Google Cloud Build is cool. Google Cloud Run is awesome. But when configuring Google Cloud Build to automatically deploy your built container to Google Cloud Run you might see this error:
ERROR: (gcloud.run.deploy) PERMISSION_DENIED: The caller does not have permission
If you’re seeing this error, the Cloud Build service account is missing the IAM permissions it needs. Below I’ll show you the commands to fix this error.
As detailed in the Cloud Run documentation, a user needs the following permissions to deploy new Cloud Run services or revisions:
- run.services.update on the project level. Typically assigned through the Cloud Run Admin role (roles/run.admin).
- iam.serviceAccounts.actAs for the Cloud Run runtime service account. By default, this is the Compute Engine default service account, PROJECT_NUMBER-compute@developer.gserviceaccount.com. The permission is typically assigned through the Service Account User role (roles/iam.serviceAccountUser).
By default – for security reasons – the Cloud Build Service Account does not have the permissions to manage Cloud Run, explaining why you’re getting errors.
```bash
# Config
GC_PROJECT=your-gcp-project-id
GC_PROJECT_NUMBER=your-gcp-project-number

# Grant the Cloud Run Admin role to the Cloud Build service account
gcloud projects add-iam-policy-binding "$GC_PROJECT" \
  --member "serviceAccount:${GC_PROJECT_NUMBER}@cloudbuild.gserviceaccount.com" \
  --role roles/run.admin

# Grant the IAM Service Account User role to the Cloud Build service account
# on the Cloud Run runtime service account (the Compute Engine default service account)
gcloud iam service-accounts add-iam-policy-binding \
  "${GC_PROJECT_NUMBER}-compute@developer.gserviceaccount.com" \
  --member="serviceAccount:${GC_PROJECT_NUMBER}@cloudbuild.gserviceaccount.com" \
  --role="roles/iam.serviceAccountUser"
```
💡 To find the values for GC_PROJECT and GC_PROJECT_NUMBER, run gcloud projects list or go to the Home of your project inside Cloud Console.
After running these two commands, re-trigger a build and Google Cloud Build will be able to deploy your built container onto Google Cloud Run.
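As an added pre-flight check (not part of the original post), the script below reads the two IAM policies involved, as printed by gcloud projects get-iam-policy PROJECT_ID --format=json and gcloud iam service-accounts get-iam-policy RUNTIME_SA_EMAIL --format=json, and reports which of the two bindings from the fix above are still missing for the Cloud Build service account. The project number and policy documents embedded here are constructed samples.

```python
import json

CLOUD_RUN_ADMIN = "roles/run.admin"
SA_USER = "roles/iam.serviceAccountUser"


def cloud_build_member(project_number: str) -> str:
    """IAM member string of the Cloud Build service account of a project."""
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"


def has_binding(policy: dict, role: str, member: str) -> bool:
    """True if `member` is bound to `role` anywhere in the IAM policy document."""
    return any(
        b.get("role") == role and member in b.get("members", [])
        for b in policy.get("bindings", [])
    )


def missing_bindings(project_policy: dict, runtime_sa_policy: dict,
                     project_number: str) -> list:
    """Return the bindings from the fix that are absent, as (scope, role) pairs.
    project_policy / runtime_sa_policy are the JSON documents printed by
    `gcloud ... get-iam-policy --format=json` for the project and runtime SA."""
    member = cloud_build_member(project_number)
    required = [
        ("project", project_policy, CLOUD_RUN_ADMIN),
        ("runtime-service-account", runtime_sa_policy, SA_USER),
    ]
    return [(scope, role) for scope, policy, role in required
            if not has_binding(policy, role, member)]


# Constructed sample policies reproducing the state that triggers the error:
# the Cloud Build SA holds only its default role on the project, and nobody
# is bound on the runtime service account yet.
PROJECT_NUMBER = "123456789012"  # constructed placeholder, not a real project
PROJECT_POLICY_BEFORE = json.loads("""{
  "bindings": [{"role": "roles/cloudbuild.builds.builder",
                "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}],
  "etag": "BwXexample=", "version": 1}""")
RUNTIME_SA_POLICY_BEFORE = {"etag": "ACAB", "version": 1}

if __name__ == "__main__":
    for scope, role in missing_bindings(PROJECT_POLICY_BEFORE,
                                        RUNTIME_SA_POLICY_BEFORE, PROJECT_NUMBER):
        print(f"missing: {role} for the Cloud Build service account on {scope}")
```

Run it again after applying the two commands above; an empty result means both bindings are in place.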