
Unable to Create Cloud Run Service Due to Generic Permission Error Despite Owner Role

Fjsm
New Member

Case Title: Unable to Create Cloud Run Service Due to Generic Permission Error Despite Owner Role

Product: Cloud Run

Priority: High (Operation Blocked)

Problem Summary:

We are attempting to create a new Cloud Run service in the project Homo Conscius APP (ID: paselo-la-vida) to host a Google Tag Manager Server-Side container. The operation consistently fails with a generic error message: "The operation failed due to a lack of permissions". This occurs despite the user performing the operation (PII Removed by Staff) holding the Owner, Cloud Run Admin, and Service Account User roles for the project. We have systematically verified and ruled out all common configuration causes, suggesting a potential anomalous project state or an internal platform issue.

Environment Information:

  • Google Cloud Project: Homo Conscius APP

  • Project ID: paselo-la-vida

  • Principal performing the operation: (PII Removed by Staff)

  • Service to be created: Cloud Run

  • Deployment Region: europe-southwest1 (Madrid)

  • Container Image to Deploy: gcr.io/cloud-tagging-101/gtm-cloud-run-image:stable

Ultimate Goal:

The objective is to deploy a tagging server for Google Tag Manager Server-Side using the official Google image. The final service configuration must allow unauthenticated invocations to receive tracking data (events) from web browsers over the internet, for subsequent forwarding to third-party APIs such as the Meta Conversions API.

Diagnostic Steps Performed & Obstacles Encountered (Detailed Chronology):

An exhaustive debugging process has been performed to isolate the cause of the error:

  1. Initial GTM Conflict (Resolved): A conflict was detected and resolved in Google Tag Manager where an old, auto-provisioned server container (GTM-M7JJKG98) was causing errors. A new, clean container (Sendasavia Server V2, ID: GTM-5H9C6Q08) was created, and the existing configuration was imported. This GTM issue is now resolved.

  2. Auto-provisioning Failure (First Obstacle): An attempt was made to use the "Automatically provision tagging server" feature from the new GTM V2 container. The operation failed with a generic error, forcing us to proceed with the manual creation of the service directly in Cloud Run.

  3. Manual Creation Failure (Specific Permission Error): The first manual creation attempt failed with the specific error: Permission 'iam.serviceAccounts.actAs' denied.

  4. Corrective Action 1 (Service Account User Role): To resolve the previous error, the Service Account User role was assigned to the principal (PII Removed by Staff). Despite this, the creation error persisted, though it changed to the more generic message: "The operation failed due to a lack of permissions."

  5. Corrective Action 2 (Cloud Run Admin Role): Based on official documentation, the Cloud Run Admin role was also added to the principal (PII Removed by Staff), in addition to the Owner and Service Account User roles it already possessed. The generic permission error continues to occur.

  6. Project API Verification (Ruled Out): We have explicitly verified that the following essential APIs are ENABLED in the Homo Conscius APP project:

    • Cloud Run Admin API

    • Artifact Registry API

    • Cloud Build API

  7. Organization Policy Verification (Ruled Out): We have verified that the project does not belong to an Organization and that, at the project level, there are no active policies restricting the creation or configuration of Cloud Run services.

  8. Billing Verification (Ruled Out): We have confirmed that the project's billing account (Firebase Payment) is active, in good standing, and correctly linked.

Conclusion and Question for the Community:

After an exhaustive investigation, we have ruled out all possible error causes related to user, GTM, and project configurations that are accessible through the console. All settings and permissions appear to be correct according to the official documentation. The creation operation continues to fail with a permission error that does not correspond to the assigned roles.

We are seeking help to diagnose why the Google Cloud platform is returning this error. We suspect it may be due to an anomalous state within the Homo Conscius APP project or a platform issue that is invisible to us as users.

Thank you for your attention.

2 Replies

Is the image in the same project as your project?

If not, there are some additional permissions you need on the image. Pasting from Gemini:
"To deploy container images to Cloud Run, you need to ensure the Cloud Run service agent has the necessary permissions to access the image in the container registry. This usually involves granting the Artifact Registry Reader role (roles/artifactregistry.reader) on the repository containing the image to the Cloud Run service agent. If the image is in a different project, you'll also need to grant this role to the service agent in that project, according to Google Cloud documentation."

Hi @Fjsm,

Welcome to Google Cloud Community! 

Here’s a quick guide to help you investigate the issue:

  1. Check the Service Accounts:
  • Confirm which service account is being used. Typically this is the Compute Engine default service account unless a user-managed one is specified. Ensure it has the necessary roles such as roles/run.invoker, roles/run.viewer, and roles/artifactregistry.reader, and that the deploying principal has roles/iam.serviceAccountUser on it.
  • You can test permissions by temporarily assigning roles/editor to isolate issues. Also, make sure the Cloud Build service account has permission to impersonate the selected service account. Use gcloud iam service-accounts list and describe to verify roles and spot misconfigurations.
  2. Platform Outage or Regional Issues:
  • Check the Google Cloud Status Dashboard for any incidents or outages affecting Cloud Run, particularly in the europe-southwest1 (Madrid) region. Even if no current issues are reported, a recent outage might have caused residual inconsistencies in the infrastructure. Additionally, review your Cloud Run quotas in that region, such as CPU seconds, concurrent instances and total services, to ensure resource limits aren't causing the issue.
  • Try a Different Region: Attempt to deploy the Cloud Run service in a different region (e.g., us-central1 or europe-west1) as a test. If the deployment succeeds in another region, it likely indicates a regional issue specific to europe-southwest1.
  3. Cloud Logs & Error Reporting for Advanced Debugging:
  • Cloud Logging: Use Cloud Logging to investigate further by filtering logs with resource types like cloud_run_revision, cloud_run_service, and cloudbuild.googleapis.com/Build, along with the deploying principal's email. Look for any permission-related errors or failed API calls; logs often reveal the root cause behind Cloud Run deployment issues.
  • Cloud Error Reporting: Check Google Cloud Error Reporting for any unhandled errors that occurred during the Cloud Run service creation. It may provide more detailed context than the UI, especially for pinpointing permission-related issues.

If you need further assistance with your project, feel free to reach out to Google Cloud Support at any time.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
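The two replies above each point at one part of the same checklist: the first at the Cloud Run service agent's read access to the image project, the second at the runtime service account and the deployer's actAs grant on it. As an added example (not code from this thread, from the poster, or from Google), the Python script below folds both into a single offline pass over IAM policy JSON exported with gcloud. It checks that the deployer holds a role that can create a service, that the runtime service account actually exists in the project, that the deployer has a role carrying iam.serviceAccounts.actAs on it (at project level or on the account itself), and that the project's Cloud Run service agent can pull the image. The project number, e-mail addresses, policies and service-account list are constructed for illustration, and the role sets are an assumed starting point rather than an exhaustive list.

```python
"""Offline checks for a Cloud Run deploy that fails with a permission error.

Added example; not code from this thread or from Google. It evaluates IAM
policies you would fetch with these gcloud commands, run as the deployer:

  gcloud projects get-iam-policy PROJECT_ID --format=json
  gcloud iam service-accounts get-iam-policy RUNTIME_SA_EMAIL --format=json
  gcloud iam service-accounts list --project PROJECT_ID --format=json
  gcloud projects get-iam-policy IMAGE_PROJECT_ID --format=json

Every project number, e-mail and policy below is constructed sample data.
"""
import json

# Roles on the deployment project that allow creating/updating a service.
# Assumed set; inspect a role with `gcloud iam roles describe roles/run.admin`.
DEPLOY_ROLES = {"roles/owner", "roles/editor", "roles/run.admin", "roles/run.developer"}

# Roles carrying iam.serviceAccounts.actAs on the runtime service account.
# They count whether bound on the project or directly on the account.
ACT_AS_ROLES = {"roles/owner", "roles/editor", "roles/iam.serviceAccountUser"}

# Roles that let the Cloud Run service agent pull the image from Artifact
# Registry or from a gcr.io bucket in the image's project.
IMAGE_READ_ROLES = {"roles/owner", "roles/editor", "roles/viewer",
                    "roles/artifactregistry.reader", "roles/storage.objectViewer"}


def cloud_run_service_agent(project_number):
    """Google-managed identity that pulls images for Cloud Run (fixed naming)."""
    return f"service-{project_number}@serverless-robot-prod.iam.gserviceaccount.com"


def compute_default_service_account(project_number):
    """Runtime identity used when a deploy names no service account. It only
    exists once the Compute Engine API has been enabled in the project."""
    return f"{project_number}-compute@developer.gserviceaccount.com"


def load_policy(path):
    """Read a `gcloud ... get-iam-policy --format=json` file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def roles_for(policy, member):
    """Roles a policy binds to `member` (prefixed form, e.g. 'user:a@b.c'),
    plus roles open to allUsers / allAuthenticatedUsers.

    Conditional bindings are skipped: a condition may not hold for the deploy
    request, so such a grant is not treated as guaranteed.
    """
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        members = set(binding.get("members", []))
        if members & {member, "allUsers", "allAuthenticatedUsers"}:
            roles.add(binding["role"])
    return roles


def check_cloud_run_deploy(deployer, runtime_sa, project_policy, sa_policy,
                           existing_sas, image_policy, service_agent):
    """Map each prerequisite to (passed, supporting roles or identity)."""
    results = {}

    project_roles = roles_for(project_policy, deployer)
    deploy = project_roles & DEPLOY_ROLES
    results["deployer_can_deploy"] = (bool(deploy), sorted(deploy))

    # A binding on a missing account shows as 'deleted:serviceAccount:...'
    # in the policy and grants nothing, so existence is checked first.
    exists = runtime_sa in existing_sas
    results["runtime_sa_exists"] = (exists, runtime_sa)

    act_as = (project_roles | roles_for(sa_policy, deployer)) & ACT_AS_ROLES
    results["deployer_can_act_as"] = (exists and bool(act_as), sorted(act_as))

    pull = roles_for(image_policy, f"serviceAccount:{service_agent}") & IMAGE_READ_ROLES
    results["service_agent_can_pull_image"] = (bool(pull), sorted(pull))
    return results


# --- constructed sample data (all identifiers are assumptions) ---------------
PROJECT_NUMBER = "123456789012"
DEPLOYER = "user:deployer@example.com"
RUNTIME_SA = compute_default_service_account(PROJECT_NUMBER)
SERVICE_AGENT = cloud_run_service_agent(PROJECT_NUMBER)

# Mirrors the roles the poster lists: Owner, Cloud Run Admin, SA User.
PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner", "members": [DEPLOYER]},
    {"role": "roles/run.admin", "members": [DEPLOYER]},
    {"role": "roles/iam.serviceAccountUser", "members": [DEPLOYER]},
]}
SA_POLICY = {"bindings": []}

# Failure mode to surface: the default compute account is not in the project.
EXISTING_SAS = ["custom-runner@example-project.iam.gserviceaccount.com"]

# Public image project: allUsers can read, so any service agent can pull.
PUBLIC_IMAGE_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}
# Private image project that grants only some other project's service agent.
PRIVATE_IMAGE_POLICY = {"bindings": [
    {"role": "roles/artifactregistry.reader",
     "members": ["serviceAccount:" + cloud_run_service_agent("999999999999")]}]}


def report(results):
    for name, (ok, detail) in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {detail}")


if __name__ == "__main__":
    report(check_cloud_run_deploy(DEPLOYER, RUNTIME_SA, PROJECT_POLICY, SA_POLICY,
                                  EXISTING_SAS, PUBLIC_IMAGE_POLICY, SERVICE_AGENT))
```

Run the gcloud exports with the same identity that performs the deploy, and feed them in with `load_policy`. Two design points: bindings with an IAM condition are deliberately not counted, because a conditional grant can silently not apply to the request that failed; and the actAs check is gated on the account existing, since a role binding on a deleted account (rendered as `deleted:serviceAccount:...` in the policy) grants nothing, which is one way an Owner can still see an actAs denial.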
