Tags: google-cloud-functions, google-cloud-build, google-artifact-registry

GCP Cloud Functions Deployment Failing with ArtifactRegistry Error


Getting a really strange error when I try to deploy my cloud function in a particular project. I run

gcloud config set project <project>
gcloud functions deploy my_cf --entry-point start_process \
--gen2 \
--trigger-http \
--region europe-west1 \
--runtime python310 \
--service-account <service account name>@<project>.iam.gserviceaccount.com \
--no-allow-unauthenticated \
--source=./CloudFunction/

And my service account has what I would guess (based on the documentation) would be the necessary permissions and then some:

Artifact Registry Administrator
Cloud Functions Admin
Cloud Run Admin
Eventarc Event Receiver
Eventarc Service Agent
Pub/Sub Publisher
Service Account Token Creator
Storage Admin

However, I keep getting the error

OperationError: code=13, message=Build failed with status: FAILURE and message: An unexpected error occurred. Refer to build logs: https://console.cloud.google.com/cloud-build/builds;region=europe-west1/<build_id>?project=<project_number>

And when I check the Cloud Build logs, I see an error with the message:

"Step #2 - "build": ERROR: failed to create image cache: accessing cache image 
"europe-west1-docker.pkg.dev/<project>/gcf-artifacts/my--cf/cache:latest": 
connect to repo store "europe-west1-docker.pkg.dev/<project>/gcf-artifacts/<my--cf>/cache:latest": 
GET https://europe-west1-docker.pkg.dev/v2/token?scope=repository%3A<project>%2Fgcf-artifacts%2Fmy--cf%2Fcache%3Apull&service=: 
DENIED: Permission "artifactregistry.repositories.downloadArtifacts" 
denied on resource "projects/<project>/locations/europe-west1/repositories/gcf-artifacts" 
(or it may not exist)"

I have tried changing permission for both myself and the service account, but nothing seems to matter. Additionally, I have done this exercise in other projects and not had this issue. Any ideas what is wrong?


Solution

  • Seems the issue is that Cloud Functions seems to force Cloud Build to use ${NUMBER}-compute@developer.gserviceaccount.com as the service account for its build jobs. The solution was to provide this service account with the artifactregistry.repositories.downloadArtifacts permission.
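
One way to apply the fix from the answer with least privilege, as an added example that is not part of the original post: it binds roles/artifactregistry.reader (which contains artifactregistry.repositories.downloadArtifacts) on the gcf-artifacts repository only, not project-wide. The function names, the APPLY variable, the script name and the sample project values are assumptions.

```shell
#!/usr/bin/env bash
# Added example: grant the build identity pull access on the gcf-artifacts repo only.
# Prints the gcloud commands by default; set APPLY=1 to execute them.

# Default compute service account for a project number, as an IAM member string.
build_sa_member() {
  case "$1" in
    ''|*[!0-9]*) echo "project number must be numeric: '$1'" >&2; return 1 ;;
  esac
  printf 'serviceAccount:%s-compute@developer.gserviceaccount.com\n' "$1"
}

# Print (or run, when APPLY=1) one command.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Args: project id, project number, region (defaults to the page's europe-west1).
grant_repo_reader() {
  project="$1"; number="$2"; region="${3:-europe-west1}"
  member="$(build_sa_member "$number")" || return 1
  # Show who can already read the repository named in the DENIED message.
  run gcloud artifacts repositories get-iam-policy gcf-artifacts \
    --project="$project" --location="$region"
  # roles/artifactregistry.reader carries artifactregistry.repositories.downloadArtifacts.
  run gcloud artifacts repositories add-iam-policy-binding gcf-artifacts \
    --project="$project" --location="$region" \
    --member="$member" --role=roles/artifactregistry.reader
}

# Usage (hypothetical script name): ./grant.sh my-project 123456789012 [region]
#   project number: gcloud projects describe my-project --format='value(projectNumber)'
if [ "$#" -ge 2 ]; then grant_repo_reader "$@"; fi
```

Binding at the repository level keeps the default compute service account from gaining read access to every other Artifact Registry repository in the project.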