【Cloud Run】 Permissions required for deployment (GCP)

Posted at 2022-06-20

Background

The permissions required to deploy to Cloud Run are listed in the documentation (↓), but they were not sufficient, so this is a memo of what was actually needed.

Because I needed to use --execution-environment=gen2, as of 2022-06-20 I am using gcloud beta run deploy (the beta specifier is required).

// Example command
gcloud beta run deploy ${APP_NAME} --source . \
  --execution-environment=gen2 \
  --no-allow-unauthenticated \
  --service-account=${SERVICE_ACCOUNT} \
  --http-timeout=${HTTP_TIMEOUT}

What the documentation above says

Grant the following to the user who performs the deployment (i.e. who runs gcloud beta run deploy):

  • roles/run.admin (Cloud Run Admin)
  • The Service Account User role on the service account passed with --service-account at deploy time
    • For the concrete procedure, see the steps in the documentation starting from "To assign the IAM Service Account User role on the Cloud Run runtime service account:"

Roles that were required in addition to the above

Required roles (and the error shown when each one was missing)

  • Artifact Registry Reader
ERROR: Permission denied while accessing Artifact Registry. Artifact Registry access is required to deploy from source.
ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: Permission 'artifactregistry.repositories.get' denied on resource '//artifactregistry.googleapis.com/projects/<project>/locations/asia-northeast1/repositories/cloud-run-source-deploy' (or it may not exist).
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: artifactregistry.googleapis.com
  metadata:
    permission: artifactregistry.repositories.get
    resource: projects/<project>/locations/asia-northeast1/repositories/cloud-run-source-deploy
  reason: IAM_PERMISSION_DENIED
  • Cloud Build Editor
// at the "Building Container" phase
ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission.
  • Service Usage Consumer
// at the "Building Container" phase
ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: Caller does not have required permission to use project <your_project>. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=<your_project> and then retry. Propagation of the new permission may take a few minutes.
  • Storage Admin
ERROR: (gcloud.beta.run.deploy) The user is forbidden from accessing the bucket [<project_name>_cloudbuild]. Please check your organization's policy or if the user has the "serviceusage.services.use" permission
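
As an added example (not code from the article), the script below binds the roles listed above to one deploying principal and reports which of them are still missing from a captured role list; the project id, member and runtime service account are placeholders, and DRY_RUN=1 prints the gcloud commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example (not from the article): grant the roles this memo found
# necessary for `gcloud beta run deploy --source`, and check which are missing.
# The project id, deployer member and runtime SA used below are placeholders.
set -euo pipefail

# Project-level roles: the documented Cloud Run Admin plus the four the
# article had to add. roles/storage.admin is broad; scope it to your policy.
DEPLOYER_ROLES=(
  roles/run.admin                          # Cloud Run Admin
  roles/artifactregistry.reader            # Artifact Registry Reader
  roles/cloudbuild.builds.editor           # Cloud Build Editor
  roles/serviceusage.serviceUsageConsumer  # Service Usage Consumer
  roles/storage.admin                      # Storage Admin (cloudbuild bucket)
)

# With DRY_RUN=1 the gcloud commands are printed instead of executed.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Bind every role in DEPLOYER_ROLES to $member on $project, then grant
# Service Account User on the runtime SA passed with --service-account.
grant_deploy_roles() {
  local project="$1" member="$2" runtime_sa="$3" role
  for role in "${DEPLOYER_ROLES[@]}"; do
    run gcloud projects add-iam-policy-binding "$project" \
      --member="$member" --role="$role"
  done
  run gcloud iam service-accounts add-iam-policy-binding "$runtime_sa" \
    --project="$project" --member="$member" --role=roles/iam.serviceAccountUser
}

# Read the member's current roles, one per line, on stdin and print the
# required ones that are absent. A typical source of that list is:
#   gcloud projects get-iam-policy "$project" --flatten='bindings[].members' \
#     --filter="bindings.members:$member" --format='value(bindings.role)'
missing_roles() {
  local have role
  have=$(cat)
  for role in "${DEPLOYER_ROLES[@]}"; do
    grep -qx -- "$role" <<<"$have" || echo "$role"
  done
}

# Usage (placeholders): print the bindings instead of applying them.
# DRY_RUN=1 grant_deploy_roles my-project user:dev@example.com \
#   cloud-run-runtime@my-project.iam.gserviceaccount.com
```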

Error example

An example where the error occurred in the second phase, Building Container.

Building using Dockerfile and deploying container to Cloud Run service [<server_name>] in project [<project_name>] region [<region>]
X Building and deploying... Building Container.
  ✓ Uploading sources...
  - Building Container... Logs are available at [https://console.cloud.google.com/cloud-build/builds/xxxxx].
  . Creating Revision...
  . Routing traffic...
  . Setting IAM Policy...
Deployment failed
ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: The caller does not have permission