What scopes / roles are required for a service account to be able to submit container builder jobs?

混江龙づ霸主 submitted on 2021-02-18 22:32:31

Question


When creating a new service account to handle Container Builder jobs, the jobs fail with the following error despite the service account having the Cloud Container Builder, Logs Viewer and Private Logs Viewer roles:

ERROR: (gcloud.container.builds.submit) HTTPError 403:
<?xml version='1.0' encoding='UTF-8'?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access denied.</Message>
  <Details>v2-container-builder@redacted.iam.gserviceaccount.com does not have storage.objects.get access to object redacted.cloudbuild-logs.googleusercontent.com/log-20117c17-f2b4-4159-9883-104ddd7bb232.txt.
  </Details>
</Error>

I understand the error points to storage.objects.get permissions over a file on Cloud Storage, but this is not a bucket we can set ACLs for, is it?


Answer 1:


Here is the quote from David Bendory (Tech Lead for the Google Cloud Container Builder) from this thread:

GCS permissions predate IAM and thus work a little differently. To view the logs, the Service Account in question needs to be a Viewer on the project in addition to having the Builder Editor role.


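The answer above says the build service account needs two project-level grants, the Builder Editor role and Viewer. A quick way to confirm that before submitting a build is to read the project's IAM policy and check the bindings for the service account. The script below is an added example, not code from the original question, answer, or Google; it parses the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints (a constructed sample policy is embedded so it runs offline) and reports which required roles are missing, together with the `gcloud projects add-iam-policy-binding` commands that would grant them. The role IDs `roles/cloudbuild.builds.editor` and `roles/viewer` are assumptions, since the page names the roles only by their display names; the project ID `my-project` is also made up. It also skips conditional bindings, because a role granted under an IAM Condition is not an unconditional grant and will not satisfy the check.

```python
"""Check whether a service account holds the roles named in the answer above.

Added example, not from the original page. Parses the JSON output of
`gcloud projects get-iam-policy PROJECT --format=json` and reports which of
the required roles the service account is missing. Role IDs are assumptions
(the page gives display names only):
  Builder Editor -> roles/cloudbuild.builds.editor
  Viewer         -> roles/viewer
"""
import json

SA = "v2-container-builder@redacted.iam.gserviceaccount.com"

REQUIRED_ROLES = {
    "roles/cloudbuild.builds.editor",  # "Builder Editor" in the quoted answer (assumed ID)
    "roles/viewer",                    # project Viewer, needed to read the build log object
}

# Constructed sample policy, shaped like `gcloud projects get-iam-policy --format=json`.
# The service account has the builder and logging roles the question lists, plus a
# roles/viewer binding that only applies under an (expired) IAM Condition.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudbuild.builds.editor", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/logging.viewer", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/logging.privateLogViewer", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": [f"serviceAccount:{SA}"],
         "condition": {"title": "expired",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
    "etag": "BwXyz=",
    "version": 3,
})


def roles_for_member(policy_json: str, member: str) -> set:
    """Return the roles unconditionally bound to `member` in the policy.

    Bindings carrying an IAM Condition are skipped: they only apply while the
    condition holds, so they cannot be counted as a standing grant.
    """
    policy = json.loads(policy_json)
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def missing_roles(policy_json: str, service_account: str) -> set:
    """Roles from REQUIRED_ROLES that the service account does not hold."""
    return REQUIRED_ROLES - roles_for_member(policy_json, f"serviceAccount:{service_account}")


def fix_commands(project: str, service_account: str, missing: set) -> list:
    """gcloud commands that would grant each missing role (returned, not executed)."""
    return [
        f"gcloud projects add-iam-policy-binding {project} "
        f"--member=serviceAccount:{service_account} --role={role}"
        for role in sorted(missing)
    ]


if __name__ == "__main__":
    missing = missing_roles(SAMPLE_POLICY, SA)
    if missing:
        print("missing:", ", ".join(sorted(missing)))
        for cmd in fix_commands("my-project", SA, missing):  # "my-project" is a placeholder
            print(cmd)
    else:
        print("service account holds every required role")
```

Against the sample policy the script reports `roles/viewer` as missing even though a `roles/viewer` binding for the account exists, because that binding is conditional. To run it against a real project, replace `SAMPLE_POLICY` with the output of `gcloud projects get-iam-policy PROJECT --format=json`.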

Source: https://stackoverflow.com/questions/45602447/what-scopes-roles-are-required-for-a-service-account-to-be-able-to-submit-cont
