terraform-google-modules/terraform-google-slo

SLO Pipeline ServiceAccount Misses Storage Permissions

svenmueller opened this issue · 4 comments

After upgrading to module version v1.0.0, the CF slo-pipeline crashes with the following stack trace:

Short

google.api_core.exceptions.Forbidden: 403 GET https://storage.googleapis.com/storage/v1/b/slo-pipeline-6d9e0713ba72?projection=noAcl&prettyPrint=false: slo-pipeline@my-project.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket.

Full

slo-pipeline2om9asvy7k0r Traceback (most recent call last):
  File "/env/local/lib/python3.7/site-packages/google/cloud/functions/worker_v2.py", line 449, in run_background_function
    _function_handler.invoke_user_function(event_object)
  File "/env/local/lib/python3.7/site-packages/google/cloud/functions/worker_v2.py", line 268, in invoke_user_function
    return call_user_function(request_or_event)
  File "/env/local/lib/python3.7/site-packages/google/cloud/functions/worker_v2.py", line 265, in call_user_function
    event_context.Context(**request_or_event.context))
  File "/user_code/main.py", line 23, in main
    exporters = download_gcs("gs://slo-pipeline-6d9e0713ba72/config/exporters.json")
  File "/user_code/main.py", line 53, in download_gcs
    bucket = storage_client.get_bucket(bucket)
  File "/env/local/lib/python3.7/site-packages/google/cloud/storage/client.py", line 361, in get_bucket
    if_metageneration_not_match=if_metageneration_not_match,
  File "/env/local/lib/python3.7/site-packages/google/cloud/storage/bucket.py", line 936, in reload
    if_metageneration_not_match=if_metageneration_not_match,
  File "/env/local/lib/python3.7/site-packages/google/cloud/storage/_helpers.py", line 210, in reload
    retry=DEFAULT_RETRY,
  File "/env/local/lib/python3.7/site-packages/google/cloud/storage/_http.py", line 63, in api_request
    return call()
  File "/env/local/lib/python3.7/site-packages/google/api_core/retry.py", line 286, in retry_wrapped_func
    on_error=on_error,
  File "/env/local/lib/python3.7/site-packages/google/api_core/retry.py", line 184, in retry_target
    return target()
  File "/env/local/lib/python3.7/site-packages/google/cloud/_http.py", line 435, in api_request
    raise exceptions.from_http_response(response)
google.api_core.exceptions.Forbidden: 403 GET https://storage.googleapis.com/storage/v1/b/slo-pipeline-6d9e0713ba72?projection=noAcl&prettyPrint=false: slo-pipeline@my-project.iam.gserviceaccount.com does not have storage.buckets.get access to the Google Cloud Storage bucket.

-- Sven

The slo-pipeline bucket is using "Fine-grained" permissions with object-level ACLs enabled (by default only project owners, editors, viewers and the user who created the object have access). Because of this, the service account being used is not able to access the storage objects (like config/exporters.json).

It starts working when adding the roles Storage Legacy Bucket Reader + Storage Object Viewer to the SA used by the slo-pipeline CF.
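The two bucket-scoped grants described in the comment above, written out in Terraform as an added example; this is not code from the terraform-google-slo module, and the project, service account and bucket names are placeholder assumptions. Legacy Bucket Reader supplies storage.buckets.get (what storage_client.get_bucket() needs) and Object Viewer supplies storage.objects.get for reading config/exporters.json. The uniform_bucket_level_access setting goes a step beyond the thread: it switches off object ACLs so that only IAM decides who can read the config.

```hcl
# Added example (not the module's own code). All names are placeholder assumptions.
variable "project_id" {
  default = "my-project" # assumption
}

resource "google_service_account" "slo_pipeline" {
  project      = var.project_id
  account_id   = "slo-pipeline"
  display_name = "SLO pipeline Cloud Function"
}

resource "google_storage_bucket" "slo_pipeline" {
  project  = var.project_id
  name     = "slo-pipeline-config-example" # placeholder; bucket names are global
  location = "US"

  # Optional hardening: disables object-level ACLs so access is decided by
  # IAM bindings alone, instead of the "Fine-grained" ACL mode seen in the issue.
  uniform_bucket_level_access = true
}

# storage.buckets.get, required by storage_client.get_bucket(), is granted by
# Storage Legacy Bucket Reader. Binding it on the bucket keeps the grant scoped
# to this one bucket rather than the whole project.
resource "google_storage_bucket_iam_member" "slo_pipeline_bucket_reader" {
  bucket = google_storage_bucket.slo_pipeline.name
  role   = "roles/storage.legacyBucketReader"
  member = "serviceAccount:${google_service_account.slo_pipeline.email}"
}

# storage.objects.get, required to read config/exporters.json itself, is
# granted by Storage Object Viewer.
resource "google_storage_bucket_iam_member" "slo_pipeline_object_viewer" {
  bucket = google_storage_bucket.slo_pipeline.name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.slo_pipeline.email}"
}
```

Granting both roles on the bucket resource rather than at project level is the least-privilege shape: the function's service account can read this one bucket and nothing else in the project. After `terraform apply`, the 403 on `storage.buckets.get` from the stack trace should disappear without any change to the function code.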

We are already adding those roles here: https://github.com/terraform-google-modules/terraform-google-slo/blob/master/modules/slo/iam.tf#L68

Do you have grant_iam_roles set to true?

Ah sorry, it's the pipeline module that is missing it. Will make a PR!

@svenmueller 1.0.1 was released including this fix