Cloud Build service account

Cloud Build uses a special service account to execute builds on your behalf. The email for the Cloud Build service account is [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com. By default, the Cloud Build service account has permissions to perform several tasks, such as fetching code from your project's Cloud Source Repositories or writing objects to any Cloud Storage bucket owned by your project.

This page explains all the permissions that the Cloud Build service account has by default. To learn how to grant or revoke permissions to the Cloud Build service account, see Configuring access for Cloud Build service account.

Default permissions of Cloud Build service account

When you enable the Cloud Build API for a Cloud project, the Cloud Build service account is automatically created in the project and is granted the Cloud Build Service Account role for the resources in the project. This role contains a number of permissions, such as the ability to update builds or write logs. The service account uses these permissions only as required to perform actions when executing your build. For example, the service account uses the source.repos.get permission to fetch code from Cloud Source Repositories if the source code for your build is stored there. If you don't plan to perform an action as part of the build process, we recommend that you revoke the corresponding permission from the Cloud Build service account to comply with the security principle of least privilege.

The following table lists the permissions that the Cloud Build Service Account role contains and the purpose for which the Cloud Build service account uses each of them.

| Permission | Description | Purpose of the permission |
|---|---|---|
| cloudbuild.builds.create | Can create builds and triggers | Required to use build triggers and to create, list, get, or cancel builds. |
| cloudbuild.builds.update | Can update builds and triggers | Same as above. |
| cloudbuild.builds.list | Can list builds and triggers | Same as above. |
| cloudbuild.builds.get | Can get a build and a trigger | Same as above. |
| storage.buckets.create | Can create Cloud Storage buckets | Required to store and get images in Container Registry; store and get artifacts in Cloud Storage; submit builds manually via gcloud builds submit; and store build logs in a user-created logs bucket. |
| storage.buckets.get | Can get Cloud Storage buckets | Same as above. |
| storage.buckets.list | Can list Cloud Storage buckets | Same as above. |
| storage.objects.list | Can list Cloud Storage objects | Same as above. |
| storage.objects.update | Can update Cloud Storage objects | Same as above. |
| storage.objects.create | Can write Cloud Storage objects | Same as above. |
| storage.objects.delete | Can delete Cloud Storage objects | Same as above. |
| storage.objects.get | Can read Cloud Storage objects | Same as above. |
| artifactregistry.repositories.list | Can list repositories in Artifact Registry | Required to store and get artifacts in Artifact Registry. |
| artifactregistry.repositories.get | Can get a repository from Artifact Registry | Same as above. |
| artifactregistry.repositories.downloadArtifacts | Can download artifacts from a repository in Artifact Registry | Same as above. |
| artifactregistry.files.list | Can list files in Artifact Registry | Same as above. |
| artifactregistry.files.get | Can get files from Artifact Registry | Same as above. |
| artifactregistry.packages.list | Can list packages in Artifact Registry | Same as above. |
| artifactregistry.packages.get | Can get packages from Artifact Registry | Same as above. |
| artifactregistry.tags.list | Can list tags in Artifact Registry | Same as above. |
| artifactregistry.tags.get | Can get tags from Artifact Registry | Same as above. |
| artifactregistry.versions.list | Can list versions in Artifact Registry | Same as above. |
| artifactregistry.versions.get | Can get versions in Artifact Registry | Same as above. |
| logging.logEntries.create | Can write logs | Required to create build logs in Cloud Logging. |
| pubsub.topics.create | Can create Pub/Sub topics | Required to push build updates to Pub/Sub. |
| pubsub.topics.publish | Can publish to Pub/Sub | Same as above. |
| resourcemanager.projects.get | Can get project information | Required to get project information and list projects. |
| resourcemanager.projects.list | Can list projects | Same as above. |
| source.repos.get | Can read source code from repositories in Cloud Source Repositories | Required to use Bitbucket and Cloud Source Repositories triggers, and to pull source code from Cloud Source Repositories. |
| source.repos.list | Can list repositories in Cloud Source Repositories | Same as above. |
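The least-privilege recommendation above is easier to act on when the table is turned into data. The following is an added example, not code from the Cloud Build documentation: it encodes the permission groups from the table, splits them into "keep" and "revoke" sets from the build features a project actually uses, checks a project IAM policy (in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns) for roles bound to the service account beyond the default one, and emits the gcloud commands for swapping in a trimmed custom role. The role ID roles/cloudbuild.builds.builder for the "Cloud Build Service Account" role is not stated on this page and is assumed from GCP IAM; the feature names, the project values and the sample policy are constructed for the example.

```python
"""Least-privilege helper for the Cloud Build service account (added example)."""
import json

DEFAULT_ROLE = "roles/cloudbuild.builds.builder"  # assumed ID of the "Cloud Build Service Account" role

# Permission groups from the table above, keyed by a constructed feature name.
PERMISSIONS_BY_FEATURE = {
    "builds_and_triggers": [
        "cloudbuild.builds.create", "cloudbuild.builds.update",
        "cloudbuild.builds.list", "cloudbuild.builds.get",
    ],
    "cloud_storage": [  # Container Registry images, Cloud Storage artifacts, gcloud builds submit, user logs bucket
        "storage.buckets.create", "storage.buckets.get", "storage.buckets.list",
        "storage.objects.list", "storage.objects.update", "storage.objects.create",
        "storage.objects.delete", "storage.objects.get",
    ],
    "artifact_registry": [
        "artifactregistry.repositories.list", "artifactregistry.repositories.get",
        "artifactregistry.repositories.downloadArtifacts",
        "artifactregistry.files.list", "artifactregistry.files.get",
        "artifactregistry.packages.list", "artifactregistry.packages.get",
        "artifactregistry.tags.list", "artifactregistry.tags.get",
        "artifactregistry.versions.list", "artifactregistry.versions.get",
    ],
    "cloud_logging": ["logging.logEntries.create"],
    "pubsub_notifications": ["pubsub.topics.create", "pubsub.topics.publish"],
    "project_info": ["resourcemanager.projects.get", "resourcemanager.projects.list"],
    "cloud_source_repositories": ["source.repos.get", "source.repos.list"],
}


def build_sa_email(project_number):
    """Email of the Cloud Build service account, in the form given on the page."""
    return f"{project_number}@cloudbuild.gserviceaccount.com"


def all_default_permissions():
    """Every permission the default role grants, as listed in the table."""
    return [p for perms in PERMISSIONS_BY_FEATURE.values() for p in perms]


def least_privilege_permissions(features_in_use):
    """Split the default permissions into (keep, revoke) for the features a project uses."""
    unknown = set(features_in_use) - set(PERMISSIONS_BY_FEATURE)
    if unknown:
        raise ValueError(f"unknown build features: {sorted(unknown)}")
    keep, revoke = [], []
    for feature, perms in PERMISSIONS_BY_FEATURE.items():
        (keep if feature in features_in_use else revoke).extend(perms)
    return keep, revoke


def roles_bound_to(policy, member):
    """Roles a member holds in a project IAM policy (get-iam-policy JSON shape)."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def unexpected_roles(policy, member, expected_role=DEFAULT_ROLE):
    """Roles beyond the default one; each widens what any triggered build can do."""
    return [r for r in roles_bound_to(policy, member) if r != expected_role]


def custom_role_commands(project_id, project_number, role_id, permissions):
    """gcloud commands that create a trimmed custom role and swap it in for the default role."""
    member = "serviceAccount:" + build_sa_email(project_number)
    return [
        f"gcloud iam roles create {role_id} --project={project_id} "
        f"--title='Cloud Build least privilege' --permissions={','.join(permissions)}",
        f"gcloud projects add-iam-policy-binding {project_id} --member={member} "
        f"--role=projects/{project_id}/roles/{role_id}",
        f"gcloud projects remove-iam-policy-binding {project_id} --member={member} "
        f"--role={DEFAULT_ROLE}",
    ]


# Constructed sample policy: the service account holds the default role plus an
# extra roles/editor binding that someone added; an admin user is unrelated noise.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ],
  "etag": "BwXconstructed=", "version": 1
}""")

if __name__ == "__main__":
    sa = "serviceAccount:" + build_sa_email("123456789012")
    print("roles beyond the default:", unexpected_roles(SAMPLE_POLICY, sa))
    # Constructed scenario: builds come from Cloud Source Repositories, logs go to Cloud Logging.
    keep, revoke = least_privilege_permissions(
        {"builds_and_triggers", "cloud_logging", "cloud_source_repositories", "project_info"})
    print(f"keep {len(keep)} permissions, revoke {len(revoke)}")
    for cmd in custom_role_commands("my-project", "123456789012", "cloudBuildMinimal", keep):
        print(cmd)
```

Run the policy check against a real project by piping `gcloud projects get-iam-policy PROJECT --format=json` into `json.load` and passing the result to unexpected_roles; anything beyond the default role is reachable from every build the triggers in the project start. Apply the generated commands in a non-production project first, since a revoked permission that a later build step needs makes that build fail.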

Build triggers and Cloud Build service account

Build triggers use the Cloud Build service account to execute builds. This can give elevated build-time permissions to users who start builds through triggers. Keep the following security implications in mind when using build triggers:

  • A user with no access to your Cloud project but with write access to the repository associated with build triggers in the project will have permissions to change the code being built.
  • Additionally, if you're using GitHub pull request triggers, any user with read access to the repository can submit a pull request, which may trigger a build that includes changes to the code in the pull request. You can disable this behavior by choosing the Comment control option when creating a GitHub pull request trigger. Selecting this option will ensure that the build is started only if a repository owner or a collaborator comments /gcbrun. For information on using Comment control with GitHub App triggers, see Creating GitHub App triggers.
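The pull request exposure described above can be audited from the trigger list. The following is an added example, not code from the Cloud Build documentation: it walks trigger definitions in the JSON shape returned by `gcloud builds triggers list --format=json` and flags GitHub pull request triggers that run without Comment control, that is, triggers where anyone with read access to the repository can start a build that runs with the service account's permissions. The field path github.pullRequest.commentControl and the values COMMENTS_DISABLED, COMMENTS_ENABLED and COMMENTS_ENABLED_FOR_EXTERNAL_CONTRIBUTORS_ONLY are assumed from the Cloud Build API rather than taken from this page; the sample triggers are constructed.

```python
"""Flag GitHub pull request triggers that lack Comment control (added example)."""
import json

# Values under which a /gcbrun comment from an owner or collaborator gates the build
# (assumed Cloud Build API enum names; not stated on this page).
GATED_COMMENT_CONTROL = {
    "COMMENTS_ENABLED",
    "COMMENTS_ENABLED_FOR_EXTERNAL_CONTRIBUTORS_ONLY",
}


def is_pull_request_trigger(trigger):
    """True for GitHub triggers that fire on pull request events."""
    return "pullRequest" in trigger.get("github", {})


def comment_control(trigger):
    """Comment control setting of a PR trigger; an absent field behaves as disabled."""
    return (trigger.get("github", {})
                   .get("pullRequest", {})
                   .get("commentControl", "COMMENTS_DISABLED"))


def ungated_pr_triggers(triggers):
    """Names of GitHub PR triggers that any repository reader can fire by opening a PR."""
    return [t["name"] for t in triggers
            if is_pull_request_trigger(t)
            and comment_control(t) not in GATED_COMMENT_CONTROL]


def trigger_report(triggers):
    """One line per trigger: event type, repository, and who can start a build."""
    lines = []
    for t in triggers:
        gh = t.get("github", {})
        repo = f"{gh.get('owner')}/{gh.get('name')}" if gh else "(non-GitHub source)"
        if is_pull_request_trigger(t):
            event = "pull_request"
            status = ("gated by /gcbrun from an owner or collaborator"
                      if comment_control(t) in GATED_COMMENT_CONTROL
                      else "UNGATED: any reader of the repo can start a build")
        else:
            event = "push"
            status = "needs write access to the repo"
        lines.append(f"{t['name']}: {event} on {repo}; {status}")
    return lines


# Constructed sample in the shape of `gcloud builds triggers list --format=json`.
SAMPLE_TRIGGERS = json.loads("""[
  {"id": "00000000-0000-0000-0000-000000000001", "name": "ci-pr-open",
   "github": {"owner": "example-org", "name": "service",
              "pullRequest": {"branch": "^main$"}},
   "filename": "cloudbuild.yaml"},
  {"id": "00000000-0000-0000-0000-000000000002", "name": "ci-pr-gated",
   "github": {"owner": "example-org", "name": "service",
              "pullRequest": {"branch": "^main$", "commentControl": "COMMENTS_ENABLED"}},
   "filename": "cloudbuild.yaml"},
  {"id": "00000000-0000-0000-0000-000000000003", "name": "deploy-main",
   "github": {"owner": "example-org", "name": "service",
              "push": {"branch": "^main$"}},
   "filename": "cloudbuild.yaml"}
]""")

if __name__ == "__main__":
    for line in trigger_report(SAMPLE_TRIGGERS):
        print(line)
    print("ungated PR triggers:", ungated_pr_triggers(SAMPLE_TRIGGERS))
```

Note that "gated" here only means the build waits for a /gcbrun comment; the build still runs with whatever permissions the service account holds, so trimming those permissions and gating pull request triggers are complementary controls.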

What's next