I have a demo App Engine application on GitHub, mapped through Google Cloud Build to automatically redeploy upon any change in the master repository. I’ve left this app untouched for about a month or so, until now, when I made some minor updates and pushed them to the GitHub repository.
Unfortunately it seems that Cloud Build has changed some permissions, because suddenly errors came up and my updates failed to deploy. Here’s a screenshot of my Cloud Build page, and the errors:
Apparently this error was due to a permissions error:
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as 'email@example.com'
- '@type': type.googleapis.com/google.rpc.ResourceInfo
  description: You do not have permission to act as this service account.
  resourceName: firstname.lastname@example.org
  resourceType: serviceAccount
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/gcloud" failed: step exited with non-zero status: 1
When I tried to force the run via the Run trigger, I got this error:
Failed to trigger build: generic::permission_denied: service account email@example.com has insufficient permission to execute the build on project project-name.
In short, you need to add the Cloud Build Service Agent role to the Cloud Build service account, which allows Cloud Build to use service accounts to authenticate to other Google services. In the IAM section of the Cloud console, find the Cloud Build service account:
And then add the Cloud Build Service Agent role to the Cloud Build service account:
After I added that role, my Cloud Build deployments worked again.
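The same check can be made against an exported IAM policy instead of the console. This is an added example, not code from the original post: it reads a policy shaped like the output of `gcloud projects get-iam-policy` and reports whether the Cloud Build service account already holds the Cloud Build Service Agent role, ignoring bindings that only apply under a condition. The project number `123456789012`, the sample policy and the function names are constructed for illustration.

```python
import json

# Constructed sample, shaped like the output of
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# The project number 123456789012 is a placeholder, not from the post.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:owner@example.com"]}
  ]
}
""")

# Assumed member string for the Cloud Build service account (placeholder number).
CLOUD_BUILD_SA = "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"
SERVICE_AGENT_ROLE = "roles/cloudbuild.serviceAgent"  # "Cloud Build Service Agent"


def has_role(policy, member, role):
    """True if member holds role through an unconditional binding."""
    for binding in policy.get("bindings", []):
        # A conditional binding may not apply to the deploy, so skip it.
        if binding.get("role") != role or "condition" in binding:
            continue
        if member in binding.get("members", []):
            return True
    return False


def grant_command(project_id, policy, member, role):
    """Return the gcloud command that adds the binding, or None if present."""
    if has_role(policy, member, role):
        return None
    return (f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member={member} --role={role}")


if __name__ == "__main__":
    cmd = grant_command("project-name", SAMPLE_POLICY,
                        CLOUD_BUILD_SA, SERVICE_AGENT_ROLE)
    print(cmd or "binding already present")
```

Running it on the sample prints the `gcloud projects add-iam-policy-binding` command for the missing role; once the role is granted and the policy re-exported, it prints that the binding is already present.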