Google Cloud Platform – Cloud Run Service Account Permission Issue

google-cloud-platformgoogle-cloud-storagejava

I'm working on a program that will run on Google Cloud Run and has files stored in Google Cloud storage.

The problem I'm experiencing happens when attempting to generate a signed URL to download a file from Cloud storage that is usually private. On my local machine it works fine, but when running in Cloud Run it does not.

Locally I am using a service account that has the Storage Object Admin role assigned to it. I load the permissions using an environment variable called GOOGLE_APPLICATION_CREDENTIALS with in its value the absolute path to the key .json file I downloaded from the cloud console.

On Cloud Run, I granted the same role to the service account that the service runs as. However, when I attempt to sign anything on there, I get an exception:

java.io.IOException: Error code 403 trying to sign provided bytes: The caller does not have permission

In my code I don't explicitly select any service account since the SDK documentation makes me believe this is done automatically. In Cloud Run I do not have a GOOGLE_APPLICATION_CREDENTIALS variable set because I thought this was also done automatically.

What confuses me is that the application running in Cloud Run can still upload files to Cloud Storage fine, so this makes me think it does have some form of credentials from somewhere.

What am I doing wrong?

Best Answer

TL;DR: Make sure the service account has the iam.serviceAccounts.signBlob permission.

After further investigating the method I used to acquire credentials on Cloud Run:

GoogleCredentials credentials = ComputeEngineCredentials.create();
Storage storage = StorageOptions.newBuilder().setCredentials(credentials).build().getService();

I read the javadoc for ComputeEngineCredentials:

OAuth2 credentials representing the built-in service account for a Google Compute Engine VM. Fetches access tokens from the Google Compute Engine metadata server. These credentials use the IAM API to sign data. See sign(byte[]) for more details.

After this I read the javadoc for sign(byte[]) (emphasis mine):

Signs the provided bytes using the private key associated with the service account. The Compute Engine's project must enable the Identity and Access Management (IAM) API and the instance's service account must have the iam.serviceAccounts.signBlob permission.

As such, I created a new role with just the iam.serviceAccounts.signBlob permission and assigned it to the service account that my Cloud Run configuration uses. After this, the issue immediately went away (no need to redeploy)

Related Solutions

How to modify the existing access scope of a Google Cloud Platform service account

I believe eventually you will be able to do this using IAM permissions. At the moment I do not see the options to add Cloud DNS roles in the IAM Console. In order to authorize requests to Cloud DNS you must use one of the scopes describe in this article.

i.e.

https://www.googleapis.com/auth/ndev.clouddns.readwrite
https://cloud.google.com/dns/api/authorization

If you are using the default service account, the scope has to be defined during the VM creation in the scope flag.

i.e.

gcloud compute --project "Myproject" instances create "instance-8" --zone "us-central1-f" --machine-type "n1-standard-1" --network "default" --maintenance-policy "MIGRATE" --scopes default="https://www.googleapis.com/auth/devstorage.full_control","https://www.googleapis.com/auth/ndev.clouddns.readwrite" --image "/debian-cloud/debian-8-jessie-v20161020" --boot-disk-size "10" --boot-disk-type "pd-standard" --boot-disk-device-name "instance-8"

If you associated the VM to a non-default service account during its creation, you can add Editor or Owner permissions to that account in the IAM Console. Nevertheless this might provide a wider scope that the one you are looking for.

How to Completely Logout of Google Cloud

I'm not sure if this will help you in any way but I ran into a similar issue. Once I had revoked the all credentials using the command "gcloud auth revoke --all" I was still able the execute scripts against my environment. In the end, I found the application default credentials file locating in ~/.config/gcloud/application_default_credentials.json. Renaming / Deleting this file help to remove the client library's ability to the authentication. I no get the follow

  File "audit_test.py", line 8, in main
    client = resource_manager.Client()
  File "fake_path/python3.7/site-packages/google/cloud/resource_manager/client.py", line 72, in __init__
    super(Client, self).__init__(credentials=credentials, _http=_http)
  File "fake_path/python3.7/site-packages/google/cloud/client.py", line 132, in __init__
    credentials, _ = google.auth.default()
  File "fake_path/python3.7/site-packages/google/auth/_default.py", line 321, in default
    raise exceptions.DefaultCredentialsError(_HELP_MESSAGE)
google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://cloud.google.com/docs/authentication/getting-started

Best Answer

Related Solutions

How to modify the existing access scope of a Google Cloud Platform service account

How to Completely Logout of Google Cloud

Related Topic