Configure access for Cloud Build Service Account

Cloud Build uses a special service account to execute builds on your behalf. When you enable the Cloud Build API on a Google Cloud project, the Cloud Build service account is automatically created and granted the Cloud Build Service Account role for the project. This role gives the service account permissions to perform several tasks, however you can grant more permissions to the service account to perform additional tasks. This page explains how to grant and revoke permissions to the Cloud Build service account.

Before you begin

Granting a role to the Cloud Build service account using the Settings page

You can grant certain commonly used IAM roles to the Cloud Build service account using the Cloud Build Settings page in the Google Cloud console:

  1. Open the Cloud Build Settings page:

    Open the Cloud Build Settings page

    You'll see the Service account permissions page:

    Screenshot of the Service account permissions page

  2. Set the status of the role you want to add to Enable.

Granting a role to the Cloud Build service account using the IAM page

If the role you want to grant is not listed in the Cloud Build Settings page in the Google Cloud console, use the IAM page to grant the role:

  1. Open the IAM page:

    Open the IAM page

  2. Select your Google Cloud project.

  3. Above the permissions table, select the Include Google-provided role grants checkbox.

    You'll see that more rows appear in the permissions table.

  4. In the permissions table, locate the row with the email address ending with @cloudbuild.gserviceaccount.com. This is your Cloud Build service account.

  5. Click the pencil icon.

  6. Select the role you want to grant to the Cloud Build service account.

  7. Click Save.

Revoking a role from the Cloud Build service account

  1. Open the IAM page:

    Open the IAM page

  2. Select your Google Cloud project.

  3. Above the permissions table, select the Include Google-provided role grants checkbox.

    You'll see that more rows appear in the permissions table.

  4. In the permissions table, locate the row with the email address ending with @cloudbuild.gserviceaccount.com. This is your Cloud Build service account.

  5. Click the pencil icon.

  6. Locate the role you want to revoke and click the delete trash can next to the role.

Granting a role to the Cloud Build service agent

In addition to the Cloud Build service account, Cloud Build has another Google-managed service account called the Cloud Build Service Agent that allows other Google Cloud services to access your resources. When you enable the Cloud Build API, the service agent is automatically created in the Google Cloud project. The service agent has the following format, where PROJECT_NUMBER is your project number.

     service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com

You can view the service agent for a project by going to the IAM page in the Google Cloud console page and selecting the Show google managed service accounts checkbox.

If you've accidentally deleted the Cloud Build service agent from your project, you can add it manually using the following steps:

Console

  1. Open the IAM page in the Google Cloud console:

    Open the IAM page

  2. Click Grant access.

  3. Add the following principal, where PROJECT_NUMBER is your project number:

    service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com
    
  4. Select Service Agents > Cloud Build Service Agent as your role.

  5. Click Save.

gcloud

Grant roles/cloudbuild.serviceAgent IAM role to the Cloud Build service agent:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com" \
    --role="roles/cloudbuild.serviceAgent"

Replace the placeholder values in the command with the following:

  • PROJECT_ID: The project ID
  • PROJECT_NUMBER: The project number

What's next