问题
When attempting to deploy a simple function, I am running into a 403 error. Here is my full yaml:
steps:
# Install Dependencies
- name: 'python'
id: Pip install
args: ['pip3', 'install', '-r', 'requirements.txt', '--user']
# Run Tests
- name: 'python'
args: ['python3', '-m', 'pytest', 'functions/folder_a/test/']
# Deploy Cloud Functions
- name: 'gcr.io/cloud-builders/gcloud'
id: 'helloFunction'
args: ['functions', 'deploy', 'hello', '--source' , 'functions/folder_a/main.py',
'--runtime' , 'python37' ,'--trigger-http']
Step one finishes fine but step two errors here.
$ gcloud info
Account: [projectname@appspot.gserviceaccount.com]
Project: [projectname]
Current Properties:
[core]
project: [projectname]
account: [projectname@appspot.gserviceaccount.com]
disable_usage_reporting: [True]
I tried adding the following permissions to the above account in IAM:
- Cloud Build Service Agent
- Cloud Functions Developer
- Cloud Functions Service Agent
- Editor
When Google Build is running, which service account is it using? How can I change the permissions to allow automatic deploying of functions?
回答1:
Using Cloud Build to deploy Cloud Functions is documented in https://cloud.google.com/functions/docs/bestpractices/testing#continuous_testing_and_deployment
From that page the guidance is:
- To deploy Cloud Functions, you might want to assign the Cloud Functions Developer role to the Cloud Build service account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com).
- If you use the Cloud Functions Developer role, you also need to grant the Cloud Functions Runtime service account (PROJECT_ID@appspot.gserviceaccount.com) the IAM Service Account User role.
The Cloud Build service account is PROJECT_NUMBER@cloudbuild.gserviceaccount.com, if you look for it in the console there's only going to be one service account with *@cloudbuild*
来源:https://stackoverflow.com/questions/56482192/deploying-google-cloud-function-from-a-google-build