Cloud Build uses a special service account to execute builds on your
behalf. The email for the Cloud Build service account
is [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com. By default, Cloud Build
service account has permissions for performing several tasks such as fetching
code from your project's Cloud Source Repositories or writing objects to any
Cloud Storage bucket owned by your project.
This page explains all the permissions that the Cloud Build service account has by default. To learn how to grant or revoke permissions to the Cloud Build service account, see Configuring access for Cloud Build service account.
Default permissions of Cloud Build service account
When you enable the Cloud Build API for a Cloud project, the
Cloud Build service account is automatically created in the project
and is granted the Cloud Build Service Account role for the resources
in the project. This role contains a number of permissions, such as the ability
to update builds or write logs. The service account uses these permissions only
as required to perform actions when executing your build. For example, the service
account uses the source.repos.get permission to fetch code from your
Cloud Source Repositories if the source code for your build is in the
Cloud Source Repositories. If you don't plan to perform an action as part of the
build process, we recommend that you revoke the corresponding permission from the
Cloud Build service account to comply with the
security principle of least privilege.
The following table lists the permissions that the Cloud Build service account role contains and the purpose for which the Cloud Build service account uses these permissions.
| Permission | Description | Purpose of the permission |
|---|---|---|
cloudbuild.builds.create |
Can create builds and triggers | Required to:
|
cloudbuild.builds.update |
Can update builds and triggers | |
cloudbuild.builds.list |
Can list builds and triggers | |
cloudbuild.builds.get |
Can get a build and a trigger | |
storage.buckets.create |
Can create Cloud Storage buckets | Required to:
|
storage.buckets.get |
Can get Cloud Storage buckets | |
storage.buckets.list |
Can list Cloud Storage buckets | |
storage.objects.list |
Can list Cloud Storage objects | |
storage.objects.update |
Can update Cloud Storage objects | |
storage.objects.create |
Can write Cloud Storage objects | |
storage.objects.delete |
Can delete Cloud Storage objects | |
storage.objects.get |
Can read Cloud Storage objects | |
artifactregistry.repositories.list |
Can list repositories in Artifact Registry | Required to store and get artifacts in Artifact Registry. |
artifactregistry.repositories.get |
Can get a repository from Artifact Registry | |
artifactregistry.repositories.downloadArtifacts |
Can download artifacts from a repository in Artifact Registry | |
artifactregistry.files.list |
Can list files in Artifact Registry | |
artifactregistry.files.get |
Can get files from Artifact Registry | |
artifactregistry.packages.list |
Can list packages in Artifact Registry | |
artifactregistry.packages.get |
Can get packages from Artifact Registry | |
artifactregistry.tags.list |
Can list tags in Artifact Registry | |
artifactregistry.tags.get |
Can get tags from Artifact Registry | |
artifactregistry.versions.list |
Can list versions in Artifact Registry | |
artifactregistry.versions.get |
Can get versions in Artifact Registry | |
logging.logEntries.create |
Can write logs | Required to create build logs in Cloud Logging. |
pubsub.topics.create |
Can create Pub/Sub topics | Required to push build updates to Pub/Sub. |
pubsub.topics.publish |
Can publish to Pub/Sub | |
resourcemanager.projects.get |
Can get project information | Required to get project information and list projects. |
resourcemanager.projects.list |
Can list projects | |
source.repos.get |
Can read source code from repositories in Cloud Source Repositories | Required to:
|
source.repos.list |
Can list repositories in Cloud Source Repositories |
Build triggers and Cloud Build service account
Build triggers use Cloud Build service account to execute builds. This could provide elevated build-time permissions to users who use triggers to start a build. Keep the following security implications in mind when using build triggers:
- A user with no access to your Cloud project but with write access to the repository associated with build triggers in the project will have permissions to change the code being built.
- Additionally, if you're using GitHub pull request triggers, any user with
read access to the repository can submit a pull request, which may trigger a
build that includes changes to the code in the pull request. You can disable
this behavior by choosing the Comment control option when creating a
GitHub pull request trigger. Selecting this option will ensure that the build
is started only if a repository owner or a collaborator comments
/gcbrun. For information on using Comment control with GitHub App triggers, see Creating GitHub App triggers.
What's next
- Learn about user-specified service accounts.
- Learn about configure access for the Cloud Build service account.
- Learn about configure access for project members.
- Learn about the permissions required to view build logs.