Product: Cloud Run
Priority: High (Operation Blocked)
We are attempting to create a new Cloud Run service in the project Homo Conscius APP (ID: paselo-la-vida) to host a Google Tag Manager Server-Side container. The operation consistently fails with a generic error message: "The operation failed due to a lack of permissions". This occurs despite the user performing the operation (PII Removed by Staff) holding the Owner, Cloud Run Admin, and Service Account User roles for the project. We have systematically verified and ruled out all common configuration causes, suggesting a potential anomalous project state or an internal platform issue.
Google Cloud Project: Homo Conscius APP
Project ID: paselo-la-vida
Principal performing the operation: (PII Removed by Staff)
Service to be created: Cloud Run
Deployment Region: europe-southwest1 (Madrid)
Container Image to Deploy: gcr.io/cloud-tagging-101/gtm-cloud-run-image:stable
The objective is to deploy a tagging server for Google Tag Manager Server-Side using the official Google image. The final service configuration must allow unauthenticated invocations to receive tracking data (events) from web browsers over the internet, for subsequent forwarding to third-party APIs such as the Meta Conversions API.
An exhaustive debugging process has been performed to isolate the cause of the error:
Initial GTM Conflict (Resolved): A conflict was detected and resolved in Google Tag Manager where an old, auto-provisioned server container (GTM-M7JJKG98) was causing errors. A new, clean container (Sendasavia Server V2, ID: GTM-5H9C6Q08) was created, and the existing configuration was imported. This GTM issue is now resolved.
Auto-provisioning Failure (First Obstacle): An attempt was made to use the "Automatically provision tagging server" feature from the new GTM V2 container. The operation failed with a generic error, forcing us to proceed with the manual creation of the service directly in Cloud Run.
Manual Creation Failure (Specific Permission Error): The first manual creation attempt failed with the specific error: Permission 'iam.serviceAccounts.actAs' denied.
Corrective Action 1 (Service Account User Role): To resolve the previous error, the Service Account User role was assigned to the principal (PII Removed by Staff). Despite this, the creation error persisted, though it changed to the more generic message: "The operation failed due to a lack of permissions."
Corrective Action 2 (Cloud Run Admin Role): Based on official documentation, the Cloud Run Admin role was also added to the principal (PII Removed by Staff), in addition to the Owner and Service Account User roles it already possessed. The generic permission error continues to occur.
Project API Verification (Ruled Out): We have explicitly verified that the following essential APIs are ENABLED in the Homo Conscius APP project:
Cloud Run Admin API
Artifact Registry API
Cloud Build API
Organization Policy Verification (Ruled Out): We have verified that the project does not belong to an Organization and that, at the project level, there are no active policies restricting the creation or configuration of Cloud Run services.
Billing Verification (Ruled Out): We have confirmed that the project's billing account (Firebase Payment) is active, in good standing, and correctly linked.
After an exhaustive investigation, we have ruled out all possible error causes related to user, GTM, and project configurations that are accessible through the console. All settings and permissions appear to be correct according to the official documentation. The creation operation continues to fail with a permission error that does not correspond to the assigned roles.
We are seeking help to diagnose why the Google Cloud platform is returning this error. We suspect it may be due to an anomalous state within the Homo Conscius APP project or a platform issue that is invisible to us as users.
Thank you for your attention.
Is the image in the same project as your project?
If not, there are some additional permissions you need on the image. Pasting from Gemini:
"To deploy container images to Cloud Run, you need to ensure the Cloud Run service agent has the necessary permissions to access the image in the container registry. This usually involves granting the Artifact Registry Reader role (roles/artifactregistry.reader) on the repository containing the image to the Cloud Run service agent. If the image is in a different project, you'll also need to grant this role to the service agent in that project, according to Google Cloud documentation."
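The two permission paths this thread touches (the deploying principal needing iam.serviceAccounts.actAs on the runtime service account, and the Cloud Run service agent needing to read the image when it lives in another project) can be checked from the command line before retrying the deployment. The script below is an added example, not something posted in the thread or shipped by Google: it derives the service agent and default runtime service account from the project number (a placeholder here; obtain the real one with `gcloud projects describe paselo-la-vida --format='value(projectNumber)'`), then either prints or runs the gcloud checks and the corresponding grants. The principal value and project number are assumptions; the image reference is the one from the original post.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): derive the identities involved in a
# Cloud Run deployment and emit (or run) the gcloud checks for the two
# permission paths discussed above. PROJECT_NUMBER below is a placeholder.
set -eu

# The Cloud Run service agent is named after the project NUMBER, not the ID.
cloud_run_service_agent() {
  printf 'service-%s@serverless-robot-prod.iam.gserviceaccount.com' "$1"
}

# Default Compute Engine service account; Cloud Run runs as this identity
# unless the service is deployed with --service-account.
default_runtime_sa() {
  printf '%s-compute@developer.gserviceaccount.com' "$1"
}

# Project that owns an image reference such as gcr.io/PROJECT/image:tag or
# REGION-docker.pkg.dev/PROJECT/repo/image:tag (the segment after the host).
image_project() {
  path="${1#*/}"
  printf '%s' "${path%%/*}"
}

# Echo commands when DRY_RUN is set; execute them otherwise.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Check 1: which principals hold roles on the runtime service account
# (roles/iam.serviceAccountUser carries iam.serviceAccounts.actAs).
# Check 2: if the image lives in another project, which roles that project
# grants the Cloud Run service agent (expect roles/artifactregistry.reader).
diagnose() {
  deploy_project="$1"; project_number="$2"; image="$3"
  runtime_sa="$(default_runtime_sa "$project_number")"
  agent="$(cloud_run_service_agent "$project_number")"
  img_project="$(image_project "$image")"

  run gcloud iam service-accounts get-iam-policy "$runtime_sa" \
    --project "$deploy_project" --format=json

  if [ "$img_project" != "$deploy_project" ]; then
    run gcloud projects get-iam-policy "$img_project" \
      --flatten='bindings[].members' \
      --filter="bindings.members:serviceAccount:$agent" \
      --format='value(bindings.role)'
  fi
}

# The two grants the advice above amounts to. PRINCIPAL is an assumed value
# such as user:someone@example.com (placeholder).
grant_fixes() {
  deploy_project="$1"; project_number="$2"; image="$3"; principal="$4"
  runtime_sa="$(default_runtime_sa "$project_number")"
  agent="$(cloud_run_service_agent "$project_number")"
  img_project="$(image_project "$image")"

  run gcloud iam service-accounts add-iam-policy-binding "$runtime_sa" \
    --project "$deploy_project" --member "$principal" \
    --role roles/iam.serviceAccountUser

  if [ "$img_project" != "$deploy_project" ]; then
    run gcloud projects add-iam-policy-binding "$img_project" \
      --member "serviceAccount:$agent" --role roles/artifactregistry.reader
  fi
}

# Usage (dry run, placeholder project number):
# DRY_RUN=1 diagnose paselo-la-vida 123456789012 gcr.io/cloud-tagging-101/gtm-cloud-run-image:stable
```

Run `diagnose` first with `DRY_RUN=1` to see exactly what will be queried; the second check is skipped when the image is hosted in the deployment project itself, since the service agent already has access there. Only the image-project grant in `grant_fixes` touches a project other than your own, and it only matters if that project is one you administer.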