Deniss Tsokarev

Granting Access to Cloud Build - Custom Roles


In this article, I will describe how to take advantage of Custom roles to allow your team to use Cloud Build in your project.

This is a better solution than using the Predefined roles as it gives you more control over the permissions you give to your team members.


Create a Custom Role

Create a Custom role that contains all the required permissions. Later, you can assign it to the group with the relevant team members.

Here are the minimum permissions that your Custom role will need to have:

  • cloudbuild.builds.create
  • cloudbuild.builds.get
  • cloudbuild.builds.list
  • cloudbuild.builds.update
  • storage.buckets.get - Grants permission to read bucket metadata
  • storage.buckets.list - Grants permission to list buckets in the project
  • storage.objects.get - Grants permission to view objects
  • storage.objects.create - Grants permission to create objects
  • serviceusage.services.use - Required to use the project for quota and billing purposes

Note that the storage.objects.get permission is needed for accessing the build logs if you are storing the logs in a non-default bucket (see the "The Access Denied Error" section in my previous article).
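
As an added example (not part of the original article), the script below turns the permission list above into a role definition file, creates the role and grants it to a group, and includes a drift check that reports any permission beyond the minimum set. The role ID, project ID, group address and file names are placeholder assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original article.
# ROLE_ID, PROJECT_ID and GROUP_EMAIL are placeholder values (assumptions).
ROLE_ID="${ROLE_ID:-cloudBuildSubmitter}"
PROJECT_ID="${PROJECT_ID:-my-project}"
GROUP_EMAIL="${GROUP_EMAIL:-build-team@example.com}"

# Minimum permissions, exactly as listed in the article.
MIN_PERMISSIONS="cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.create
serviceusage.services.use"

# Print the role definition in the YAML layout read by
# `gcloud iam roles create --file`.
role_yaml() {
  printf 'title: "Cloud Build Submitter"\n'
  printf 'description: "Minimum permissions to submit builds and read logs"\n'
  printf 'stage: "GA"\n'
  printf 'includedPermissions:\n'
  printf '%s\n' "$MIN_PERMISSIONS" | sed 's/^/- /'
}

# Drift check: print every permission in a role YAML file that is not in
# the minimum set. Empty output means the role has not grown.
extra_permissions() {
  sed -n 's/^ *- *//p' "$1" | grep -vxF -e "$MIN_PERMISSIONS" || true
}

# Create the role and grant it to the team's group (needs gcloud and credentials).
apply_role() {
  role_yaml > role.yaml
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file=role.yaml
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="group:$GROUP_EMAIL" \
    --role="projects/$PROJECT_ID/roles/$ROLE_ID"
}

# Audit the deployed role: describe it as YAML and run the drift check.
audit_role() {
  gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID" \
    --format=yaml > deployed.yaml
  extra_permissions deployed.yaml
}

case "${1:-}" in
  apply) apply_role ;;
  audit) audit_role ;;
esac
```

Run the script with `apply` to create and bind the role, and with `audit` later to confirm that no permissions have been added to it.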


Sample command for submitting a build:

gcloud builds submit \
  --config cloudbuild.yaml \
  --gcs-log-dir=gs://<BUCKET_NAME>/<SUBDIRECTORY>