
Cloud Build Trigger Fails with PERMISSION_DENIED: Permission 'cloudbuild.builds.create' denied Despite Correct I


Problem:

I am trying to set up a CI/CD pipeline in Google Cloud Platform using Cloud Build with a GitHub trigger. However, when I attempt to trigger the build using the Cloud Build trigger, I get the following error:

Failed to trigger build: Permission 'cloudbuild.builds.create' denied on resource 'projects/00000045af180780' (or it may not exist)

It seems that the trigger is correctly detected, but it is trying to access the wrong project (00000045af180780), which is a mix of numbers and alphanumeric characters, instead of the intended project (example-project), causing the build to fail.

Despite having the correct IAM permissions for the service account, I am unable to resolve this issue.

Context:

I am using a custom cloudbuild.yaml file to build and deploy my Docker container to Cloud Run.
I am able to successfully deploy manually using the gcloud CLI, which works without any issues.

And here is the detailed cloudbuild.yaml file that I used.

steps:
  # Build the image. Region, project and repository are hardcoded here.
  - name: 'gcr.io/cloud-builders/docker'
    id: Build Docker image
    args:
      - 'build'
      - '-t'
      - 'example-region-docker.pkg.dev/example-project/cloud-run-source-deploy/example-service'
      - '.'

  # Push the same image reference to Artifact Registry.
  - name: 'gcr.io/cloud-builders/docker'
    id: Push Docker image
    args:
      - 'push'
      - 'example-region-docker.pkg.dev/example-project/cloud-run-source-deploy/example-service'

  # Deploy the pushed image to Cloud Run; --allow-unauthenticated makes the
  # service reachable without an identity token.
  - name: 'gcr.io/cloud-builders/gcloud'
    id: Deploy to Cloud Run
    args:
      - 'run'
      - 'deploy'
      - 'example-service'
      - '--image=example-region-docker.pkg.dev/example-project/cloud-run-source-deploy/example-service'
      - '--platform=managed'
      - '--region=example-region'
      - '--allow-unauthenticated'

timeout: '1200s'

IAM Permissions:

The service account I'm using has the following roles:

Cloud Build Editor
Cloud Run Admin
Cloud Run Invoker
Artifact Registry Administrator
Storage Admin
Cloud Build WorkerPool Owner
Other roles related to Cloud Run, Artifact Registry, and Cloud Functions.

Trigger Configuration:

I have set up a GitHub trigger with the following parameters:

branch-pattern: ^main$
build-config: cloudbuild.yaml

The trigger works when pushing to the main branch, but as stated, it attempts to use the wrong project ID (mix of numbers and alphanumeric characters) instead of the correct one (example-project).

Issue:

I am not sure why the error mentions a different project ID instead of the correct project. Even though my gcloud config is set to the correct project, it seems Cloud Build is referencing the wrong project during the trigger execution.

Questions:

How can I resolve the PERMISSION_DENIED issue, where Cloud Build seems to be using the wrong project ID?
What additional IAM roles or permissions do I need to verify for the service account involved in the trigger execution?
How can I ensure that the Cloud Build trigger correctly references the right project ID in the Cloud Build console?

Any help in identifying the root cause of this issue would be greatly appreciated!

  • I confirmed the service account has all required roles, including Cloud Build Editor, Cloud Run Admin, and Cloud Run Invoker.
  • I checked my IAM roles and confirmed they align with the necessary permissions for Cloud Build and Cloud Run.
  • I tried re-creating the Cloud Build trigger and ensured the webhook from GitHub is correctly set up.
  • I've also ensured that gcloud config list shows the correct project.

I encountered a similar issue to this one on StackOverflow, "google cloud run Failed to trigger build: Permission 'cloudbuild.builds.create' denied", but I haven't found a solution that works for me.

Asked Mar 14 at 9:18 by William Lin, edited Mar 17 at 2:38.

2 Answers


Don't yet have enough reps to leave this as a comment.

Can you attach your cloudbuild.yaml and a screenshot (with enough detail) of your error to your question? I'd need some more insight into the components of your current setup to properly assist.

That said, basically the issue looks to be coming from the wrong project ID. I'd probably start by tracking that down.

[EDIT]

Hi Lin, I have tried replicating your setup from the information you have given in a minimalistic way.

I used your verbatim cloudbuild.yaml file with a demo project, and a SA with the permissions you listed.

Manually triggering the build, it started fine without any errors. (This is unrelated, but FYI: I needed to add some log-related edits to my own replication to get the logs out.)

A few things to try:

1. Try creating and running the build with a different SA

2. Try setting the CI up in a different GCP project

3. For variables like your GCP project ID in your cb.yaml file, use [default substitutions](https://cloud.google/build/docs/configuring-builds/substitute-variable-values) instead of hardcoding them
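To make the third suggestion concrete, here is the questioner's cloudbuild.yaml rewritten around Cloud Build's default substitutions. This is an added example, not code from the question or from either answer. It assumes the build runs from a trigger (so $PROJECT_ID and $COMMIT_SHA are populated), that the trigger runs as a user-specified service account named deployer@example-project.iam.gserviceaccount.com (a placeholder), and that _REGION, _REPO and _SERVICE are user-defined substitutions whose defaults you override per trigger rather than hardcode.

```yaml
# User-defined substitutions (must start with an underscore). Override them
# per trigger; the values here are placeholders for this example.
substitutions:
  _REGION: example-region
  _REPO: cloud-run-source-deploy
  _SERVICE: example-service

steps:
  # $PROJECT_ID is the project the build actually runs in, so the image can
  # never be pushed to (or pulled from) a project other than the one whose
  # service account is creating the build. $COMMIT_SHA ties the tag to the
  # exact source revision; it is populated for trigger-driven builds.
  - name: 'gcr.io/cloud-builders/docker'
    id: Build Docker image
    args:
      - 'build'
      - '-t'
      - '${_REGION}-docker.pkg.dev/$PROJECT_ID/${_REPO}/${_SERVICE}:$COMMIT_SHA'
      - '.'

  - name: 'gcr.io/cloud-builders/docker'
    id: Push Docker image
    args:
      - 'push'
      - '${_REGION}-docker.pkg.dev/$PROJECT_ID/${_REPO}/${_SERVICE}:$COMMIT_SHA'

  # Deploy exactly the tag that was just pushed, not a floating "latest".
  # --allow-unauthenticated is kept from the original config; it makes the
  # service reachable by anyone on the internet, so drop it unless intended.
  - name: 'gcr.io/cloud-builders/gcloud'
    id: Deploy to Cloud Run
    args:
      - 'run'
      - 'deploy'
      - '${_SERVICE}'
      - '--image=${_REGION}-docker.pkg.dev/$PROJECT_ID/${_REPO}/${_SERVICE}:$COMMIT_SHA'
      - '--platform=managed'
      - '--region=${_REGION}'
      - '--allow-unauthenticated'

# Listing the image here makes Cloud Build record its digest in the build
# results, so each Cloud Run revision can be traced back to a build and commit.
images:
  - '${_REGION}-docker.pkg.dev/$PROJECT_ID/${_REPO}/${_SERVICE}:$COMMIT_SHA'

# Assumption: the trigger runs as this user-specified service account (placeholder
# name). With a user-specified account, Cloud Build will not start unless logging
# is set explicitly (CLOUD_LOGGING_ONLY) or a logsBucket is given.
serviceAccount: 'projects/example-project/serviceAccounts/deployer@example-project.iam.gserviceaccount.com'
options:
  logging: CLOUD_LOGGING_ONLY

timeout: '1200s'
```

The logging requirement is the likely source of the "log-related edits" the answer mentions. When the same file is run by hand with gcloud builds submit, $COMMIT_SHA is empty and the tag ends in a bare colon; supply a value with --substitutions in that case.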

You want to make sure that the Google Cloud Build service account that is used by the service itself has the "Cloud Build Service Account" IAM role. No idea why Google made this required role something that the service account can be removed from. But I just ran across this issue when doing work using the Terraform google_project_iam_binding resource.

Quick way to manually add this:

  • Get the project number. For instance via gcloud projects list

  • Go into the GCP console

  • Go into IAM

  • Ensure you are on the project with the issue

  • Select: Grant Access

  • Principal: PROJECT#@cloudbuild.gserviceaccount

  • Role: Cloud Build Service Account

Note, the role that is actually given is "roles/cloudbuild.builds.builder". And the service account isn't something that shows in the Google Cloud console by default.
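The two answers approach the same root cause from different sides: a triggered build is created by the trigger's service account (the legacy PROJECT_NUMBER@cloudbuild.gserviceaccount.com account or a user-specified one) in whatever project the trigger lives in, so neither a correct gcloud config list nor a working manual deploy says anything about that path. The script below is an added example, not from the question or either answer. It checks both points offline: it parses the denied-permission message to see which project the request actually hit, then audits a project IAM policy (the JSON shape that gcloud projects get-iam-policy PROJECT_ID --format=json prints) for the principal that creates builds. The policy, project ID, project number, principals and the role-to-permission table are constructed for this example; the authoritative permission list for a role comes from gcloud iam roles describe ROLE.

```python
"""Offline triage for a Cloud Build 'cloudbuild.builds.create' denial.

Added example; not from the question or the answers. Works on the JSON that
`gcloud projects get-iam-policy PROJECT_ID --format=json` prints. The policy,
IDs and principals below are constructed, and ROLE_PERMISSIONS is a
hand-maintained subset (assumption): check `gcloud iam roles describe ROLE`.
"""
import re

# Assumption: subset of predefined roles -> permissions. Basic roles are
# modelled as granting everything ("*").
ROLE_PERMISSIONS = {
    "roles/cloudbuild.builds.builder": {"cloudbuild.builds.create", "cloudbuild.builds.get"},
    "roles/cloudbuild.builds.editor": {"cloudbuild.builds.create", "cloudbuild.builds.get",
                                       "cloudbuild.builds.update"},
    "roles/cloudbuild.builds.viewer": {"cloudbuild.builds.get", "cloudbuild.builds.list"},
    "roles/run.admin": {"run.services.create", "run.services.update"},
    "roles/storage.admin": {"storage.objects.create", "storage.objects.delete"},
    "roles/owner": {"*"},
    "roles/editor": {"*"},
}

DENIED_RE = re.compile(r"Permission '(?P<perm>[\w.]+)' denied on resource '(?P<res>[^']+)'")


def parse_denied(message: str) -> tuple:
    """Return (permission, resource) from a PERMISSION_DENIED message."""
    m = DENIED_RE.search(message)
    if not m:
        raise ValueError(f"not a PERMISSION_DENIED message: {message!r}")
    return m.group("perm"), m.group("res")


def legacy_build_sa(project_number: str) -> str:
    """Legacy Cloud Build service account: keyed by the numeric project number."""
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"


def roles_for(policy: dict, member: str, include_conditional: bool = False) -> set:
    """Roles bound to member. Conditional bindings are skipped by default,
    since a condition (an expiry, a resource filter) may not hold for the
    request that was denied even though the IAM page lists the role."""
    roles = set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        if binding.get("condition") and not include_conditional:
            continue
        roles.add(binding["role"])
    return roles


def has_permission(policy: dict, member: str, permission: str) -> bool:
    for role in roles_for(policy, member):
        perms = ROLE_PERMISSIONS.get(role, set())
        if "*" in perms or permission in perms:
            return True
    return False


def diagnose(message: str, project_id: str, project_number: str,
             policy: dict, member: str) -> list:
    """Findings for a denied build created by `member` in `project_id`."""
    permission, resource = parse_denied(message)
    findings = []
    if resource not in {f"projects/{project_id}", f"projects/{project_number}"}:
        findings.append(
            f"error names {resource}, not projects/{project_id} (number "
            f"{project_number}): the trigger is pointed at another project, so "
            f"roles granted in {project_id} cannot help")
    if not has_permission(policy, member, permission):
        only_conditional = roles_for(policy, member, True) - roles_for(policy, member)
        if only_conditional:
            findings.append(f"{member} holds {sorted(only_conditional)} only under a condition")
        findings.append(
            f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member='{member}' --role='roles/cloudbuild.builds.builder'")
    return findings


# Constructed input: a project, its legacy build account under an expired
# conditional grant, and a deployer SA that mirrors the question's role list.
PROJECT_ID = "example-project"
PROJECT_NUMBER = "123456789012"
DEPLOYER = "serviceAccount:deployer@example-project.iam.gserviceaccount.com"
POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/cloudbuild.builds.editor", "members": [DEPLOYER]},
        {"role": "roles/run.admin", "members": [DEPLOYER]},
        {"role": "roles/storage.admin", "members": [DEPLOYER]},
        {"role": "roles/cloudbuild.builds.builder",
         "members": [legacy_build_sa(PROJECT_NUMBER)],
         "condition": {"title": "expired",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
}
ERROR = ("Failed to trigger build: Permission 'cloudbuild.builds.create' denied on "
         "resource 'projects/00000045af180780' (or it may not exist)")

if __name__ == "__main__":
    for principal in (DEPLOYER, legacy_build_sa(PROJECT_NUMBER)):
        print(principal)
        for finding in diagnose(ERROR, PROJECT_ID, PROJECT_NUMBER, POLICY, principal):
            print("  -", finding)
```

For the deployer account, which holds Cloud Build Editor like the one in the question, the only finding is that the error names projects/00000045af180780, which is neither the project ID nor the project number: the build was aimed at a different project, so no role granted in example-project can satisfy it. For the legacy build account the script additionally reports that its builder role exists only under a condition that no longer holds, and prints the add-iam-policy-binding command from the answer above. Conditional bindings are ignored in the default check on purpose, because the IAM page shows them as present while a denied request may not satisfy them. Separately, the role list in the question (Storage Admin, Artifact Registry Administrator) is much wider than push-and-deploy needs; once the trigger works, trim the deployer to roles/artifactregistry.writer on the repository plus whatever bucket access the build actually uses.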
