Integration between Jenkins and GCP service account, 403 forbidden
2025/4/12 update:
- Tried to put all terraform related command along with Authentication Stage and it worked, why?
- repo for reference
...
stage('Configure GCP Authentication') {
steps {
withCredentials([file(credentialsId: 'gcp-sa-dev', variable: 'GOOGLE_APPLICATION_CREDENTIALS')]) { // Ensure 'gcp-sa-dev' is your Credential ID in Jenkins
sh 'gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS'
sh 'gcloud config set project $GCP_PROJECT_ID'
echo "GCP Authentication Configured as: ${SERVICE_ACCOUNT_EMAIL}"
sh 'terraform init -backend-config="bucket=${TF_STATE_BUCKET}" -migrate-state'
sh 'terraform validate'
sh 'terraform plan -out=tfplan'
archiveArtifacts artifacts: 'tfplan'
input message: 'Approve Terraform Apply to Production?', ok: 'Proceed with Apply'
sh 'terraform apply tfplan'
}
}
}
...
2025/4/11 update:
- I tried to change to another service account and grant more accesses as suggested:
- The result is the same:
+ gcloud config set account jenkins-cicd-dev@open-data-v2-cicd.iam.gserviceaccount.com
Updated property [core/account].
+ terraform init -backend-config=bucket=terraform-state-bucket-project-data-sharing -migrate-state
[0m[1mInitializing the backend...[0m
[31m╷[0m[0m
[31m│[0m [0m[1m[31mError: [0m[0m[1mError loading state: writing "gs://terraform-state-bucket-project-data-sharing/terraform/state/default.tflock" failed: googleapi: Error 403: Access denied., forbidden
[31m│[0m [0mstorage: object doesn't exist[0m
[31m│[0m [0m
[31m│[0m [0m[0m
[31m╵[0m[0m
- Then I tried to upload a file to the bucket using the same sa on gcloud, it works fine on gcloud:
Your Cloud Platform project in this session is set to open-data-v2-cicd.
Use `gcloud config set project [PROJECT_ID]` to change to a different project.
shihwenwutw@cloudshell:~ (open-data-v2-cicd)$ gcloud auth activate-service-account jenkins-cicd-dev@open-data-v2-cicd.iam.gserviceaccount.com \
--key-file=sa-key-3.json
Activated service account credentials for: [jenkins-cicd-dev@open-data-v2-cicd.iam.gserviceaccount.com]
shihwenwutw@cloudshell:~ (open-data-v2-cicd)$ gcloud auth list
Credentialed Accounts
ACTIVE: *
ACCOUNT: jenkins-cicd-dev@open-data-v2-cicd.iam.gserviceaccount.com
ACTIVE:
ACCOUNT: xxx@gmail.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`
shihwenwutw@cloudshell:~ (open-data-v2-cicd)$ gsutil ls gs://terraform-state-bucket-project-data-sharing/
shihwenwutw@cloudshell:~ (open-data-v2-cicd)$ echo "This is a test file from Jenkins SA." > dummy.txt
shihwenwutw@cloudshell:~ (open-data-v2-cicd)$ gcloud storage cp dummy.txt gs://terraform-state-bucket-project-data-sharing/terraform/state/test-upload.txt
Copying file://dummy.txt to gs://terraform-state-bucket-project-data-sharing/terraform/state/test-upload.txt
Completed files 1/1 | 37.0B/37.0B
- As above testing, looks like the issue is not service account from GCP, it's something on Jenkins side?
- here is my GitHub repo
Original post
I am trying to set up a datapipline which:
- when updating the terraform on the GitHub repo, Jenkins Pipeline would be triggered and deploy the changes to the resources on GCP project.
What I have done:
- I have set up Jenkins (ver. 2.492.3) on GCP VM, connecting it with Github by webhook.
- The pipeline would trigger if the repo is updated.
Issue I encountered:
- The log keep showing
403 forbiddenfor the service account I used.
+ terraform init -backend-config=bucket=terraform-state-bucket--data-sharing
[0m[1mInitializing the backend...[0m
[31m╷[0m[0m
[31m│[0m [0m[1m[31mError: [0m[0m[1mError loading state: writing "gs://terraform-state-bucket--data-sharing/terraform/state/default.tflock" failed: googleapi: Error 403: Access denied., forbidden
[31m│[0m [0mstorage: object doesn't exist[0m
[31m│[0m [0m
[31m│[0m [0m[0m
[31m╵[0m[0m
- I have granted the role for
Storage admin
- The Account used is correct (
data-sharing-jenkins...)
+ gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
443305306906-compute@developer.gserviceaccount.com
* data-sharing-jenkins-tf-dev@open-data-v2-cicd.iam.gserviceaccount.com
jenkins-cicd-dev@open-data-v2-cicd.iam.gserviceaccount.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`
[Pipeline] sh
+ gcloud config list
[core]
account = data-sharing-jenkins-tf-dev@open-data-v2-cicd.iam.gserviceaccount.com
disable_usage_reporting = True
project = open-data-v2-cicd
Your active configuration is: [default]
- The
main.tffile that created the bucket
terraform {
backend "gcs" {
bucket = "terraform-state-bucket--data-sharing"
prefix = "terraform/state"
region = "asia-east1"
}
}
resource "google_storage_bucket" "my-bucket" {
name = "test-githubdemo-bucket-001"
project = "open-data-v2-cicd"
location = "asia-east1"
force_destroy = true
public_access_prevention = "enforced"
}
The backend bucket is already created:
Here is the Jenkins Pipeline script:
pipeline {
agent any
tools {
terraform 'Terraform-v1.11.3'
}
environment {
GCP_PROJECT_ID = 'open-data-v2-cicd'
TF_STATE_BUCKET = 'terraform-state-bucket--data-sharing'
GCP_REGION = 'asia-east1'
SERVICE_ACCOUNT_EMAIL = 'jenkins-cicd-dev@open-data-v2-cicd.iam.gserviceaccount.com'
}
stages {
stage('Checkout Code') {
steps {
checkout scm
}
}
stage('Configure GCP Authentication') {
steps {
withCredentials([file(credentialsId: 'gcp-sa-dev', variable: 'GOOGLE_APPLICATION_CREDENTIALS')]) {
sh 'gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS'
sh 'gcloud config set project $GCP_PROJECT_ID'
sh 'gcloud auth list'
sh 'gcloud config list'
}
}
}
stage('Terraform Init') {
steps {
sh 'terraform init -backend-config="bucket=${TF_STATE_BUCKET}"'
}
}
stage('Terraform Validate') {
steps {
sh 'terraform validate'
}
}
stage('Terraform Plan') {
steps {
sh 'terraform plan -out=tfplan'
// Optionally, archive the plan file as an artifact for review
archiveArtifacts artifacts: 'tfplan'
}
}
stage('Terraform Apply') {
steps {
// For automated apply (e.g., for dev/staging)
// sh 'terraform apply tfplan'
// For main/prod pipeline, consider manual approval step before apply
input message: 'Approve Terraform Apply to Production?', ok: 'Proceed with Apply'
// Check if Jenkins is using correct SA
sh 'gcloud auth list'
sh 'gcloud config list'
sh 'terraform apply tfplan'
}
}
}
post {
failure {
script {
echo "Terraform Pipeline Failed!"
// Add notifications (e.g., email, Slack) here if needed
}
}
success {
script {
echo "Terraform Pipeline Succeeded!"
// Add notifications here if needed
}
}
}
}
- I have stuck here for a while, not sure why the service account is not working in my case, anything I missed? Thx.
Solution
The issue solved after adding following in the environment, the credential can be used in all stages automatically
GOOGLE_APPLICATION_CREDENTIALS = credentials('gcp-sa-dev')
pipeline {
agent any
tools {
terraform 'Terraform-v1.11.3'
}
environment {
GCP_PROJECT_ID = 'open-data-v2-cicd'
TF_STATE_BUCKET = 'terraform-state-bucket-project-data-sharing'
GCP_REGION = 'asia-east1'
SERVICE_ACCOUNT_EMAIL = 'jenkins-tf-dev@open-data-v2-cicd.iam.gserviceaccount.com'
GOOGLE_APPLICATION_CREDENTIALS = credentials('gcp-sa-dev') //<-------
}
...
- How to fix CloudRun error 'The request was aborted because there was no available instance'
- Google Cloud Datastore Authentication on Windows 10
- Google Artifact Registry: Unable to publish package with the same version even after package deletion
- How to fix an apparently expired refresh token?
- Firebase phone auth returns: An internal error has occurred. [ Error code:39 ]
- Google Cloud Platform credentials page not loading
- How can I access users GA4 data using service account without adding service email as a user
- Google VM RAM for Minecraft Server
- Can or How to use Python asyncio on Google Cloud Functions?
- Cannot SSH into the GCP VM instances that used to work
- Integration between Jenkins and GCP service account, 403 forbidden
- How can I see request count (not rate) for a Google Cloud Run application?
- When the Cloudsql restarted, all the Cloudrun service stops working
- pgAudit not logging anything in GCP Cloud SQL
- Vertex AI feature store vs BigQuery
- Deployment to App Engine fails only when triggered from GitHub Actions
- Authenticate to Google Language API using API Key for REST based web app
- External test access to an unpublished Editor Addon in Google Workspace Marketplace
- Is it possible to pull regional secrets from GCP into Cloud Build config file?
- set log severity on google cloud without using google-cloud-logging library
- Deploy new container revision to Cloud Run without changing Terraform
- Google Service account authentication for API call using python
- Make requests to Google API with Python
- How do I run a single, one time run file in cloudrun, I do not care about web at all
- GCP Committed Usage Discount(CUD) Utilization REST API
- How to efficiently query BigQuery external table (Bigtable) using keys from a smaller table
- Grant access on BigQuery based on table prefix
- Artifact Registry Cleanup Policies not being enforced
- Default GCP IAM roles from Firebase
- How to Generate a Signed URL for storage bucket in Terraform without providing credentials