google-cloud-functions google-cloud-iam google-cloud-source-repos

Failed to retrieve function source code when deploying a cloud function from a repository on a different project


I am trying to deploy a Cloud Function from a Cloud Source Repository placed in a different project, but I am getting the following error: Failed to retrieve function source code (see full proto below).

Project-A contains the cloud function and service accounts listed below. Project-B contains the source repository.

I have successfully deployed the function on Project-B.

I've tried giving the following service accounts the Source Repository Administrator role on the cloud source repository, but that did not help.

I have also tried disabling the Cloud Functions API on Project-A and turning it back on again.

I am not sure what is going wrong - if anyone has a clue as to where to further look, I would appreciate it - thanks in advance!


The deployment creates two entries in monitoring - a NOTICE followed by an ERROR:

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
      "code": 5,
      "message": "Failed to retrieve function source code"
    },
    "authenticationInfo": {
      "principalEmail": "***@***.**"
    },
    "serviceName": "cloudfunctions.googleapis.com",
    "methodName": "google.cloud.functions.v1.CloudFunctionsService.UpdateFunction",
    "resourceName": "projects/Project-A/locations/europe-west1/functions/pubsub-to-gcs"
  },
  "insertId": "-vmfbt4cd54",
  "resource": {
    "type": "cloud_function",
    "labels": {
      "function_name": "pubsub-to-gcs",
      "region": "europe-west1",
      "project_id": "Project-A"
    }
  },
  "timestamp": "2021-10-20T12:21:45.352043Z",
  "severity": "ERROR",
  "logName": "projects/Project-A/logs/cloudaudit.googleapis.com%2Factivity",
  "operation": {
    "id": "operations/cm9ldHotbGlmZS1kYXRhLXRlc3QvZXVyb3BlLXdlc3QxL3B1YnN1Yi10by1nY3MvVEhFbUQtLTZITWM",
    "producer": "cloudfunctions.googleapis.com",
    "last": true
  },
  "receiveTimestamp": "2021-10-20T12:21:45.781856467Z"
}
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "***@****.**"
    },
    "requestMetadata": {
      "callerIp": "35.205.252.75",
      "callerSuppliedUserAgent": "google-cloud-sdk gcloud/360.0.0 command/gcloud.functions.deploy invocation-id/917d697431e84b91bfa2bd9f9cc4f302 environment/devshell environment-version/None interactive/True from-script/False python/3.7.3 term/screen (Linux 5.4.144+),gzip(gfe),gzip(gfe)",
      "requestAttributes": {
        "time": "2021-10-20T12:21:44.909430Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "cloudfunctions.googleapis.com",
    "methodName": "google.cloud.functions.v1.CloudFunctionsService.UpdateFunction",
    "authorizationInfo": [
      {
        "resource": "projects/Project-A/locations/europe-west1/functions/pubsub-to-gcs",
        "permission": "cloudfunctions.functions.update",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "resourceName": "projects/Project-A/locations/europe-west1/functions/pubsub-to-gcs",
    "request": {
      "@type": "type.googleapis.com/google.cloud.functions.v1.UpdateFunctionRequest",
      "function": {
        "timeout": "60s",
        "status": "UNKNOWN",
        "serviceAccountEmail": "Project-A@appspot.gserviceaccount.com",
        "availableMemoryMb": 256,
        "name": "projects/Project-A/locations/europe-west1/functions/pubsub-to-gcs",
        "runtime": "python39",
        "labels": {
          "deployment-tool": "cli-gcloud"
        },
        "entryPoint": "pubsub-to-gcs",
        "updateTime": "2021-10-20T12:21:40.149Z",
        "sourceRepository": {
          "url": "https://source.developers.google.com/projects/Project-B/repos/my-repo/moveable-aliases/master/paths/my-folder"
        },
        "httpsTrigger": {},
        "ingressSettings": "ALLOW_ALL",
        "versionId": "1"
      },
      "updateMask": "eventTrigger,httpsTrigger,runtime,sourceRepository"
    },
    "resourceLocation": {
      "currentLocations": [
        "europe-west1"
      ]
    }
  },
  "insertId": "1xdbim3e16pgu",
  "resource": {
    "type": "cloud_function",
    "labels": {
      "function_name": "pubsub-to-gcs",
      "region": "europe-west1",
      "project_id": "Project-A"
    }
  },
  "timestamp": "2021-10-20T12:21:44.650257Z",
  "severity": "NOTICE",
  "logName": "projects/Project-A/logs/cloudaudit.googleapis.com%2Factivity",
  "operation": {
    "id": "operations/cm9ldHotbGlmZS1kYXRhLXRlc3QvZXVyb3BlLXdlc3QxL3B1YnN1Yi10by1nY3MvVEhFbUQtLTZITWM",
    "producer": "cloudfunctions.googleapis.com",
    "first": true
  },
  "receiveTimestamp": "2021-10-20T12:21:45.832588036Z"
}

Solution

  • Turns out it wasn't an IAM issue: I've tried deploying the function from the UI, but that's not possible when deploying from a source repo in a different project.

    Deploying using gcloud functions deploy solved the issue.
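
An added example, not part of the original post: the NOTICE and ERROR entries in the question share an operation id, so a short script can pair them and flag failed deployments whose source repository sits in a different project from the function. The sample entries are constructed, trimmed copies of the logs above; the function name `failed_cross_project_deploys` and the placeholder operation id are assumptions.

```python
import re

# Constructed, trimmed copies of the two audit log entries in the question
# (operation id replaced by a placeholder; only the fields used here are kept).
FN = "projects/Project-A/locations/europe-west1/functions/pubsub-to-gcs"
SAMPLE_ENTRIES = [
    {"severity": "ERROR",
     "protoPayload": {"status": {"code": 5, "message": "Failed to retrieve function source code"}},
     "operation": {"id": "operations/EXAMPLE-OP", "last": True}},
    {"severity": "NOTICE",
     "protoPayload": {"request": {"function": {
         "name": FN,
         "sourceRepository": {"url": "https://source.developers.google.com/projects/"
                                     "Project-B/repos/my-repo/moveable-aliases/master/paths/my-folder"}}}},
     "operation": {"id": "operations/EXAMPLE-OP", "first": True}},
]

SRC_RE = re.compile(r"^https://source\.developers\.google\.com/projects/([^/]+)/repos/([^/]+)")
FN_RE = re.compile(r"^projects/([^/]+)/locations/[^/]+/functions/([^/]+)$")


def failed_cross_project_deploys(entries):
    """Pair each operation's first/last entries and report failed deploys
    whose source repository lives in a different project than the function."""
    ops = {}
    for entry in entries:
        op = entry.get("operation", {})
        if "id" not in op:
            continue
        slot = ops.setdefault(op["id"], {})
        if op.get("first"):
            slot["first"] = entry   # carries the request, including the source URL
        if op.get("last"):
            slot["last"] = entry    # carries the final status
    findings = []
    for op_id, pair in ops.items():
        if "first" not in pair or "last" not in pair:
            continue  # incomplete operation: nothing to correlate
        status = pair["last"]["protoPayload"].get("status", {})
        fn = pair["first"]["protoPayload"].get("request", {}).get("function", {})
        src = SRC_RE.match(fn.get("sourceRepository", {}).get("url", ""))
        dst = FN_RE.match(fn.get("name", ""))
        if status.get("code") and src and dst and src.group(1) != dst.group(1):
            findings.append({"operation": op_id, "function": dst.group(2),
                             "function_project": dst.group(1), "source_project": src.group(1),
                             "repo": src.group(2), "error": status.get("message", "")})
    return findings

print(failed_cross_project_deploys(SAMPLE_ENTRIES))
```
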