In this article, I will describe how to take advantage of Custom roles to allow your team to use Cloud Build in your project.
This is a better solution than using Predefined roles, as it gives you more control over the permissions you grant to your team members.
Create a Custom role that contains all the required permissions, then assign it to the group that contains the relevant team members.
Here are the minimum permissions that your Custom role will need to have:
storage.buckets.get - Grants permission to read bucket metadata
storage.buckets.list - Grants permission to list buckets in the project
storage.objects.get - Grants permission to view objects
storage.objects.create - Grants permission to create objects
serviceusage.services.use - Required to use the project for quota and billing purposes
Note that the storage.objects.get permission is needed for accessing the build logs if you are storing the logs in a non-default bucket (see the "The Access Denied Error" section in my previous article).
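As an added example (not code from the original article), the script below writes a role definition file containing exactly the permissions listed above, checks it, and then creates the Custom role and binds it to the team's group with gcloud. PROJECT_ID, ROLE_ID, GROUP_EMAIL and the role title are placeholders you replace with your own values.

```shell
#!/bin/sh
# Added example; PROJECT_ID / ROLE_ID / GROUP_EMAIL below are placeholders.

# The minimum permissions from the article, one per line.
REQUIRED_PERMISSIONS="storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.create
serviceusage.services.use"

# Write a role definition in the YAML format accepted by
# `gcloud iam roles create --file`. $1 = output path.
write_role_file() {
  {
    printf 'title: "Cloud Build Submitter"\n'
    printf 'description: "Minimum permissions to submit Cloud Build builds"\n'
    printf 'stage: "GA"\n'
    printf 'includedPermissions:\n'
    printf '%s\n' "$REQUIRED_PERMISSIONS" | while read -r perm; do
      printf '  - %s\n' "$perm"
    done
  } > "$1"
}

# Sanity check before creating the role: number of permissions in the file.
count_role_permissions() {
  grep -c '^  - ' "$1"
}

# Create the Custom role at project level and bind it to the group.
# Needs authenticated gcloud; call it explicitly, e.g.
#   create_and_bind_role my-project cloudBuildSubmitter team@example.com role.yaml
create_and_bind_role() {
  project="$1"; role_id="$2"; group_email="$3"; role_file="$4"
  gcloud iam roles create "$role_id" --project="$project" --file="$role_file"
  gcloud projects add-iam-policy-binding "$project" \
    --member="group:$group_email" \
    --role="projects/$project/roles/$role_id"
}
```

Generate the file with write_role_file role.yaml, review it, and only then run create_and_bind_role; the binding uses the project-level custom role id form projects/PROJECT_ID/roles/ROLE_ID.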
Sample command for submitting a build:
gcloud builds submit \
  --config cloudbuild.yaml \
  --gcs-log-dir=gs://<BUCKET_NAME>/<SUBDIRECTORY>