I'm attempting to get a Node project setup on Google Cloud Run with Cloud Storage. I am running into an authentication issue when using a created Service Account.
When creating the service account I did successfully download the JSON token and got everything running correctly in my local development environment.
The issue is when I have the application deployed successfully to Cloud Run I get the following error:
Error: The caller does not have permission
This occurs when I am attempting to get a signed URL for uploading files to a Storage Bucket.
I create the Storage client like this:
const { Storage } = require("@google-cloud/storage");
const storage = new Storage();
...and further down in my script the call is like this:
const [url] = await storage
.bucket(bucketName)
.file(filename)
.getSignedUrl(options);
I have setup the the following permissions for the IAM Service Account:
Just to confirm, the application runs 100% correctly locally using the Service Account JSON Key, it's just not working when running in the Google Cloud.
I managed to resolve the issue. It looks like when deployed into Cloud Run it also requires the extra permission "Service Account Token Creator" to run getSignedUrl. Locally for some reason this role is not required.
I'm not sure if this mismatch needs further investigation?
From https://cloud.google.com/iam/docs/service-accounts#token-creator-role:
The Service Account Token Creator role
This role enables impersonation of service accounts to create OAuth2 access tokens, sign blobs, or sign JWTs.
We use signBlob to create signatures for signed URLs, so this role would be required.
Your local credentials (service account or application default credentials) might include wide roles that covers this permission so that could explain the difference.
Which user did you add these permissions to?
Closing due to inactivity. Please re-open if this is still an issue
Which user did you add these permissions to?
In my case
[project_number]@cloudbuild.gserviceaccount.com
[project_number]@cloudservices.gserviceaccount.com
Which user did you add these permissions to?
In general it needs to be added to the Service Account the Cloud Run Service/Revision is running under.
By default it is the Default compute service account
Most helpful comment
I managed to resolve the issue. It looks like when deployed into Cloud Run it also requires the extra permission "Service Account Token Creator" to run
getSignedUrl. Locally for some reason this role is not required.I'm not sure if this mismatch needs further investigation?