cloud build app (Github app) to provision terraform through cloud build to Google Cloud Platform. The build is a simple cloud composer with cloud functions, that creates these resources along with the right service accounts and members. However, only the owner permission can execute this successfully, I want to have least privilege for the cloud build service account. I have used a lot of roles and nothing seems to be successful. i.e. create service account, editor, access context manager admin, access approval approver. When I run the build via github commit, I receive this error other than having the owner set as role
Error: Error applying IAM policy for cloudfunctions cloudfunction googleapi: Error 403: Permission
Error: Batch "iam-project-redacted modifyIamPolicy" for request "Create IAM Members roles/composer.worker serviceAccount:composer-env-account@redacted.iam.gserviceaccount.com for \"project \\"redacted\\"\"" returned error: Error applying IAM policy for project "redacted": Error setting IAM policy for project "redacted": googleapi: Error 403: The caller does not have permission, forbidden. To debug individual requests, try disabling batching: https://www.terraform.io/docs/providers/google/guides/provider_reference.html#enable_batching
Is there a IAM policy/role that allows for service accounts to successfully build through cloud build?
With Owner role set to cloudbuild service account, everything build successfully
回答1:
The Cloud Build service account has assigned by default the Cloud Build Service Account role which has the permissions referred here. Notice that you'll only be limited to perform the following tasks: which include doing the pertinent activities in order to make a build successful (accessing Cloud Source Repository, Cloud Storage and Container Registry).
Along with the Cloud Build Service Account role, you'll need to grant additional roles depending on what else you are doing with Cloud Build.
In the particular case of your error message you'll need to add the Cloud Functions Developer role in order to be able to get full access to Cloud Functions. The whole procedure is documented here.
There are similar roles if you are also deploying to App Engine, or managing Google Kubernetes Engine, etc. Find all the list of available roles here.
来源:https://stackoverflow.com/questions/60158725/cloud-build-service-account-permission-to-build