Cloud Build uses a special service account to execute builds on your behalf. When you enable the Cloud Build API on a Google Cloud project, the Cloud Build service account is automatically created and granted the Cloud Build Service Account role for the project. This role gives the service account permissions to perform several tasks; however, you can grant more permissions to the service account to perform additional tasks. This page explains how to grant permissions to, and revoke permissions from, the Cloud Build service account.
Before you begin
- Understand Cloud Build roles and permissions.
- Read Cloud Build service account.
Granting a role to the Cloud Build service account using the Settings page
You can grant certain commonly used IAM roles to the Cloud Build service account using the Cloud Build Settings page in the Google Cloud console:
1. Open the Cloud Build Settings page in the Google Cloud console. You'll see the Service account permissions page.
2. Set the status of the role you wish to add to Enable.
Granting a role to the Cloud Build service account using the IAM page
If the role you want to grant is not listed in the Cloud Build Settings page in the Google Cloud console, use the IAM page to grant the role:
1. Open the IAM page.
2. Select your Google Cloud project.
3. In the permissions table, locate the row with the email address ending with @cloudbuild.gserviceaccount.com. This is your Cloud Build service account.
4. Click on the pencil icon.
5. Select the role you wish to grant to the Cloud Build service account.
6. Click Save.
Revoking a role from the Cloud Build service account
1. Open the IAM page.
2. Select your Google Cloud project.
3. In the permissions table, locate the row with the email address ending with @cloudbuild.gserviceaccount.com. This is your Cloud Build service account.
4. Click on the pencil icon.
5. Locate the role you want to revoke and click the trash can (delete) icon next to the role.
Granting a role to the Cloud Build service agent
In addition to the Cloud Build service account, Cloud Build has another Google-managed service account called the Cloud Build Service Agent that allows other Google Cloud services to access your resources. When you enable the Cloud Build API, the service agent is automatically created in the Google Cloud project. The service agent has the following format, where PROJECT_NUMBER is your project number:
service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com
You can view the service agent for a project by going to the IAM page in the Google Cloud console and selecting the Show google managed service accounts checkbox.
If you've accidentally deleted the Cloud Build service agent from your project, you can add it manually using the following steps:
Console
1. Open the IAM page in the Google Cloud console.
2. Click Grant access.
3. Add the following principal, where PROJECT_NUMBER is your project number:
   service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com
4. Select Service Agents > Cloud Build Service Agent as your role.
5. Click Save.
gcloud
Grant the roles/cloudbuild.serviceAgent IAM role to the Cloud Build service agent:
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com" \
    --role="roles/cloudbuild.serviceAgent"
Replace the placeholder values in the command with the following:
- PROJECT_ID: The project ID
- PROJECT_NUMBER: The project number
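The revocation steps and the service-agent check described above, as an added example that is not part of the Google Cloud documentation: it reads the JSON form of a project IAM policy (the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`; the policy, project number and member addresses below are constructed), lists every role bound to the Cloud Build service account beyond its default Cloud Build Service Account role (role ID roles/cloudbuild.builds.builder), reports whether the service agent still holds roles/cloudbuild.serviceAgent, and computes the policy that would result from revoking one binding. The helper function names are this example's own.

```python
import json

# Constructed sample (not from a real project): the JSON shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
PROJECT_NUMBER = "123456789012"
SAMPLE_POLICY = json.loads("""
{"version": 1, "etag": "BwXexample=", "bindings": [
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/owner",
   "members": ["user:admin@example.com",
               "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}]}
""")

# Default role granted to the Cloud Build service account ("Cloud Build Service Account").
DEFAULT_BUILD_ROLE = "roles/cloudbuild.builds.builder"
SERVICE_AGENT_ROLE = "roles/cloudbuild.serviceAgent"

def cloud_build_sa(project_number):
    """IAM member string of the Cloud Build service account."""
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"

def service_agent(project_number):
    """IAM member string of the Cloud Build service agent."""
    return f"serviceAccount:service-{project_number}@gcp-sa-cloudbuild.iam.gserviceaccount.com"

def roles_of(policy, member):
    """All roles bound to `member` at the project level, sorted."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))

def audit(policy, project_number):
    """Roles to review for revocation, plus whether the service agent lost its role."""
    extra = [r for r in roles_of(policy, cloud_build_sa(project_number))
             if r != DEFAULT_BUILD_ROLE]
    agent_ok = SERVICE_AGENT_ROLE in roles_of(policy, service_agent(project_number))
    return {"extra_roles": extra, "service_agent_missing": not agent_ok}

def revoke(policy, member, role):
    """Policy with `member` removed from `role`; etag kept for the later set-iam-policy call."""
    new = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    for b in new["bindings"]:
        if b["role"] == role and member in b["members"]:
            b["members"].remove(member)
    new["bindings"] = [b for b in new["bindings"] if b["members"]]  # drop empty bindings
    return new
```

Against the sample policy, audit() flags roles/owner and roles/storage.objectViewer as candidates for revocation and reports the service agent binding as missing; revoke() is the equivalent of one `gcloud projects remove-iam-policy-binding` call, applied to the local copy.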
What's next
- Learn about user-specified service accounts.
- Learn about service accounts in depth.
- Learn about configuring access to Cloud Build resources.
- Learn about the permissions required to view build logs.