Granting Access to Cloud Build - Custom Roles

Deniss Tsokarev
Cloud Engineer & tech enthusiast who has a keen interest in software development.

In this article, I will describe how to use Custom roles to allow your team to use Cloud Build in your project.

This is a better solution than using Predefined roles because it gives you more control over the permissions you grant to your team members.


Create a Custom Role

Create a Custom role that contains all the required permissions. Later, you can assign it to the group with the relevant team members.

Here are the minimum permissions that your Custom role will need to have:

  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • storage.buckets.get - Grants permission to read bucket metadata
  • storage.buckets.list - Grants permission to list buckets in the project
  • storage.objects.get - Grants permission to view objects
  • storage.objects.create - Grants permission to create objects
  • serviceusage.services.use - Required to use the project for quota and billing purposes

Note that the storage.objects.get permission is needed to access the build logs if you are storing the logs in a non-default bucket (see the "The Access Denied Error" section in my previous article).
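
As an added example (not part of the original article), the shell functions below generate a role definition file from the permission list above and audit an existing role's `gcloud iam roles describe` output against it, reporting missing or extra permissions. The role title, the `<ROLE_ID>` and `<PROJECT_ID>` placeholders and the sample role are assumptions.

```sh
#!/bin/sh
# Added example: the role title, placeholders and sample data are assumptions.

# Minimum permissions listed in the article.
required_permissions() {
  cat <<'EOF'
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.create
serviceusage.services.use
EOF
}

# Role file for: gcloud iam roles create <ROLE_ID> --project=<PROJECT_ID> --file=role.yaml
role_yaml() {
  printf 'title: Cloud Build Submitter\nstage: GA\nincludedPermissions:\n'
  required_permissions | sed 's/^/- /'
}

# Extract includedPermissions from `gcloud iam roles describe` YAML on stdin.
role_permissions() {
  awk '/^includedPermissions:/ {on=1; next} /^[^ -]/ {on=0} on && /^- / {print $2}'
}

# Audit a role (describe YAML on stdin) against the minimum set.
# Prints MISSING/EXTRA lines; exit status is non-zero on any drift.
audit_role() (
  actual=$(role_permissions | sort -u)
  required=$(required_permissions)
  missing=$(printf '%s\n' "$required" | grep -Fxv -e "$actual" || true)
  extra=$(printf '%s\n' "$actual" | grep -Fxv -e "$required" || true)
  if [ -n "$missing" ]; then printf '%s\n' "$missing" | sed 's/^/MISSING /'; fi
  if [ -n "$extra" ]; then printf '%s\n' "$extra" | sed 's/^/EXTRA /'; fi
  [ -z "$missing$extra" ]
)

# Constructed sample: a role where storage.objects.get was swapped for storage.objects.delete.
SAMPLE_DESCRIBE=$(role_yaml | sed 's/^- storage\.objects\.get$/- storage.objects.delete/')

# Live use: gcloud iam roles describe <ROLE_ID> --project=<PROJECT_ID> | audit_role
printf '%s\n' "$SAMPLE_DESCRIBE" | audit_role || echo "role drifted from the minimum set"
```

A role that lacks storage.objects.get, as in the constructed sample, is the case the note above describes: builds submit, but logs in a non-default bucket cannot be read.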


Sample command for submitting a build:

gcloud builds submit \
  --config cloudbuild.yaml \
  --gcs-log-dir=gs://<BUCKET_NAME>/<SUBDIRECTORY>