Cloud build triggers using custom service account

With respect to the upcoming Cloud Build service account change, our team has created a custom service account for Cloud Build purposes. This service account has been specified at the Cloud Build trigger level as described by the documentation. According to the documentation, this should suffice as a replacement for using the (still) default cloudbuild service account, soon to be the Compute Engine account. Unfortunately, when running a build trigger (after having confirmed that the service account is set on the trigger), the console still fails, throwing the error that it is missing cloud build create rights, even though they are present. When inspecting the Logs Explorer, I find that it still runs the Cloud Build trigger using the default cloudbuild account (i.e. Projectnumber@cloudbuild...). This does not seem like desired behaviour. Any suggestions? Is this a bug or is there an additional step to be performed?


Hello @tychoa 

Welcome to the Google Cloud Community,

Based on our official documentation on Cloud Build Service Account Changes, to create new triggers, you have to explicitly specify a service account.

You can also read about that here.

Hello Julia,

I followed the steps mentioned in the documentation. A custom service account with all the appropriate rights/permissions was specified at the trigger level (not build config). However, when I inspect the logs through the Logs Explorer, I see that the default cloudbuild service account is still used for actually creating the build (not running it). This requires that account to still have certain permissions set. Is this intended?