setup-gcloud: Storage Object Get Access Error

TL;DR

When using the cloudbuild workflow, the action job reports as failing due to a storage access error. However the job is correctly triggered in cloudbuild and completes successfully.

My problem seems similar to the one described in https://github.com/GoogleCloudPlatform/github-actions/issues/49, but as I needed some clarification I opened this issue.

Expected behavior

The workflow would complete successfully

Observed behavior

The error message:

Build and push image to Google Container Registry(4s)

Run gcloud builds submit \
  gcloud builds submit \
    --quiet \
    --tag "gcr.io/$PROJECT_ID/$REPOSITORY_NAME:$GITHUB_SHA"
  shell: /bin/bash -e {0}
  env:
    PROJECT_ID: ***
    CLOUDSDK_CORE_PROJECT: ***
    REPOSITORY_NAME: ***
    CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
Creating temporary tarball archive of 148 file(s) totalling 8.9 MiB before compression.
Some files were not included in the source upload.

Check the gcloud log [/home/runner/.config/gcloud/logs/2020.05.15/21.07.45.085431.log] to see which files and the contents of the
default gcloudignore file used (see `$ gcloud topic gcloudignore` to learn
more).

Uploading tarball of [.] to [gs://***_cloudbuild/source/1589576865.25-e65b89df2a91419fbff076630958d5ee.tgz]
Created [https://cloudbuild.googleapis.com/v1/projects/***/builds/59a1f2ff-beee-4f1a-8147-504efe4014fd].
Logs are available at [https://console.cloud.google.com/cloud-build/builds/59a1f2ff-beee-4f1a-8147-504efe4014fd?project=192068846044].
ERROR: (gcloud.builds.submit) HTTPError 403: <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>*****@*****.iam.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object.</Details></Error>
##[error]Process completed with exit code 1.

Following the logs link I can see that everything ran fine in spite of the error:

[screenshot of the Cloud Build log]

Reproduction

Action YAML

name: ci

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
  push:
    branches:
      - master
    tags:
      - "[0-9]+.[0-9]+.[0-9]+"
env:
  PROJECT_ID: ${{ secrets.PROJECT_ID }}
  CLOUDSDK_CORE_PROJECT: ${{ secrets.PROJECT_ID }}

jobs:
  check:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - name: Retrieve the repository name
        run: echo ::set-env name=REPOSITORY_NAME::$(echo "$GITHUB_REPOSITORY" | awk -F / '{print $2}')
        shell: bash
      - name: setup gcloud CLI
        uses: GoogleCloudPlatform/github-actions/setup-gcloud@master
        with:
          service_account_key: ${{ secrets.GCP_SA_KEY }}
          project_id: ${{ secrets.PROJECT_ID }}
      - name: Build and push image to Google Container Registry
        run: |-
          gcloud builds submit \
            --quiet \
            --tag "gcr.io/$PROJECT_ID/$REPOSITORY_NAME:$GITHUB_SHA"

  • I have a dedicated service account for my project
  • I use a JSON key to authenticate
  • I assigned the following roles to this service account:
    • roles/cloudbuild.builds.builder
    • roles/cloudbuild.serviceAgent
    • roles/compute.serviceAgent
    • roles/container.clusterAdmin
    • roles/container.serviceAgent
    • roles/storage.admin

Additional information

As a workaround, I added a JSON key to the service account that GCP created automatically (ID-compute@developer.gserviceaccount.com), used it to authenticate this action, and it worked like a charm.

EDIT (June 21st 2020):

  • My service account did not have the role roles/viewer.
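An added audit script (not from this issue or from setup-gcloud) that reads a project IAM policy in the shape exported by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports which of the roles discussed in this thread the build service account actually holds; the policy JSON and the account name are constructed samples, and the script also separates conditional bindings, which are not plain grants.

```python
import json

# Roles the custom service account in the issue had, plus roles/viewer, which
# the thread reports was the missing grant. Adjust this set for your pipeline.
REQUIRED_ROLES = {"roles/cloudbuild.builds.builder",
                  "roles/storage.admin", "roles/viewer"}

# Constructed sample (not a real project) in the shape produced by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"]},
        # Conditional binding: not counted as an unconditional grant.
        {"role": "roles/viewer",
         "members": ["serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"],
         "condition": {"title": "expired",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
})


def roles_for_member(policy_json, member):
    """Return (unconditional_roles, conditional_roles) bound to `member`."""
    policy = json.loads(policy_json)
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        (conditional if "condition" in binding else unconditional).add(binding["role"])
    return unconditional, conditional


def audit_build_account(policy_json, service_account, required=REQUIRED_ROLES):
    """Report which required roles the account holds, lacks, or holds only conditionally."""
    member = f"serviceAccount:{service_account}"
    granted, conditional = roles_for_member(policy_json, member)
    return {
        "granted": sorted(granted & required),
        "conditional_only": sorted((conditional - granted) & required),
        "missing": sorted(required - granted),
    }


if __name__ == "__main__":
    report = audit_build_account(SAMPLE_POLICY, "ci-builder@example-project.iam.gserviceaccount.com")
    print(json.dumps(report, indent=2))
```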

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 25
  • Comments: 18 (1 by maintainers)

Most upvoted comments

Thanks to @agray-22 's comment, I can confirm that explicitly adding the roles/viewer role to my custom service account solved the issue.

It is not clear to me why roles/storage.admin is not enough, but at least I can now use custom service accounts for my pipelines.

I can also confirm adding the Viewer role to my service account fixed the issue:

[screenshot]

I had a similar problem to the OP's, but in my case it was because I gave my service account the Storage Object Admin role instead of the Storage Admin role. Please double-check that; the names of the roles are very similar.

This page might help explain the error or at least point towards workarounds.

The error quit happening when I tried either of this ^ page’s options for viewing logs:

I’m still surprised I ran into this issue. It feels like the Cloud Build documentation is missing some required grants.

Can also confirm this fixed our issue