Solved: Cloud Build trigger creation failed.

Permlap · 03-13-2024 10:28 PM

Hi Google Cloud Team,
I'm trying to deploy my repository from github to google run using cloud build.
Somehow, it throws error "Cloud Build trigger creation failed. Continuous Deployment pipeline is not set up. Error while setting necessary roles for Cloud Build Service Account. Required roles: roles/run.admin, roles/iam.serviceAccountUser."

I have setup Cloud Build Service Account to have the required roles as it suggest, still not working and throws the same error

here is Cloud Build Service Agent

FYI, I accidently delete Compute Engine default service account for over 30 days.
This also might be the case as well.
I'm trying to recover my Compute Engine default service account by trying this https://stackoverflow.com/a/57360924 turn out it still not working because I deleted it for over 30 days

I also try to disable and re-enable Google Compute Engine API in my project still Compute Engine default service account not showing up

Permlap

Hi guys,

Just want to response to my own question. None of these solutions works for me. So I decided to create new project to have all setting as a default and it works.

It's not a way to fix the issues, but it is the way to moving forward hahaha

View solution in original post

christianpaula

Hi @Permlap,

Welcome to Google Cloud Community!

Your Cloud Build trigger creation failed due to a permission issue with the Cloud Build service account. Here's how to fix it:

Verify that the Cloud Build service account has the role roles/run.serviceAccountUser.
If that doesn't work, create a new service account for Cloud Build, grant it the required role, and use it with your trigger.
Recreate your Cloud Build trigger using the new service account (if you created one in step 2).

seedext

Hello @christianpaula, I have the same problem but after trying your solution, it still doesn't work.

SymbolicSoft

I have been having the same problem all day and this solution does not work for me either. I am going to jump off a cliff. This is driving me insane. Please, for the love of God, look into this. I am one billion percent sure that my Cloud Build configuration has a preferred service account, which has the right permissions, and which is being used to set up the Cloud Run instance's continuous deployment.

PLEASE END MY SUFFERING.

logancarmody

Pls help... anyone else have a solution here?

gcoellof

Hi, try to set "Service Account User" in your own account, that is because you are configuring and your user needs iam.serviceAccounts.actAs permission.

MalliTirth

Same Issue

kh-hub

Same problem here. Deleted default Compute service account and can't recreate or assign to another service account

davidloving

I have the same issue.

faber820

Did you find any solution?

davidloving

No. Had to stop using Google Cloud Buiild

faber820

What are you using now?

davidloving

I am afraid to share the option we are using as Google will just HAVE to stop that from working.

The --source . flag in gcloud run deploy changes how your application is deployed to Cloud Run. Instead of providing a pre-built container image with --image, you're telling Cloud Run to build the container directly from your local source code.

Permlap

Hi guys,

Just want to response to my own question. None of these solutions works for me. So I decided to create new project to have all setting as a default and it works.

It's not a way to fix the issues, but it is the way to moving forward hahaha

davidloving

I agree... this is not the way to address the issue and I do not think this is solved.

If I buy a domain, sign up for a Workspace and then try to host a docker container in google cloud run as the Owner and Organization Administrator, I should not have to search for additional roles to add. Those are steps for adding a new user. Oh, by default the Owner and Organization Administrator cannot add a Service Account.

bhageshpurica

I want to use a custom service account, but getting the above error:

Failed: Cloud Build trigger creation failed. Continuous Deployment pipeline is not set up. Error while setting necessary roles for default Compute Service Account. Required roles: roles/run.admin, roles/iam.serviceAccountUser

have assigned the required roles to my SA but error remains same

bhageshpurica

I am also facing the same problem, do we have a fix if I want to use a custom service account.

I have the org policy enabled --> Disable Automatic IAM Grants for Default Service Accounts

So i need to use a custom SA.

gcoellof

Hi, try to set "Service Account User" in your own account, that is because you are configuring and your user needs iam.serviceAccounts.actAs permission. You need this in order to config and test.

bhageshpurica

I followed the article, https://cloud.google.com/build/docs/cloud-build-service-account-updates#disable-sa

tried the following:

Use a user-specified service account, for both manually submitted builds and triggered builds. This is generally the most secure option. Set the following constraints in your organization policy:

Not enforced: constraints/cloudbuild.useBuildServiceAccount
Not enforced: constraints/cloudbuild.useComputeServiceAccount

Continue using the Cloud Build legacy service account. If you are aware of the security trade-offs involved, set the following constraints in your organization policy:

Not Enforced: constraints/cloudbuild.disableCreateDefaultServiceAccount
Not enforced: constraints/cloudbuild.useComputeServiceAccount
Enforced: constraints/cloudbuild.useBuildServiceAccount

Also under cloud build settings:

Preferred service account: wired-brain-coffee@augmented-web-390402.iam.gserviceaccount.com. The preferred service account will be pre-populated when you create new triggers.

Both cloud run SA and unser defined SA have cloud run admin and service account user

Still the error:

Creating Cloud Build trigger

Failed: Cloud Build trigger creation failed. Continuous Deployment pipeline is not set up. Error while setting necessary roles for default Compute Service Account. Required roles: roles/run.admin, roles/iam.serviceAccountUser

Building and deploying from repository

Cancelled

bhageshpurica

Kindly provide a solution for this .......