IAM authority lacks the permission 'clientauthconfig.clients.list' for action AppIdentityClientAuth

We are currently hosting a Docker container in Google Cloud's Cloud Run.

We're trying to initialize a revision to Cloud Run (manually and via an authenticated pipeline). It's complaining that it doesn't have access to the resource.

Our team has been struggling over several days to fix the following issue:

 

These are the permissions we've set for the user:

  1. Artifact Registry Reader
  2. Artifact Registry Writer
  3. Cloud Run Admin
  4. Cloud Run Service Agent

Error: Revision 'api-XXXXX-grn' is not ready and cannot serve traffic.

Reason:
- Failed to list OAuth clients due to a permission issue.

Details:
- Exception: com.google.apps.framework.auth.IamPermissionDeniedException
- IAM authority lacks the permission 'clientauthconfig.clients.list' for action AppIdentityClientAuthConfigService-ListClients on resource 'brands/XXXXXXXXXXX'.

Security Context:
- User: gaiauser/XXXXXXXXXX
- Credentials: GAIA_MINT
- Peer Protocol: loas
- Peer Version: X
- Security Level: strong_privacy_and_integrity
- Host: XXXXXXXX.prod.google.com
- Role: identity-app-regional
- User: cloud-run-api-server
- Originator: cloud-run-api-server (GAIA ID: XXXXXXXXXXXX)

RPC Exception:
- Title: /ClientAuthConfig.ListClients, PERMISSION_DENIED
- Application Error: google.identity.clientauthconfig.v1/ClientAuthConfig.ListClients
- App Error Code: X
- Start Time (ms): XXXXXXXXXXXX
- Deadline (sec): XX.X
- Server Time (sec): X.XXXXXXXX
- Request ID: XXXXXXXXXXXXXXXX
- Server: [XXXX:XXXX:XXXX:XXXX::]:XXXX

For in-depth troubleshooting, please visit:
https://cloud.google.com/run/docs/troubleshooting

We're trying to run it through the Policy Troubleshooter but haven't found the culprit yet.

The `brands/XXXXXXXXXXX` resource is what's throwing us off.

Any ideas?

 
