
Storage Object Get Access Error


TL;DR

When using the cloudbuild workflow, the action job reports as failing due to a storage access error. However, the job is correctly triggered in cloudbuild and completes successfully.

My problem seems similar to the one described in https://github.com/GoogleCloudPlatform/github-actions/issues/49, but as I needed some clarification I opened this issue.

Expected behavior

The workflow would complete successfully

Observed behavior

The error message:

Build and push image to Google Container Registry(4s)

Run gcloud builds submit \
  gcloud builds submit \
    --quiet \
    --tag "gcr.io/$PROJECT_ID/$REPOSITORY_NAME:$GITHUB_SHA"
  shell: /bin/bash -e {0}
  env:
    PROJECT_ID: ***
    CLOUDSDK_CORE_PROJECT: ***
    REPOSITORY_NAME: ***
    CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
Creating temporary tarball archive of 148 file(s) totalling 8.9 MiB before compression.
Some files were not included in the source upload.

Check the gcloud log [/home/runner/.config/gcloud/logs/2020.05.15/21.07.45.085431.log] to see which files and the contents of the
default gcloudignore file used (see `$ gcloud topic gcloudignore` to learn
more).

Uploading tarball of [.] to [gs://***_cloudbuild/source/1589576865.25-e65b89df2a91419fbff076630958d5ee.tgz]
Created [https://cloudbuild.googleapis.com/v1/projects/***/builds/59a1f2ff-beee-4f1a-8147-504efe4014fd].
Logs are available at [https://console.cloud.google.com/cloud-build/builds/59a1f2ff-beee-4f1a-8147-504efe4014fd?project=192068846044].
ERROR: (gcloud.builds.submit) HTTPError 403: <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>*****@*****.iam.gserviceaccount.com does not have storage.objects.get access to the Google Cloud Storage object.</Details></Error>
##[error]Process completed with exit code 1.

Following the logs link I can see that everything ran fine in spite of the error:


Reproduction

Action YAML

name: ci

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
  push:
    branches:
      - master
    tags:
      - "[0-9]+.[0-9]+.[0-9]+"
env:
  PROJECT_ID: ${{ secrets.PROJECT_ID }}
  CLOUDSDK_CORE_PROJECT: ${{ secrets.PROJECT_ID }}

jobs:
  check:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2
      - name: Retrieve the repository name
        run: echo ::set-env name=REPOSITORY_NAME::$(echo "$GITHUB_REPOSITORY" | awk -F / '{print $2}')
        shell: bash
      - name: setup gcloud CLI
        uses: GoogleCloudPlatform/github-actions/setup-gcloud@master
        with:
          service_account_key: ${{ secrets.GCP_SA_KEY }}
          project_id: ${{ secrets.PROJECT_ID }}
      - name: Build and push image to Google Container Registry
        run: |-
          gcloud builds submit \
            --quiet \
            --tag "gcr.io/$PROJECT_ID/$REPOSITORY_NAME:$GITHUB_SHA"

  • I have a dedicated service account for my project
  • I use a JSON key to authenticate
  • I assigned it the following roles to this service account:
    • roles/cloudbuild.builds.builder
    • roles/cloudbuild.serviceAgent
    • roles/compute.serviceAgent
    • roles/container.clusterAdmin
    • roles/container.serviceAgent
    • roles/storage.admin

Additional information

As a workaround, I added a JSON key to the service account which got automatically created by GCP (ID-compute@developer.gserviceaccount.com), used it to authenticate this action, and it worked like a charm.

EDIT (June 21st 2020):

  • My service account did not have the role roles/viewer.
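A small triage helper, added here and not part of the issue or the setup-gcloud action, that turns the 403 line above and a project IAM policy into a list of roles the denied principal actually holds. The service account name and the policy are constructed samples; in practice the policy comes from `gcloud projects get-iam-policy PROJECT --format=json`.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed log line, shaped like the one in the issue (the principal is redacted there).
ERROR_LINE = (
    "ERROR: (gcloud.builds.submit) HTTPError 403: <?xml version='1.0' encoding='UTF-8'?>"
    "<Error><Code>AccessDenied</Code><Message>Access denied.</Message>"
    "<Details>ci-builder@example-project.iam.gserviceaccount.com does not have "
    "storage.objects.get access to the Google Cloud Storage object.</Details></Error>"
)

# Constructed policy in the shape `gcloud projects get-iam-policy --format=json` returns.
POLICY_JSON = json.dumps({"bindings": [
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:admin@example.com"]},
]})


def parse_access_denied(line):
    """Return (principal, permission) from a gcloud HTTPError 403 XML body, else None."""
    m = re.search(r"HTTPError 403: (<\?xml.*</Error>)", line)
    if not m:
        return None
    root = ET.fromstring(m.group(1))
    if root.findtext("Code") != "AccessDenied":
        return None
    d = re.match(r"(\S+) does not have (\S+) access", root.findtext("Details") or "")
    return (d.group(1), d.group(2)) if d else None


def roles_for(policy_json, principal):
    """Roles bound to `principal` in the policy, whatever the member prefix (user:, serviceAccount:)."""
    suffix = ":" + principal
    return sorted(b["role"] for b in json.loads(policy_json)["bindings"]
                  if any(m.endswith(suffix) for m in b["members"]))


def triage(line, policy_json):
    """Combine both: which permission was denied, and which roles the principal holds."""
    parsed = parse_access_denied(line)
    if parsed is None:
        return None
    principal, permission = parsed
    return {"principal": principal, "permission": permission,
            "roles": roles_for(policy_json, principal)}


if __name__ == "__main__":
    print(json.dumps(triage(ERROR_LINE, POLICY_JSON), indent=2))
```

Run against real output the same way; a principal whose role list does not contain roles/viewer reproduces the situation the reporter found.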


Top GitHub Comments

rgreinho commented, Jun 22, 2020 (7 reactions)

Thanks to @agray-22 's comment, I can confirm that explicitly adding the roles/viewer role to my custom service account solved the issue.

It is not clear to me why roles/storage.admin is not enough, but at least I can now use custom service accounts for my pipelines.

alexfoxy commented, Jun 22, 2020 (4 reactions)

I can also confirm adding the Viewer role to my service account fixed the issue:

