Setting Service Account Permissions

This page explains how the Container Builder service account works, and how to grant the service account access to other projects.

What is the Container Builder service account?

Container Builder executes your builds using a service account, a special Google account that executes builds on your behalf. The email for the Container Builder service account is [YOUR_PROJECT_ID]@cloudbuild.gserviceaccount.com, where [YOUR_PROJECT_ID] is your numeric Google Cloud Platform project ID (the project number, as used in the commands below), not the alphanumeric project ID.

You can view your project's service accounts via the IAM menu of the GCP Console.

When you enable the Container Builder API, the service account is automatically created and granted the Cloud Container Builder role for your project. This role is sufficient for several tasks, including:

  • Fetching code from your project's Cloud Source Repository
  • Downloading files from a Cloud Storage bucket owned by your project
  • Saving build logs in Cloud Logging
  • Pushing Docker images to Container Registry
  • Pulling base images from Container Registry

The service account performs these actions only as required to execute your build. For example, the service account does not fetch code from your Cloud Source Repository unless you instruct it to do so.

Granting additional access

The service account's default permissions do not allow the account to perform certain actions, such as deploying to App Engine or managing Compute Engine or Kubernetes Engine resources.

You can enable your service account to perform these actions by granting the account additional IAM roles. Use the IAM & Admin section in the Google Cloud Platform Console and add the appropriate roles to the service account's list of roles.

Pull private images from other Google Cloud Platform projects

You can grant permissions to pull private images from another Cloud Platform project, provided that the service account has access to the project. For example, you might want to execute a build in Project A that can pull images from Project B.

To grant your service account these permissions, run the following commands in your shell or terminal window:

PROJECT_NUM_A=[PROJECT_NUMBER_FOR_A]
PROJECT_ID_B=[PROJECT_ID_FOR_B]
gsutil acl ch -r -u $PROJECT_NUM_A@cloudbuild.gserviceaccount.com:R gs://artifacts.$PROJECT_ID_B.appspot.com
gsutil acl ch    -u $PROJECT_NUM_A@cloudbuild.gserviceaccount.com:R gs://artifacts.$PROJECT_ID_B.appspot.com
gsutil defacl ch -u $PROJECT_NUM_A@cloudbuild.gserviceaccount.com:R gs://artifacts.$PROJECT_ID_B.appspot.com

Push private images to other Google Cloud Platform projects

You can grant permissions to push private images to another Cloud Platform project, provided that the service account has access to the project. For example, you might want to execute a build in Project A that can push images to Project B.

To grant your service account these permissions, run the following commands in your shell or terminal window:

PROJECT_NUM_A=[PROJECT_NUMBER_FOR_A]
PROJECT_ID_B=[PROJECT_ID_FOR_B]
gsutil acl ch -r -u $PROJECT_NUM_A@cloudbuild.gserviceaccount.com:W gs://artifacts.$PROJECT_ID_B.appspot.com
gsutil acl ch    -u $PROJECT_NUM_A@cloudbuild.gserviceaccount.com:W gs://artifacts.$PROJECT_ID_B.appspot.com
gsutil defacl ch -u $PROJECT_NUM_A@cloudbuild.gserviceaccount.com:W gs://artifacts.$PROJECT_ID_B.appspot.com
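After granting pull (:R) or push (:W) access as in the two procedures above, a practitioner will want to verify that the artifacts bucket in Project B carries only the intended cross-project grants and no stronger ones. The following added example (not part of the original page or of the gsutil tool) parses the JSON that `gsutil acl get gs://artifacts.[PROJECT_ID_FOR_B].appspot.com` prints, picks out every Cloud Build service account entry, and compares each against an intended map of project number to gsutil permission letter. The sample ACL and project numbers are constructed for illustration.

```python
import json
import re

# Cloud Build service accounts are named [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com.
CLOUDBUILD_SA = re.compile(r"^(\d+)@cloudbuild\.gserviceaccount\.com$")
# gsutil "acl ch" permission letters mapped to the role names "acl get" reports.
ROLE_FOR_LETTER = {"R": "READER", "W": "WRITER", "O": "OWNER"}
RANK = {"READER": 1, "WRITER": 2, "OWNER": 3}

# Constructed sample of "gsutil acl get" output for Project B's artifacts bucket.
SAMPLE_ACL = json.dumps([
    {"entity": "project-owners-222222222222", "role": "OWNER",
     "projectTeam": {"projectNumber": "222222222222", "team": "owners"}},
    {"entity": "user-123456789012@cloudbuild.gserviceaccount.com",
     "email": "123456789012@cloudbuild.gserviceaccount.com", "role": "READER"},
    {"entity": "user-999999999999@cloudbuild.gserviceaccount.com",
     "email": "999999999999@cloudbuild.gserviceaccount.com", "role": "WRITER"},
])

def cloudbuild_grants(acl_json):
    """Return {project_number: role} for every Cloud Build service account in the ACL."""
    grants = {}
    for entry in json.loads(acl_json):
        match = CLOUDBUILD_SA.match(entry.get("email", ""))  # project-team entries have no email
        if match:
            grants[match.group(1)] = entry["role"]
    return grants

def audit_grants(acl_json, intended):
    """Compare actual grants with intended ones ({project_number: "R"/"W"/"O"}).

    Returns a list of (project_number, actual_role, verdict) where verdict is
    "ok", "over-privileged" (stronger role than intended), "unexpected"
    (a build account from a project you never granted) or "missing".
    """
    actual = cloudbuild_grants(acl_json)
    findings = []
    for number, role in actual.items():
        if number not in intended:
            findings.append((number, role, "unexpected"))
        elif RANK[role] > RANK[ROLE_FOR_LETTER[intended[number]]]:
            findings.append((number, role, "over-privileged"))
        else:
            findings.append((number, role, "ok"))
    for number in intended:
        if number not in actual:
            findings.append((number, None, "missing"))
    return findings

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_ACL, {"123456789012": "R", "555555555555": "W"}):
        print(finding)
```

Run the audit against the real ACL with `gsutil acl get` piped into the script; any "unexpected" or "over-privileged" finding means a build in another project can do more with Project B's images than you intended.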

Troubleshooting

If you find 403 (access denied) errors in your build logs, try the following steps:

  • Disable the Container Builder API and re-enable it. Doing so should give your service account access to your project again.
  • Run the above commands again.
