
Conversation

@suztomo
Member

@suztomo suztomo commented Mar 12, 2024

b/322966824 and go/cloud-java-sample-build-2024.

@suztomo suztomo requested review from a team as code owners March 12, 2024 02:20
@product-auto-label product-auto-label bot added size: s Pull request size is small. api: storage Issues related to the googleapis/java-storage API. samples Issues that are directly related to samples. labels Mar 12, 2024
@suztomo
Member Author

suztomo commented Mar 12, 2024

Cannot update access control for an object when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access

@BenWhitehead
Collaborator

My guess as to why that error is happening: the project configuration is probably preventing buckets from being created using ACLs, instead forcing Uniform Bucket Level Access.

@suztomo
Member Author

suztomo commented Mar 12, 2024

Thank you. Yes, it seems I need to turn uniform-bucket-level-access off.

Memo and b/329290837
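
As an added example (not code from this PR or from the java-storage samples), the following shows the check the failing ACL test implicitly needs: read the bucket's IAM configuration first and only fall back to ACLs when uniform bucket-level access is off. Under UBLA the only way to give a principal read access is an IAM binding, and that binding is bucket-wide (IAM has no per-object grants), so the scope of the grant widens; the code says so in a comment. The bucket, object and principal names in main are placeholders, not values from this PR.

```java
import com.google.cloud.Binding;
import com.google.cloud.Policy;
import com.google.cloud.storage.Acl;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.BucketInfo;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.util.ArrayList;
import java.util.List;

/**
 * Gives one principal read access to an object, using whichever mechanism the
 * bucket supports. With uniform bucket-level access (UBLA) enabled every ACL
 * call fails ("Cannot update access control for an object when uniform
 * bucket-level access is enabled"), so IAM is the only option there.
 */
public class GrantObjectRead {

  /** Returns "iam" or "acl" so the caller knows which path was taken. */
  public static String grantRead(
      Storage storage, String bucketName, String objectName, String iamMember) {
    // Only prefixed members are accepted here; "allUsers"/"allAuthenticatedUsers"
    // are deliberately rejected so a test helper can never make data public.
    if (!iamMember.startsWith("user:") && !iamMember.startsWith("serviceAccount:")) {
      throw new IllegalArgumentException("expected user:<email> or serviceAccount:<email>");
    }
    Bucket bucket = storage.get(bucketName);
    if (bucket == null) {
      throw new IllegalArgumentException("bucket not found: " + bucketName);
    }
    BucketInfo.IamConfiguration cfg = bucket.getIamConfiguration();
    boolean ubla = cfg != null && Boolean.TRUE.equals(cfg.isUniformBucketLevelAccessEnabled());

    if (ubla) {
      // IAM grants apply to the whole bucket, not to a single object: this is a
      // wider grant than the ACL below, which is the trade-off UBLA makes.
      // Read-modify-write keeps the policy etag, so a concurrent change makes
      // setIamPolicy fail with 412 instead of being silently overwritten.
      Policy current =
          storage.getIamPolicy(bucketName, Storage.BucketSourceOption.requestedPolicyVersion(3));
      List<Binding> bindings = new ArrayList<>(current.getBindingsList());
      bindings.add(
          Binding.newBuilder().setRole("roles/storage.objectViewer").addMembers(iamMember).build());
      Policy updated = current.toBuilder().setBindings(bindings).setVersion(3).build();
      storage.setIamPolicy(bucketName, updated);
      return "iam";
    }

    // Legacy path: a per-object ACL entry. The ACL API wants only the e-mail
    // and treats a service account like a user entity.
    String email = iamMember.substring(iamMember.indexOf(':') + 1);
    storage.createAcl(
        BlobId.of(bucketName, objectName), Acl.of(new Acl.User(email), Acl.Role.READER));
    return "acl";
  }

  public static void main(String[] args) {
    // Placeholder names (assumptions, not values from the PR).
    Storage storage = StorageOptions.getDefaultInstance().getService();
    String path =
        grantRead(
            storage,
            "my-test-bucket",
            "hello.txt",
            "serviceAccount:reader@my-project.iam.gserviceaccount.com");
    System.out.println("granted via " + path);
  }
}
```

The check costs one extra GET per call; a test suite that creates its own buckets can instead record the IAM configuration it asked for at creation time and skip the lookup.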

@suztomo
Member Author

suztomo commented Mar 13, 2024

I just submitted cl/615416026.

@suztomo
Member Author

suztomo commented Mar 13, 2024

Current failure:

[ERROR] com.example.storage.bucket.DeleteBucketPubSubNotificationTest  Time elapsed: 6.469 s  <<< ERROR!
com.google.api.gax.rpc.FailedPreconditionException: io.grpc.StatusRuntimeException: FAILED_PRECONDITION: One or more users named in the policy do not belong to a permitted customer.
	at com.google.api.gax.rpc.ApiExceptionFactory.createException(ApiExceptionFactory.java:102)
	at com.google.api.gax.grpc.GrpcApiExceptionFactory.create(GrpcApiExceptionFactory.java:98)
...
	at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:133)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:750)
	Suppressed: com.google.api.gax.rpc.AsyncTaskException: Asynchronous task failed
		at com.google.api.gax.rpc.ApiExceptions.callAndTranslateApiException(ApiExceptions.java:57)
		at com.google.api.gax.rpc.UnaryCallable.call(UnaryCallable.java:112)
		at com.google.cloud.pubsub.v1.TopicAdminClient.setIamPolicy(TopicAdminClient.java:1695)
		at com.example.storage.bucket.DeleteBucketPubSubNotificationTest.configureTopicAdminClient(DeleteBucketPubSubNotificationTest.java:72)

Following the same change as googleapis/java-pubsub#1943, as the value itself is not important for the meaning of the sample to customers.

@suztomo
Member Author

suztomo commented Mar 13, 2024

[ERROR] com.example.storage.object.PrintFileAclForUserTest.testPrintBucketAclByUser  Time elapsed: 2.073 s  <<< ERROR!
com.google.cloud.storage.StorageException: The owner of the resource is required to have OWNER access.
	at com.google.cloud.storage.StorageException.translate(StorageException.java:170)
	at com.google.cloud.storage.spi.v1.HttpStorageRpc.translate(HttpStorageRpc.java:329)
	at com.google.cloud.storage.spi.v1.HttpStorageRpc.createAcl(HttpStorageRpc.java:1435)
	at com.google.cloud.storage.StorageImpl.lambda$createAcl$36(StorageImpl.java:1342)
	at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:103)
	at com.google.cloud.RetryHelper.run(RetryHelper.java:76)
	at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50)
	at com.google.cloud.storage.Retrying.run(Retrying.java:65)
	at com.google.cloud.storage.StorageImpl.run(StorageImpl.java:1533)
	at com.google.cloud.storage.StorageImpl.createAcl(StorageImpl.java:1342)
	at com.google.cloud.storage.Blob.createAcl(Blob.java:1147)
	at com.example.storage.object.PrintFileAclForUserTest.testPrintBucketAclByUser(PrintFileAclForUserTest.java:39)
Cloud Pub/Sub topic '//pubsub.googleapis.com/projects/cloud-java-ci-sample/topics/new-topic-delete-ee4cde7d' not found, or user 'service-615621127317@gs-project-accounts.iam.gserviceaccount.com' does not have permission to it.
"The service account 'service-615621127317@gs-project-accounts.iam.gserviceaccount.com' does not have permission to publish messages to to the Cloud Pub/Sub topic '//pubsub.googleapis.com/projects/cloud-java-ci-sample/topics/new-topic-delete-2cd6284f', or that topic does not exist.",

Maybe "domain:google.com" is not sufficient?

@product-auto-label product-auto-label bot added size: m Pull request size is medium. and removed size: s Pull request size is small. labels Mar 13, 2024
@suztomo
Member Author

suztomo commented Mar 13, 2024

The pubsub problem is resolved; [INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 13.887 s - in com.example.storage.bucket.DeleteBucketPubSubNotificationTest

@suztomo
Member Author

suztomo commented Mar 13, 2024

Current error (link):

[ERROR] com.example.storage.object.PrintFileAclForUserTest.testPrintBucketAclByUser  Time elapsed: 2.073 s  <<< ERROR!
com.google.cloud.storage.StorageException: The owner of the resource is required to have OWNER access.
	at com.google.cloud.storage.StorageException.translate(StorageException.java:170)
	at com.google.cloud.storage.spi.v1.HttpStorageRpc.translate(HttpStorageRpc.java:329)
	at com.google.cloud.storage.spi.v1.HttpStorageRpc.createAcl(HttpStorageRpc.java:1435)
	at com.google.cloud.storage.StorageImpl.lambda$createAcl$36(StorageImpl.java:1342)
	at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:103)
	at com.google.cloud.RetryHelper.run(RetryHelper.java:76)
	at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50)
	at com.google.cloud.storage.Retrying.run(Retrying.java:65)
	at com.google.cloud.storage.StorageImpl.run(StorageImpl.java:1533)
	at com.google.cloud.storage.StorageImpl.createAcl(StorageImpl.java:1342)
	at com.google.cloud.storage.Blob.createAcl(Blob.java:1147)
	at com.example.storage.object.PrintFileAclForUserTest.testPrintBucketAclByUser(PrintFileAclForUserTest.java:39)

The test:

  public static final String IT_SERVICE_ACCOUNT_EMAIL = System.getenv("IT_SERVICE_ACCOUNT_EMAIL");

  @Test
  public void testPrintBucketAclByUser() {
    // Check for user email before the actual test.
    assertNotNull("Unable to determine user email", IT_SERVICE_ACCOUNT_EMAIL);

    Entity testUser = new User(IT_SERVICE_ACCOUNT_EMAIL);
    blob.createAcl(Acl.of(testUser, Role.READER));

IT_SERVICE_ACCOUNT_EMAIL is set in the .cloudbuild/samples_build.yaml file in this pull request.

@suztomo
Member Author

suztomo commented Mar 13, 2024

Creating the system account for PrintFileAclForUserTest resolved the problem. Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 4.128 s - in com.example.storage.object.PrintFileAclForUserTest

Current error: "message" : "build-runner@cloud-java-ci-sample.iam.gserviceaccount.com does not have serviceusage.services.use access to the Google Cloud project. Permission 'serviceusage.services.use' denied on resource (or it may not exist).",

=> cl/615532890

@suztomo
Member Author

suztomo commented Mar 13, 2024

Error:

Step #3: [ERROR] com.example.storage.ITHmacSnippets.testActivateHmacKey  Time elapsed: 36.388 s  <<< ERROR!
Step #3: com.google.cloud.storage.StorageException: Service Account 'cloud-java-ci-sample@cloud-java-ci-sample.iam.gserviceaccount.com' not found.
Step #3: 	at com.google.cloud.storage.StorageException.translate(StorageException.java:170)
Step #3: 	at com.google.cloud.storage.spi.v1.HttpStorageRpc.translate(HttpStorageRpc.java:329)
Step #3: 	at com.google.cloud.storage.spi.v1.HttpStorageRpc.listHmacKeys(HttpStorageRpc.java:1530)
Step #3: 	at com.google.cloud.storage.StorageImpl.lambda$listHmacKeys$44(StorageImpl.java:1452)
Step #3: 	at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:103)
Step #3: 	at com.google.cloud.RetryHelper.run(RetryHelper.java:76)
Step #3: 	at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50)
Step #3: 	at com.google.cloud.storage.Retrying.run(Retrying.java:65)
Step #3: 	at com.google.cloud.storage.StorageImpl.listHmacKeys(StorageImpl.java:1449)
Step #3: 	at com.google.cloud.storage.StorageImpl.listHmacKeys(StorageImpl.java:1388)
Step #3: 	at com.example.storage.ITHmacSnippets.cleanUpHmacKeys(ITHmacSnippets.java:56)
Step #3: 	at com.example.storage.ITHmacSnippets.before(ITHmacSnippets.java:49)
Step #3: 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Another service account is needed:

  private static final String HMAC_KEY_TEST_SERVICE_ACCOUNT =
      PROJECT_ID + "@" + PROJECT_ID + ".iam.gserviceaccount.com";

  @Before
  public void before() {
    cleanUpHmacKeys(ServiceAccount.of(HMAC_KEY_TEST_SERVICE_ACCOUNT));
  }

@suztomo
Member Author

suztomo commented Mar 14, 2024

The service account with the project ID in its name has been created.

@suztomo
Member Author

suztomo commented Mar 14, 2024

Step #3: [ERROR] com.example.storage.ITHmacSnippets.testActivateHmacKey  Time elapsed: 45.276 s  <<< ERROR!
Step #3: com.google.cloud.storage.StorageException: build-runner@cloud-java-ci-sample.iam.gserviceaccount.com does not have storage.hmacKeys.list access to the Google Cloud project.
Step #3: 	at com.google.cloud.storage.StorageException.translate(StorageException.java:170)
Step #3: 	at com.google.cloud.storage.spi.v1.HttpStorageRpc.translate(HttpStorageRpc.java:329)
Step #3: 	at com.google.cloud.storage.spi.v1.HttpStorageRpc.listHmacKeys(HttpStorageRpc.java:1530)
Step #3: 	at com.google.cloud.storage.StorageImpl.lambda$listHmacKeys$44(StorageImpl.java:1452)
Step #3: 	at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:103)
Step #3: 	at com.google.cloud.RetryHelper.run(RetryHelper.java:76)
Step #3: 	at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50)
Step #3: 	at com.google.cloud.storage.Retrying.run(Retrying.java:65)
Step #3: 	at com.google.cloud.storage.StorageImpl.listHmacKeys(StorageImpl.java:1449)
Step #3: 	at com.google.cloud.storage.StorageImpl.listHmacKeys(StorageImpl.java:1388)
Step #3: 	at com.example.storage.ITHmacSnippets.cleanUpHmacKeys(ITHmacSnippets.java:56)
Step #3: 	at com.example.storage.ITHmacSnippets.before(ITHmacSnippets.java:49)
Step #3: 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
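
Added example, not the PR's ITHmacSnippets code: a cleanup routine for the HMAC keys of one service account, which is what the failing before() hook is trying to do. It needs storage.hmacKeys.list, storage.hmacKeys.update and storage.hmacKeys.delete on the project, which roles/storage.hmacKeyAdmin bundles; the error above is the list step being denied for build-runner@. An HMAC key can only be deleted once it is INACTIVE, so the routine deactivates active keys first. The rotate helper shows the other property worth knowing: the secret is returned exactly once, at creation. The service-account e-mail in main is a placeholder.

```java
import com.google.api.gax.paging.Page;
import com.google.cloud.storage.HmacKey;
import com.google.cloud.storage.HmacKey.HmacKeyMetadata;
import com.google.cloud.storage.HmacKey.HmacKeyState;
import com.google.cloud.storage.ServiceAccount;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;

/**
 * HMAC keys are long-lived bearer credentials for the XML (S3-compatible) API,
 * so keys left behind by test runs should not survive. This is the pre-test
 * cleanup a suite like ITHmacSnippets needs, plus a rotation helper.
 */
public class HmacKeyPurge {

  /** Deactivates and deletes every key of the service account; returns how many were deleted. */
  public static int purge(Storage storage, String serviceAccountEmail) {
    ServiceAccount sa = ServiceAccount.of(serviceAccountEmail);
    // storage.hmacKeys.list is checked here; the listing is scoped to one service account.
    Page<HmacKeyMetadata> keys =
        storage.listHmacKeys(
            Storage.ListHmacKeysOption.serviceAccount(sa),
            Storage.ListHmacKeysOption.showDeletedKeys(false));
    int deleted = 0;
    for (HmacKeyMetadata key : keys.iterateAll()) {
      HmacKeyMetadata current = key;
      if (current.getState() == HmacKeyState.ACTIVE) {
        // The API refuses to delete an ACTIVE key; deactivate first (storage.hmacKeys.update).
        current = storage.updateHmacKeyState(current, HmacKeyState.INACTIVE);
      }
      if (current.getState() == HmacKeyState.INACTIVE) {
        storage.deleteHmacKey(current); // storage.hmacKeys.delete
        deleted++;
      }
    }
    return deleted;
  }

  /**
   * Creates a fresh key and returns its secret. The secret is only available in
   * this response; later listHmacKeys calls return metadata (access ID, state)
   * but never the secret again, so the caller must store it immediately.
   */
  public static String rotate(Storage storage, String serviceAccountEmail) {
    HmacKey created = storage.createHmacKey(ServiceAccount.of(serviceAccountEmail));
    HmacKeyMetadata meta = created.getMetadata();
    System.out.println("new access id " + meta.getAccessId() + " state " + meta.getState());
    return created.getSecretKey();
  }

  public static void main(String[] args) {
    Storage storage = StorageOptions.getDefaultInstance().getService();
    // Placeholder service account (assumption); the PR derives it from the project ID.
    String sa = "my-project@my-project.iam.gserviceaccount.com";
    System.out.println("deleted " + purge(storage, sa) + " HMAC key(s) for " + sa);
  }
}
```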

@suztomo
Member Author

suztomo commented Mar 14, 2024

Step #3: [ERROR] com.example.storage.ITObjectSnippets.testUploadKMSEncryptedObject  Time elapsed: 14.788 s  <<< ERROR!
Step #3: com.google.cloud.storage.StorageException: 
Step #3: 403 Forbidden
Step #3: POST https://storage.googleapis.com/upload/storage/v1/b/gcloud-test-bucket-temp-0b115757-30bc-4009-bec0-164886032183/o?ifGenerationMatch=0&kmsKeyName=projects/java-docs-samples-testing/locations/us/keyRings/jds_test_kms_key_ring/cryptoKeys/gcs_kms_key_one&projection=full&uploadType=multipart
Step #3: {
Step #3:   "error": {
Step #3:     "code": 403,
Step #3:     "message": "Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key.",
Step #3:     "errors": [
Step #3:       {
Step #3:         "message": "Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key.",
Step #3:         "domain": "global",
Step #3:         "reason": "forbidden"
Step #3:       }
Step #3:     ]
Step #3:   }
Step #3: }
Step #3: 
Step #3: 	at com.google.cloud.storage.StorageException.translate(StorageException.java:170)
Step #3: 	at com.google.cloud.storage.spi.v1.HttpStorageRpc.translate(HttpStorageRpc.java:329)
Step #3: 	at com.google.cloud.storage.spi.v1.HttpStorageRpc.create(HttpStorageRpc.java:409)
Step #3: 	at com.google.cloud.storage.StorageImpl.lambda$internalCreate$2(StorageImpl.java:218)
Step #3: 	at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:103)
Step #3: 	at com.google.cloud.RetryHelper.run(RetryHelper.java:76)
Step #3: 	at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50)
Step #3: 	at com.google.cloud.storage.Retrying.run(Retrying.java:65)
Step #3: 	at com.google.cloud.storage.StorageImpl.run(StorageImpl.java:1533)
Step #3: 	at com.google.cloud.storage.StorageImpl.internalCreate(StorageImpl.java:215)
Step #3: 	at com.google.cloud.storage.StorageImpl.create(StorageImpl.java:161)
Step #3: 	at com.example.storage.object.UploadKmsEncryptedObject.uploadKmsEncryptedObject(UploadKmsEncryptedObject.java:66)
Step #3: 	at com.example.storage.ITObjectSnippets.testUploadKMSEncryptedObject(ITObjectSnippets.java:422)

The key name is hardcoded:

"projects/java-docs-samples-testing/locations/us/keyRings/"

@suztomo
Member Author

suztomo commented Mar 15, 2024

b/329758593

Binding.newBuilder().setRole("roles/owner").addMembers("allAuthenticatedUsers").build();
Binding.newBuilder()
.setRole("roles/owner")
.addMembers(
Member Author

This breaks existing Kokoro build.

Member Author

The status is restored. "Kokoro - Test: Samples — Build successful"

@generated-files-bot

generated-files-bot bot commented Mar 15, 2024

Warning: This pull request is touching the following templated files:

  • .kokoro/nightly/samples.cfg
  • .kokoro/presubmit/samples.cfg

@suztomo
Member Author

suztomo commented Mar 25, 2024

[ERROR] GitHub returned that this pull request (PR) is not mergeable.

Merging from the main.

@suztomo
Member Author

suztomo commented Mar 25, 2024

Still failing at KMS test https://pantheon.corp.google.com/cloud-build/builds/43db3499-58f9-4055-be7c-bb78f9eef7ed;step=3?e=13802955&mods=logs_tg_staging&project=cloud-java-ci-sample

[ERROR] com.example.storage.ITObjectSnippets.testUploadKMSEncryptedObject  Time elapsed: 14.799 s  <<< ERROR!
com.google.cloud.storage.StorageException: 
403 Forbidden
POST https://storage.googleapis.com/upload/storage/v1/b/gcloud-test-bucket-temp-2345e950-ccd0-4cab-8e60-a07874384bd5/o?ifGenerationMatch=0&kmsKeyName=projects/cloud-java-ci-sample/locations/us/keyRings/gcs_test_kms_key_ring/cryptoKeys/gcs_kms_key_one&projection=full&uploadType=multipart
{
  "error": {
    "code": 403,
    "message": "Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key.",
    "errors": [

@suztomo
Member Author

suztomo commented Mar 26, 2024

https://pantheon.corp.google.com/cloud-build/builds/9465da8a-b576-4523-9d01-a4a0053de05c?project=cloud-java-ci-sample&e=13802955&mods=logs_tg_staging

Step #3: [ERROR] com.example.storage.ITObjectSnippets.testUploadKMSEncryptedObject  Time elapsed: 14.531 s  <<< ERROR!
Step #3: com.google.cloud.storage.StorageException: 
Step #3: 403 Forbidden
Step #3: POST https://storage.googleapis.com/upload/storage/v1/b/gcloud-test-bucket-temp-efe96838-9109-4d21-a164-dd983ffbda1c/o?ifGenerationMatch=0&kmsKeyName=projects/cloud-java-ci-sample/locations/us/keyRings/gcs_test_kms_key_ring/cryptoKeys/gcs_kms_key_one&projection=full&uploadType=multipart
Step #3: {
Step #3:   "error": {
Step #3:     "code": 403,
Step #3:     "message": "Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key.",
Step #3:     "errors": [
Step #3:       {
Step #3:         "message": "Permission denied on Cloud KMS key. Please ensure that your Cloud Storage service account has been authorized to use this key.",
Step #3:         "domain": "global",
Step #3:         "reason": "forbidden"
Step #3:       }

@suztomo
Member Author

suztomo commented Mar 27, 2024

Even after granting the KMS admin role to service-615621127317@gs-project-accounts.iam.gserviceaccount.com (Google Storage Service Agent), it failed with the same error.
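
Added example (not code from this PR): the check the KMS failures above call for. Cloud Storage writes a CMEK-encrypted object using its own service agent, service-PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com, so that principal, not the caller, must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key. roles/cloudkms.admin is documented as full Cloud KMS access except encrypt and decrypt, so it does not satisfy this requirement. The key may live in a different project from the bucket, as in the first run (java-docs-samples-testing), in which case the binding goes on that project's key. The code looks up the service agent from the bucket's project, grants the role only when it is missing, and keeps the policy etag for the write. The project and key names in main are placeholders.

```java
import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import com.google.iam.v1.Binding;
import com.google.iam.v1.Policy;
import java.io.IOException;

/**
 * Makes sure the Cloud Storage service agent of a project may use a Cloud KMS
 * key, which an upload with kmsKeyName=... needs ("Permission denied on Cloud
 * KMS key. Please ensure that your Cloud Storage service account has been
 * authorized to use this key").
 */
public class EnsureGcsKmsGrant {

  static final String ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter";

  /** Returns true if a binding was added, false if the grant was already present. */
  public static boolean ensureGrant(
      Storage storage, KeyManagementServiceClient kms, String bucketProjectId, CryptoKeyName key) {
    // The service agent is per project; its e-mail comes from the Storage API,
    // not from IAM, and is the principal KMS sees on the encrypt/decrypt call.
    String agent = "serviceAccount:" + storage.getServiceAccount(bucketProjectId).getEmail();

    Policy policy = kms.getIamPolicy(key);
    for (Binding b : policy.getBindingsList()) {
      if (ROLE.equals(b.getRole()) && b.getMembersList().contains(agent)) {
        return false;
      }
    }
    // toBuilder() keeps the etag, so a concurrent policy change makes setIamPolicy
    // fail rather than clobbering someone else's binding.
    Policy updated =
        policy.toBuilder()
            .addBindings(Binding.newBuilder().setRole(ROLE).addMembers(agent).build())
            .build();
    kms.setIamPolicy(key, updated);
    return true;
  }

  public static void main(String[] args) throws IOException {
    // Placeholders (assumptions): the bucket's project and the key it will use.
    String bucketProject = "my-bucket-project";
    CryptoKeyName key = CryptoKeyName.of("my-key-project", "us", "my-key-ring", "my-key");
    Storage storage =
        StorageOptions.newBuilder().setProjectId(bucketProject).build().getService();
    try (KeyManagementServiceClient kms = KeyManagementServiceClient.create()) {
      boolean added = ensureGrant(storage, kms, bucketProject, key);
      System.out.println(added ? "granted " + ROLE : "grant already present");
    }
  }
}
```

The caller of this routine needs cloudkms.cryptoKeys.getIamPolicy and cloudkms.cryptoKeys.setIamPolicy on the key (part of roles/cloudkms.admin), which is a separate concern from the encrypt/decrypt permission the service agent ends up with.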

@sydney-munro
Contributor

[ERROR] com.example.storage.ITBucketSnippets.testMakeBucketPublic  Time elapsed: 3.633 s  <<< ERROR!
com.google.cloud.storage.StorageException: One or more users named in the policy do not belong to a permitted customer.
	at com.google.cloud.storage.StorageException.translate(StorageException.java:170)
	at com.google.cloud.storage.spi.v1.HttpStorageRpc.translate(HttpStorageRpc.java:329)
	at com.google.cloud.storage.spi.v1.HttpStorageRpc.setIamPolicy(HttpStorageRpc.java:1678)
	at com.google.cloud.storage.StorageImpl.lambda$setIamPolicy$50(StorageImpl.java:1505)
	at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:103)
	at com.google.cloud.RetryHelper.run(RetryHelper.java:76)
	at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50)
	at com.google.cloud.storage.Retrying.run(Retrying.java:65)
	at com.google.cloud.storage.StorageImpl.run(StorageImpl.java:1551)
	at com.google.cloud.storage.StorageImpl.setIamPolicy(StorageImpl.java:1503)
	at com.example.storage.bucket.MakeBucketPublic.makeBucketPublic(MakeBucketPublic.java:36)
	at com.example.storage.ITBucketSnippets.testMakeBucketPublic(ITBucketSnippets.java:450)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
	at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:299)
	at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:293)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.lang.Thread.run(Thread.java:750)
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 412 Precondition Failed
PUT https://storage.googleapis.com/storage/v1/b/gcloud-test-bucket-temp-04dd0c01-9d56-4e00-94cd-c0d8c7be3e17/iam
{
  "code" : 412,
  "errors" : [ {
    "domain" : "global",
    "location" : "If-Match",
    "locationType" : "header",
    "message" : "One or more users named in the policy do not belong to a permitted customer.",
    "reason" : "conditionNotMet"
  } ],
  "message" : "One or more users named in the policy do not belong to a permitted customer."
}
	at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:146)
	at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:118)
	at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:37)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest$3.interceptResponse(AbstractGoogleClientRequest.java:466)
	at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1111)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:552)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:493)
	at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:603)
	at com.google.cloud.storage.spi.v1.HttpStorageRpc.setIamPolicy(HttpStorageRpc.java:1675)
	... 22 more

New error

@suztomo
Member Author

suztomo commented Mar 27, 2024

@sydney-munro I think it's from https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains. In previous cases, we stopped using "allAuthenticatedUsers" or "allUsers".

Would you examine whether the sample needs the principal (from the customers' viewpoint)?
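
Added example, not code from the PR: a preflight to run on a bucket Policy before setIamPolicy, for the public principals that the organization policy constraint iam.allowedPolicyMemberDomains rejects and that earlier samples in this thread dropped. The real constraint is evaluated server-side by customer ID, not by e-mail domain; this check approximates it with an allow list of domains for user:, group: and domain: members and leaves serviceAccount: members to the server, since their customer is the owning project's organization. It runs offline because Policy and Binding are plain value objects; the policy in main is constructed to mirror the sample's roles/owner binding to allAuthenticatedUsers, and the domains are placeholders.

```java
import com.google.cloud.Binding;
import com.google.cloud.Policy;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Pre-checks an IAM policy against what domain restricted sharing would reject. */
public class PolicyPreflight {

  static final Set<String> PUBLIC_PRINCIPALS =
      Collections.unmodifiableSet(
          new HashSet<>(Arrays.asList("allUsers", "allAuthenticatedUsers")));

  /** Returns "role -> member" strings for every binding member that would fail. */
  public static List<String> findDisallowed(Policy policy, Set<String> allowedDomains) {
    List<String> rejected = new ArrayList<>();
    for (Binding b : policy.getBindingsList()) {
      for (String member : b.getMembers()) {
        if (isDisallowed(member, allowedDomains)) {
          rejected.add(b.getRole() + " -> " + member);
        }
      }
    }
    return rejected;
  }

  static boolean isDisallowed(String member, Set<String> allowedDomains) {
    if (PUBLIC_PRINCIPALS.contains(member)) {
      return true; // never permitted under the constraint, whatever the allow list says
    }
    int colon = member.indexOf(':');
    if (colon < 0) {
      return true; // malformed member; fail closed
    }
    String type = member.substring(0, colon);
    String value = member.substring(colon + 1);
    switch (type) {
      case "domain":
        return !allowedDomains.contains(value);
      case "user":
      case "group":
        int at = value.lastIndexOf('@');
        return at < 0 || !allowedDomains.contains(value.substring(at + 1));
      case "serviceAccount":
        return false; // decided by the owning project's organization; left to the server
      default:
        return true; // unknown member type; fail closed
    }
  }

  public static void main(String[] args) {
    // Constructed input: the sample's public binding plus one scoped grant (placeholder names).
    Policy policy =
        Policy.newBuilder()
            .setVersion(3)
            .setBindings(
                Arrays.asList(
                    Binding.newBuilder()
                        .setRole("roles/owner")
                        .addMembers("allAuthenticatedUsers")
                        .build(),
                    Binding.newBuilder()
                        .setRole("roles/storage.objectViewer")
                        .addMembers("user:alice@example.com")
                        .addMembers("serviceAccount:ci@my-project.iam.gserviceaccount.com")
                        .build()))
            .build();
    Set<String> allowed = new HashSet<>(Arrays.asList("example.com"));
    List<String> rejected = findDisallowed(policy, allowed);
    if (!rejected.isEmpty()) {
      System.out.println("setIamPolicy would be rejected for: " + rejected);
    }
  }
}
```

Running the preflight in a sample's test harness turns the 412 "One or more users named in the policy do not belong to a permitted customer" into a local assertion that names the offending binding, which is easier to act on than the server error.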

@sydney-munro sydney-munro merged commit 7c86ad0 into main Mar 27, 2024
@sydney-munro sydney-munro deleted the samples_build branch March 27, 2024 20:36

Labels

api: storage Issues related to the googleapis/java-storage API. samples Issues that are directly related to samples. size: m Pull request size is medium.


4 participants