Configuring access for Cloud Build Service Account

Cloud Build uses a special service account to execute builds on your behalf. When you enable the Cloud Build API on a Google Cloud project, the Cloud Build service account is automatically created and granted the Cloud Build Service Account role for the project. This role gives the service account permissions to perform several tasks; you can grant more permissions to the service account so that it can perform additional tasks. This page explains how to grant and revoke permissions to the Cloud Build service account.

Before you begin

Granting a role using the Settings page

You can grant certain commonly used IAM roles to the Cloud Build service account using the Cloud Build Settings page in the Cloud Console:

  1. Open the Cloud Build Settings page.

    You'll see the Service account permissions page.

  2. Set the status of the role you wish to add to Enable.

Granting a role using the IAM page

If the role you want to grant is not listed in the Cloud Build Settings page in the Cloud Console, use the IAM page to grant the role:

  1. Open the IAM page.

  2. Select your Cloud project.

  3. In the permissions table, locate the row with the email address ending with @cloudbuild.gserviceaccount.com. This is your Cloud Build service account.

  4. Click on the pencil icon.

  5. Select the role you wish to grant to the Cloud Build service account.

  6. Click Save.

Revoking a role

  1. Open the IAM page.

  2. Select your Cloud project.

  3. In the permissions table, locate the row with the email address ending with @cloudbuild.gserviceaccount.com. This is your Cloud Build service account.

  4. Click on the pencil icon.

  5. Locate the role you want to revoke and click the trash can (delete) icon next to the role.
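
To review what the Cloud Build service account already holds before granting or revoking a role, the following added example (not part of the original page and not Google's tooling) reads an IAM policy in the JSON shape printed by `gcloud projects get-iam-policy`, lists the roles bound to the `@cloudbuild.gserviceaccount.com` account, and computes the policy that revoking one role would leave. The sample policy, the project number in it and the `BROAD_ROLES` set are constructed assumptions.

```python
import copy
import json

CB_SUFFIX = "@cloudbuild.gserviceaccount.com"
# Assumption of this example: basic roles are too broad for a build identity.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample, shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/run.admin",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com",
               "user:dev@example.com"]}],
 "etag": "CONSTRUCTED", "version": 1}
""")

def cloud_build_roles(policy):
    """Map each Cloud Build service account member to its sorted roles."""
    found = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            # Skips users, groups and "deleted:serviceAccount:..." entries.
            if member.startswith("serviceAccount:") and member.endswith(CB_SUFFIX):
                found.setdefault(member, set()).add(binding["role"])
    return {member: sorted(roles) for member, roles in found.items()}

def broad_grants(policy):
    """(member, role) pairs where the build account holds a broad role."""
    return sorted((m, r) for m, roles in cloud_build_roles(policy).items()
                  for r in roles if r in BROAD_ROLES)

def revoke(policy, member, role):
    """Copy of the policy with `member` removed from every binding of `role`."""
    updated = copy.deepcopy(policy)
    for binding in updated.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
    # A binding left without members is dropped from the result.
    updated["bindings"] = [b for b in updated.get("bindings", []) if b.get("members")]
    return updated

if __name__ == "__main__":
    for member, role in broad_grants(SAMPLE_POLICY):
        print("candidate to revoke:", role, "from", member)
        print(json.dumps(revoke(SAMPLE_POLICY, member, role), indent=2))
```

`revoke` removes the member from every binding of the role, including conditional ones, and leaves the input policy untouched so the two can be compared.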

What's next