{"html_url": "https://github.com/simonw/datasette/issues/1415#issuecomment-1793787454", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1415", "id": 1793787454, "node_id": "IC_kwDOBm6k_c5q6wY-", "user": {"value": 45269373, "label": "jimmybutton"}, "created_at": "2023-11-05T16:44:49Z", "updated_at": "2023-11-05T16:46:59Z", "author_association": "NONE", "body": "Thanks for documenting this @bendnorman! Got stuck at exactly the same point `gcloud builds submit ... returned non-zero exit status 1`, without a clue why this was happening. I now managed to get the GitHub Action to deploy datasette by assigning the following roles to the service account: `roles/run.admin`, `roles/storage.admin`, `roles/cloudbuild.builds.builder`, `roles/viewer`, `roles/iam.serviceAccountUser`.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 959137143, "label": "feature request: document minimum permissions for service account for cloudrun"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1415#issuecomment-1255603780", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1415", "id": 1255603780, "node_id": "IC_kwDOBm6k_c5K1v5E", "user": {"value": 17532695, "label": "bendnorman"}, "created_at": "2022-09-22T22:06:10Z", "updated_at": "2022-09-22T22:06:10Z", "author_association": "NONE", "body": "This would be great! I just went through the process of figuring out the minimum permissions for a service account to run `datasette publish cloudrun` for [PUDL](https://github.com/catalyst-cooperative/pudl)'s [datasette deployment](https://data.catalyst.coop/). These are the roles I gave the service account (disclaimer: I'm not sure these are the minimum permissions):\r\n\r\n- Cloud Build Service Account: The SA needs this role to publish the build on Cloud Build.\r\n- Cloud Run Admin for the Cloud Run datasette service so the SA can deploy the build.\r\n- I gave the SA the Storage Admin role on the bucket Cloud Build creates to store the build tar files.\r\n- The Viewer Role is [required for storing build logs in the default bucket](https://cloud.google.com/build/docs/running-builds/submit-build-via-cli-api#permissions). More on this below!\r\n\r\nThe Viewer Role is a Basic IAM role that [Google does not recommend using](https://cloud.google.com/build/docs/running-builds/submit-build-via-cli-api#permissions):\r\n\r\n> Caution: Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited [predefined roles](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles) or [custom roles](https://cloud.google.com/iam/docs/understanding-custom-roles) that meet your needs.\r\n\r\nIf you don't grant the Viewer role, the `gcloud builds submit` command will successfully create a build but returns exit code 1, preventing the script from getting to the Cloud Run step:\r\n\r\n```\r\nERROR: (gcloud.builds.submit)\r\nThe build is running, and logs are being written to the default logs bucket.\r\nThis tool can only stream logs if you are Viewer/Owner of the project and, if applicable, allowed by your VPC-SC security policy.\r\n\r\nThe default logs bucket is always outside any VPC-SC security perimeter.\r\nIf you want your logs saved inside your VPC-SC perimeter, use your own bucket.\r\nSee https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs.\r\n```\r\nlong stack trace...\r\n```\r\nCalledProcessError: Command 'gcloud builds submit --tag gcr.io/catalyst-cooperative-pudl/datasette' returned non-zero exit status 1.\r\n```\r\n\r\nYou can store Cloud Build logs in a [user-created bucket](https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs#store-custom-bucket) which only requires the Storage Admin role. However, you have to pass a config file to `gcloud builds submit`, which isn't possible with the current options for `datasette publish cloudrun`.\r\n\r\nI propose we add an additional CLI option to `datasette publish cloudrun` called `--build-config` that allows users to pass a [config file](https://cloud.google.com/build/docs/running-builds/submit-build-via-cli-api#running_builds) specifying a user-created Cloud Build log bucket.", "reactions": "{\"total_count\": 1, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 1, \"eyes\": 0}", "issue": {"value": 959137143, "label": "feature request: document minimum permissions for service account for cloudrun"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1415#issuecomment-902251316", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1415", "id": 902251316, "node_id": "IC_kwDOBm6k_c41x0M0", "user": {"value": 9599, "label": "simonw"}, "created_at": "2021-08-19T21:14:15Z", "updated_at": "2021-08-19T21:14:15Z", "author_association": "OWNER", "body": "https://github.com/ahmetb/cloud-run-faq#how-do-i-continuously-deploy-to-cloud-run suggests the following:\r\n\r\n> - `roles/run.admin` to deploy applications\r\n> - `roles/iam.serviceAccountUser` on the service account that your app will use\r\n\r\nIt also links to https://cloud.google.com/run/docs/reference/iam/roles", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 959137143, "label": "feature request: document minimum permissions for service account for cloudrun"}, "performed_via_github_app": null}
{"html_url": "https://github.com/simonw/datasette/issues/1415#issuecomment-902250361", "issue_url": "https://api.github.com/repos/simonw/datasette/issues/1415", "id": 902250361, "node_id": "IC_kwDOBm6k_c41xz95", "user": {"value": 9599, "label": "simonw"}, "created_at": "2021-08-19T21:12:28Z", "updated_at": "2021-08-19T21:12:28Z", "author_association": "OWNER", "body": "I would love to know this too! I always find figuring out minimal permissions to be really difficult.", "reactions": "{\"total_count\": 0, \"+1\": 0, \"-1\": 0, \"laugh\": 0, \"hooray\": 0, \"confused\": 0, \"heart\": 0, \"rocket\": 0, \"eyes\": 0}", "issue": {"value": 959137143, "label": "feature request: document minimum permissions for service account for cloudrun"}, "performed_via_github_app": null}
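The thread above converges on a role list for the deploy service account but leaves two loose ends: `roles/viewer` is only needed so `gcloud builds submit` can stream logs from the default logs bucket, and the predefined roles it lists are granted project-wide. The script below is an added example, not code from the issue thread or from the datasette project. It grants the predefined roles the thread arrived at, scoped down where the thread's own sources say that is possible (Storage Admin on the source-staging and logs buckets only, `roles/iam.serviceAccountUser` on the runtime identity only, per the ahmetb FAQ simonw quotes, and no `roles/viewer`), and writes the `cloudbuild.yaml` with a `logsBucket` that bendnorman's proposed `--build-config` option would pass through. The project id, service account names, bucket names, image and region are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not datasette's code): least-privilege deploy service account
# for `datasette publish cloudrun`, plus a Cloud Build config whose logsBucket
# is a user-created bucket, so the account never needs the basic roles/viewer.
# PROJECT, SA_NAME, RUNTIME_SA, LOGS_BUCKET, IMAGE and the region are assumed.
set -eu

PROJECT="${PROJECT:-example-project}"                      # assumed project id
SA_NAME="${SA_NAME:-datasette-deploy}"                     # assumed deploy SA name
SA_EMAIL="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
# Assumed identity the Cloud Run service itself runs as (the "service account
# that your app will use" in the FAQ quoted in the thread).
RUNTIME_SA="${RUNTIME_SA:-datasette-runtime@${PROJECT}.iam.gserviceaccount.com}"
STAGING_BUCKET="${STAGING_BUCKET:-${PROJECT}_cloudbuild}"  # where gcloud builds submit stages the source tarball
LOGS_BUCKET="${LOGS_BUCKET:-${PROJECT}-build-logs}"        # assumed user-created logs bucket
IMAGE="${IMAGE:-gcr.io/${PROJECT}/datasette}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands instead of executing them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Project-level predefined roles the thread reports as needed for the deploy,
# deliberately without roles/viewer.
project_roles() {
  printf '%s\n' roles/run.admin roles/cloudbuild.builds.builder
}

grant_deploy_roles() {
  local role bucket
  for role in $(project_roles); do
    run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member="serviceAccount:${SA_EMAIL}" --role="$role"
  done
  # Storage Admin only on the two buckets the build touches, not project-wide.
  for bucket in "$STAGING_BUCKET" "$LOGS_BUCKET"; do
    run gcloud storage buckets add-iam-policy-binding "gs://${bucket}" \
      --member="serviceAccount:${SA_EMAIL}" --role=roles/storage.admin
  done
  # serviceAccountUser only on the runtime identity, so the deploy account can
  # attach that identity to the service but not impersonate any other SA.
  run gcloud iam service-accounts add-iam-policy-binding "$RUNTIME_SA" \
    --member="serviceAccount:${SA_EMAIL}" --role=roles/iam.serviceAccountUser
}

# Write a cloudbuild.yaml that builds and pushes the image and sends the build
# logs to the user-created bucket instead of the default logs bucket.
write_build_config() {
  local out="$1"
  cat > "$out" <<EOF
steps:
- name: gcr.io/cloud-builders/docker
  args: ['build', '-t', '${IMAGE}', '.']
images: ['${IMAGE}']
logsBucket: gs://${LOGS_BUCKET}
EOF
}

# Submit the build with --config (what a --build-config option would pass
# through) and deploy the resulting image as the runtime identity.
deploy() {
  local cfg="${1:-cloudbuild.yaml}"
  write_build_config "$cfg"
  run gcloud builds submit --project "$PROJECT" --config "$cfg" .
  run gcloud run deploy datasette --project "$PROJECT" --image "$IMAGE" \
    --service-account "$RUNTIME_SA" --platform managed --region us-central1
}

grant_deploy_roles
deploy "${OUT_CONFIG:-cloudbuild.yaml}"
```

With `DRY_RUN=1` (the default) the script only prints the `gcloud` commands and writes `cloudbuild.yaml`; set `DRY_RUN=0` to execute them from a `Dockerfile` directory. Two caveats: the Cloud Build service account that executes the build also needs write access to the logs bucket, and bendnorman's list was explicitly not confirmed to be minimal, so whether Storage Admin on just these two buckets is enough for a given project has to be verified by running the deploy rather than assumed.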