Configure access for the default Cloud Build service account

Cloud Build uses a default service account to execute builds on your behalf. For example, when the Cloud Build legacy service account is created, it is automatically granted the Cloud Build Service Account role for the project. This role gives the service account permissions to perform several tasks; however, you can grant the service account additional permissions to perform further tasks. This page explains how to grant permissions to, and revoke permissions from, the default Cloud Build service account.

Before you begin

Granting a role to the Cloud Build default service account using the Settings page

You can grant certain commonly used IAM roles to the Cloud Build default service account using the Cloud Build Settings page in the Google Cloud console:

  1. Open the Cloud Build Settings page in the Google Cloud console.

    You'll see the Service account permissions page.

  2. Use the drop-down menu to select the service account you want to update.

  3. Set the status of the role you want to add to Enable.

Granting a role to the Cloud Build default service account using the IAM page

If the role you want to grant is not listed in the Cloud Build Settings page in the Google Cloud console, use the IAM page to grant the role:

  1. Open the IAM page in the Google Cloud console.

  2. Select your Google Cloud project.

  3. Above the permissions table, select the Include Google-provided role grants checkbox.

    You'll see that more rows appear in the permissions table.

  4. In the permissions table, find your Cloud Build default service account.

  5. Click the pencil icon.

  6. Select the role you want to grant to the Cloud Build service account.

  7. Click Save.

Revoking a role from the Cloud Build service account

  1. Open the IAM page in the Google Cloud console.

  2. Select your Google Cloud project.

  3. Above the permissions table, select the Include Google-provided role grants checkbox.

    You'll see that more rows appear in the permissions table.

  4. In the permissions table, find your Cloud Build default service account.

  5. Click the pencil icon.

  6. Locate the role you want to revoke and click the trash can (delete) icon next to the role.

Granting a role to the Cloud Build service agent

In addition to the Cloud Build default service account, Cloud Build has a Cloud Build service agent that allows other Google Cloud services to access your resources. After you enable the Cloud Build API, the service agent is automatically created in the Google Cloud project. The service agent has the following format, where PROJECT_NUMBER is your project number.

     service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com

You can view the service agent for a project by going to the IAM page in the Google Cloud console and selecting the Show google managed service accounts checkbox.

If you've accidentally revoked the Cloud Build service agent's role on your project, you can grant it manually using the following steps:

Console

  1. Open the IAM page in the Google Cloud console.

  2. Click Grant access.

  3. Add the following principal, where PROJECT_NUMBER is your project number:

    service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com
    
  4. Select Service Agents > Cloud Build Service Agent as your role.

  5. Click Save.

gcloud

Grant the roles/cloudbuild.serviceAgent IAM role to the Cloud Build service agent:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com" \
    --role="roles/cloudbuild.serviceAgent"

Replace the placeholder values in the command with the following:

  • PROJECT_ID: The project ID
  • PROJECT_NUMBER: The project number
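Before granting a role to the default service account, or after revoking one, it helps to see exactly which roles both Cloud Build principals currently hold and whether the service agent binding described above is still present. The following Python script is an added example and is not part of the Cloud Build documentation or of any Google tool. It reads the JSON that gcloud projects get-iam-policy PROJECT_ID --format=json prints; the policy embedded below is a constructed sample so the script runs offline. It assumes the legacy default service account has the form PROJECT_NUMBER@cloudbuild.gserviceaccount.com, and the set of roles it treats as overly broad is this example's own choice.

```python
"""Audit a project IAM policy for the two Cloud Build principals.

Added example (not Google's code). Input format: the JSON produced by
    gcloud projects get-iam-policy PROJECT_ID --format=json
Assumption: the legacy default service account is
    PROJECT_NUMBER@cloudbuild.gserviceaccount.com
"""
import json
import sys

SERVICE_AGENT_ROLE = "roles/cloudbuild.serviceAgent"
# Roles broader than a build pipeline normally needs (this example's own list).
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample: the default account holds the builder role plus Editor,
# and the service agent binding has been removed (the "accidentally revoked"
# situation the page describes).
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXexample==",
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["user:alice@example.com",
                     "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ],
}


def cloud_build_principals(project_number):
    """Return (default service account, service agent) in IAM member syntax."""
    return (
        f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com",
        f"serviceAccount:service-{project_number}@gcp-sa-cloudbuild.iam.gserviceaccount.com",
    )


def roles_for_member(policy, member):
    """Collect every role bound to `member`. Conditional bindings (those with a
    "condition" key) are counted too; the condition only narrows when they apply."""
    roles = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def audit(policy, project_number):
    """Report the roles of both principals and any findings worth acting on."""
    default_sa, agent = cloud_build_principals(project_number)
    default_roles = roles_for_member(policy, default_sa)
    agent_roles = roles_for_member(policy, agent)
    findings = []
    if SERVICE_AGENT_ROLE not in agent_roles:
        findings.append(
            f"service agent {agent} is missing {SERVICE_AGENT_ROLE}; restore with: "
            f"gcloud projects add-iam-policy-binding PROJECT_ID "
            f"--member='{agent}' --role='{SERVICE_AGENT_ROLE}'")
    for role in sorted(default_roles & BROAD_ROLES):
        findings.append(
            f"default service account {default_sa} holds broad role {role}; "
            f"consider: gcloud projects remove-iam-policy-binding PROJECT_ID "
            f"--member='{default_sa}' --role='{role}'")
    return {
        "default_roles": sorted(default_roles),
        "agent_roles": sorted(agent_roles),
        "findings": findings,
    }


if __name__ == "__main__":
    # Usage: python audit_cloudbuild_iam.py PROJECT_NUMBER policy.json
    # With no arguments the constructed sample above is audited.
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as fh:
            result = audit(json.load(fh), sys.argv[1])
    else:
        result = audit(SAMPLE_POLICY, SAMPLE_PROJECT_NUMBER)
    print(json.dumps(result, indent=2))
```

Run it against a saved policy file after any grant or revoke; an empty findings list means the service agent still has its role and the default service account holds nothing from the broad-role list.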

What's next