Re: Cloud Build Logging Permission Ignored

bradykelly

I am following the GCP Quickstart Deploy an app in a container image to a GKE cluster, and I'm at the cloud build step, executing this command:

gcloud builds submit --tag us-central1-docker.pkg.dev/PROJECT_ID/hello-repo/helloworld-gke .

I have put my real project id in.

After some trial and error, i.e. getting one permissions error, adding the permission, and trying again, the build and push seems to go fine. The gcloud output shows this:

Pushing us-central1-docker.pkg.dev/gke-dotnet-api-1/hello-repo/helloworld-gke

But the gcloud output goes on to say:

INFO: The service account running this build [ACCOUNT_ID redacted] does not have permission to write logs to Cloud Logging. To fix this, grant the Logs Writer (roles/logging.logWriter) role to the service account.

I had this problem earlier and added the Logs Writer, Logs Viewer, and Logs View Accessor roles to the account:

What do I have to do to get cloud build to recognize the Log Writer role I have granted?

bradfojb

Confirming this shows up in the Cloud Build UI as well and appeared recently without any changes to my IAM:

The service account running this build projects/PROJECT_ID/serviceAccounts/NAME@PROJECT_ID.iam.gserviceaccount.com does not have permission to write logs to Cloud Logging. To fix this, grant the Logs Writer (roles/logging.logWriter) role to the service account.

My service account has the right role setup, and I can see that build logs are indeed being written to Cloud Logging despite this message.

bradfojb

@bradykellythis is no longer happening for my builds. Google must have fixed.