cloud build example workflow throwing VPC-SC security issue for logging bucket

[c2karansingh]

TL;DR

Trying to run the example workflow and getting the following error:

ERROR: (gcloud.builds.submit) 
The build is running, and logs are being written to the default logs bucket.
Unfortunately, the default logs bucket is always outside any VPC-SC security
perimeter, so this tool cannot stream the logs for you.

If you want your logs saved inside your VPC-SC perimeter, use your own bucket.
See https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs.

Expected behavior

I expected it to submit to the container registry but it stops at this error, please let me know if its a config error from my end.
Observed behavior

Reproduction

Action YAML

    - name: Set up Cloud SDK
      uses: google-github-actions/setup-gcloud@master
      with:
        project_id: $PROJECT_ID
        service_account_key: ${{ secrets.GCP_SA_KEY }}
        export_default_credentials: true

    # Build and push image to Google Container Registry
    - name: Build
      run: |-
        gcloud builds submit \
          --quiet \
          --tag "gcr.io/$PROJECT_ID/$SERVICE_NAME:$GITHUB_SHA"```

[bharathkkb]

Hi @c2karansingh
It looks like you may have to pass in a custom gcs bucket which is under the service perimeter via the --gcs-log-dir flag. You can also debug this locally with gcloud as this should not be actions specific.

[zeshuaro]

I ran into the same issue but then I realised that I didn't give the service account Viewer permission. I was able to fix the issue by giving the correct permissions, hope this helps.

[Toshinaki]

@zeshuaro
I ran into this too.
What exactly permission did you add?

Searching for "viewer" gives a lot of permissions.
Is that the one with description "Viewer of Bare Metal Solution resources"?

This permission seems redundant for viewing logs only.
Is Logs Viewer or Private Logs Viewer a better choice?

[zeshuaro]

@Toshinaki Yeah I agree that the Viewer permission is giving way too many permissions than necessary. Unfortunately that's the only way I could get this action working.

I even tried following the GCP Recommender and created a custom role with the minimum set of permissions that were analysed and used by this action. But it still didn't work. So I assume there's a magic permission in Viewer that's required by this action and is somehow not captured by the Recommender.

[buahaha]

I have the following hang up... First it throw an error with descriptive message about logs and some transfer of them back to GitHub Action but I can't redo that, and the log is gone

Run gcloud builds submit \
  gcloud builds submit \
    --quiet \
    --tag "some.pkg.dev/$PROJECT_ID/test/$GITHUB_REPOSITORY:$GITHUB_SHA"
  shell: /usr/bin/bash -e ***0***
  env:
    PROJECT_ID: ***
    SERVICE_NAME: helloworld-phoenix-journey
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/hi_nutek/hi_nutek/50cdc510484c4cfeeaa37a3d
    GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/hi_nutek/hi_nutek/50cdc510484c4cfeeaa37a3d
    GOOGLE_GHA_CREDS_PATH: /home/runner/work/hi_nutek/hi_nutek/50cdc510484c4cfeeaa37a3d
    CLOUDSDK_PROJECT: ***
    CLOUDSDK_CORE_PROJECT: ***
    GCP_PROJECT: ***
    GCLOUD_PROJECT: ***
    GOOGLE_CLOUD_PROJECT: ***
    CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
Creating temporary tarball archive of 6 file(s) totalling 5.2 KiB before compression.
Some files were not included in the source upload.

Check the gcloud log [/home/runner/.config/gcloud/logs/2022.01.19/15.15.02.804735.log] to see which files and the contents of the
default gcloudignore file used (see `$ gcloud topic gcloudignore` to learn
more).

Uploading tarball of [.] to [gs://***_cloudbuild/source/1642605302.910522-a51fdfe8ffc34f159c5b4ca8746084ad.tgz]
Created [https://cloudbuild.googleapis.com/v1/projects/***/locations/global/builds/4cdb1839-7965-4c60-bba2-6bad2a008bab].
Logs are available at [https://console.cloud.google.com/cloud-build/builds/4cdb1839-7965-4c60-bba2-6bad2a008bab?project=600939738345].

It does not go further than here. Please do something, or tell me how to get back from GCP to GitHub so the action completes successful

After about an hour, I have got an error like this:

The build is running, and logs are being written to the default logs bucket.
This tool can only stream logs if you are Viewer/Owner of the project and, if applicable, allowed by your VPC-SC security policy.

The default logs bucket is always outside any VPC-SC security perimeter.
If you want your logs saved inside your VPC-SC perimeter, use your own bucket.
See https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs.

I'm running this action in organisation and supposedly do not want to make this service account viewer of the project. Is there a workaround?

The build is running, and logs are being written to the default logs bucket.
This tool can only stream logs if you are Viewer/Owner of the project and, if applicable, allowed by your VPC-SC security policy.

Solution

Then I checked another issue and there is a solution to this one:

comment & comment-2

# command-line
gsutil mb gs://[BUCKET-NAME]/
gsutil iam ch user:[user@email.com]:objectView gs://[BUCKET-NAME]

# or in Console
- create storage bucket on Cloud Storage
- add Storage Object Viewer permission to the user/service account

# then

# cloudbuild.yaml
steps:
- name: gcr.io/cloud-builders/gcloud
  args: 
logsBucket: 'gs://[BUCKET-NAME]'

# or if using Dockerfiles
--gcs-log-dir=gs://[BUCKET-NAME]/[FOLDER-NAME]

[c2karansingh]

@buahaha that makes sense but this shouldn't be required for deployment right?

[siddhant-deepsource]

The steps mentioned at https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs helped me to assign the right permissions to the service account and get it working. Thanks!

[farhansalam]

if you don't want to use a custom bucket, this will also eliminate above error

steps:
  - name: 'gcr.io/cloud-builders/docker'
    args:
      [
        'push',
        'us-central1-docker.pkg.dev/$_PROJECT_ID/$_ARTIFACT_REPO/$_ENV_IMG_NAME:$_ENV',
      ]
options:
  logging: CLOUD_LOGGING_ONLY

[omar115]

I am getting the same error messages. Actually I triggered the build from manager project and build will be executed in another project called dev. In dev project the build is already successful but in manager project it gave some INFO level logs and build failed.

Here are the logs from Log explorer:

Step #0 - "Kicking off Build/Release": ERROR: (gcloud.builds.submit) 
Step #0 - "Kicking off Build/Release": The build is running, and logs are being written to the default logs bucket.
Step #0 - "Kicking off Build/Release": This tool can only stream logs if you are Viewer/Owner of the project and, if applicable, allowed by your VPC-SC security policy.
Step #0 - "Kicking off Build/Release": 
Step #0 - "Kicking off Build/Release": The default logs bucket is always outside any VPC-SC security perimeter.
Step #0 - "Kicking off Build/Release": If you want your logs saved inside your VPC-SC perimeter, use your own bucket.
Step #0 - "Kicking off Build/Release": See https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs.
Step #0 - "Kicking off Build/Release": 
Step #0 - "Kicking off Build/Release": 
Step #0 - "Kicking off Build/Release": Some builds failed:
Step #0 - "Kicking off Build/Release": flow/ failed
Step #0 - "Kicking off Build/Release": Exiting.

I have provided Viewer, Logs Writer role to my service account.
how to solve this ?

[davcrash]

@farhansalam I don't want to use a custom bucket but I'm using Dockerfiles, how can i solve this in my situation?

[sethvargo]

Hi folks - for general Google Cloud questions, please open a support ticket here.