Comments
cz...@google.com <cz...@google.com> #2
gr...@google.com <gr...@google.com>
[Deleted User] <[Deleted User]> #3
ar...@gmail.com <ar...@gmail.com> #4
[Deleted User] <[Deleted User]> #5
do...@avrotros.nl <do...@avrotros.nl> #6
an...@gmail.com <an...@gmail.com> #7
ya...@gmail.com <ya...@gmail.com> #8
[Deleted User] <[Deleted User]> #9
[Deleted User] <[Deleted User]> #10
el...@atlasmarket.io <el...@atlasmarket.io> #11
ru...@gmail.com <ru...@gmail.com> #12
st...@fromatob.com <st...@fromatob.com> #13
[Deleted User] <[Deleted User]> #14
[Deleted User] <[Deleted User]> #15
Starring the issue actually increases its visibility and priority permanently (as opposed to just pinging everyone who is following it with an empty comment)
do...@avrotros.nl <do...@avrotros.nl> #16
The problem isn't in the permissions, the problem is in the managed bucket for the cloud build logs. Only project Owner, Editor and Viewer can see the content, but it can't be changed in policy. So this is something that needs to be fixed by Google.
[Deleted User] <[Deleted User]> #17
br...@analytehealth.com <br...@analytehealth.com> #18
[Deleted User] <[Deleted User]> #19
ke...@telus.com <ke...@telus.com> #20
[Deleted User] <[Deleted User]> #21
[Deleted User] <[Deleted User]> #22
[Deleted User] <[Deleted User]> #23
mp...@etsy.com <mp...@etsy.com> #24
ma...@gmail.com <ma...@gmail.com> #25
[Deleted User] <[Deleted User]> #26
bl...@agencyanalytics.com <bl...@agencyanalytics.com> #27
pr...@hawkfish.us <pr...@hawkfish.us> #28
You know you can configure the log bucket it uses and work around this right? The main gap I have is that the terraform provider doesn't allow you to configure this param on the triggers, but according to the API it is possible. Cloud Build doesn't seem like it's getting enough attention so I switched to a better service. Just FYI in case you are struggling.
[Deleted User] <[Deleted User]> #29
gcloud builds submit --tag
Make sure to create the "logs" folder (or any other folder name, it won't work in the root bucket).
ma...@gmail.com <ma...@gmail.com> #30
sc...@gmail.com <sc...@gmail.com> #31
[Deleted User] <[Deleted User]> #32
ha...@gmail.com <ha...@gmail.com> #33
da...@globekeeper.com <da...@globekeeper.com> #34
ja...@jet2.com <ja...@jet2.com> #35
[Deleted User] <[Deleted User]> #36
re...@gmail.com <re...@gmail.com> #37
na...@valorise.ai <na...@valorise.ai> #38
+1
mi...@google.com <mi...@google.com> #39
+1
ja...@howwe.io <ja...@howwe.io> #40
Same here. Would be very common for us to have devs only be able to view Cloud Build builds and their logs, nothing else. The "workaround" we have to use now is that every time any of them need to view the build log they have to ping a dev that has the Project Viewer role (now called Basic Viewer I believe).
We really try hard to give a minimal set of permissions to each individual.
pr...@hawkfish.us <pr...@hawkfish.us> #41
There's a workaround now I think. Create a separate logs bucket and peel the cloud build logs from whatever pipelines you want the devs to see. Then grant the devs group Logs Viewer but have an IAM condition that ensures they only get the grant for the bucket you made for them. Obviously not the best user experience but it's better than the alternatives.
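A check for the two states this thread describes, added here as an example and not taken from any comment or from Google's tooling: it reads an IAM policy and lists people who still hold a basic role such as Project Viewer, and logging grants that lack the bucket-scoped condition suggested in #41. The policy, project, bucket and member names are constructed, and the condition format (a `resource.name` match on a log view path) is an assumption about how the scoped grant is written.

```python
"""Least-privilege check for the build-log workarounds discussed in this thread."""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
LOG_ROLES = {"roles/logging.viewer", "roles/logging.viewAccessor"}

# Constructed sample, shaped like `gcloud projects get-iam-policy --format=json`.
# Project, bucket, group and user names are hypothetical.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": ["group:devs@example.com",
                     "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewAccessor",
         "members": ["group:devs@example.com"],
         "condition": {
             "title": "build-logs-only",
             "expression": 'resource.name == "projects/example-project/'
                           'locations/global/buckets/build-logs/views/_AllLogs"'}},
        {"role": "roles/logging.viewer", "members": ["user:alice@example.com"]},
    ]
}


def audit(policy, log_bucket):
    """Return (basic_role_grants, unscoped_log_grants) for human principals."""
    basic, unscoped = [], []
    scope = f"/buckets/{log_bucket}/"  # must appear in the condition expression
    for binding in policy.get("bindings", []):
        role = binding["role"]
        expr = binding.get("condition", {}).get("expression", "")
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                continue  # only people and groups are in scope here
            if role in BASIC_ROLES:
                basic.append((member, role))
            elif role in LOG_ROLES and scope not in expr:
                unscoped.append((member, role))
    return sorted(basic), sorted(unscoped)


if __name__ == "__main__":
    basic, unscoped = audit(SAMPLE_POLICY, "build-logs")
    for member, role in basic:
        print(f"BASIC ROLE   {member} holds {role}")
    for member, role in unscoped:
        print(f"UNSCOPED LOG {member} holds {role} without a bucket condition")
```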
rm...@google.com <rm...@google.com> #42
We've found a workaround, which is to create a new custom role, and add:
- cloudbuild.builds.get
- cloudbuild.builds.list
- cloudconfig.configs.get
- remotebuildexecution.blobs.get
- resourcemanager.projects.get
ja...@howwe.io <ja...@howwe.io> #43
The difference between the standard role Cloud Build Viewer and the custom role would be that the custom role would include the permission resourcemanager.projects.list that Cloud Build Viewer does not contain, and Cloud Build Viewer has the extra permission cloudconfig.configs.get.
[Deleted User] <[Deleted User]> #44
dz...@google.com <dz...@google.com> #45
What's the official recommendation for how to deal with this?
jo...@tab32.com <jo...@tab32.com> #46
Assuming +1 is the preferred voting mechanism
xi...@google.com <xi...@google.com>
bm...@incyan.com <bm...@incyan.com> #47
ni...@4sh.fr <ni...@4sh.fr> #48
ma...@timeisltd.com <ma...@timeisltd.com> #49
[Deleted User] <[Deleted User]> #50
av...@questrade.com <av...@questrade.com> #51
er...@retailnext.net <er...@retailnext.net> #52
It would be just fine if the Logs Viewer role was enough to make the log-related functions of the Cloud Build UI work as expected.
As an end user, I don't actually care about the Logs Viewer role somehow granting access to the cloud storage bucket because I don't care whether the logs go into cloud storage or something else. It would be fine if they go into only Google Cloud Logging, or into something else entirely, as long as I'm able to access them via some reasonable way. (Granting a project-level Cloud Storage role is not reasonable.)
What I actually need/want is that as someone with Logs Viewer but without any Cloud Storage roles, all of the following work:
- See streaming logs in the CLI from a gcloud builds submit...
- See streaming logs in the Cloud Build UI
- See task-specific logs in the Cloud Build UI
- Download the logs for a build from the Cloud Build UI
hi...@textea.co <hi...@textea.co> #53
an...@current.com <an...@current.com> #54
ba...@google.com <ba...@google.com>
ku...@google.com <ku...@google.com>
ba...@google.com <ba...@google.com>
ma...@gmail.com <ma...@gmail.com> #55
It's been years since I've had this problem (because I stopped using the product), but out of pure masochism, I still get these emails, just to wonder if this will ever be fixed, and ponder how Google manages to be so unable to fix the seemingly basic issue.
ba...@google.com <ba...@google.com>
gh...@google.com <gh...@google.com> #56
Hi,
We received an update from the team:
It is allowed to store Build Logs in Cloud Logging, where they would be visible to users with Logs Viewer permissions, according to
Any further updates on this will be communicated here.
Thank you for your trust and continued support to improve Google Cloud Platform.
Description
- Logs are only visible for the member with role: project/Viewer
- For any other configuration it is failing to show logs with UI information: Logs unavailable
- In the documentation of gsutil builds submit [1], '--gcs-log-dir=GCS_LOG_DIR': "A directory in Google Cloud Storage to hold build logs. If this field is not set, gs://[PROJECT_NUMBER].
Request:
- Make it possible to view the Cloud Build log file stored in the bucket with a more gradual role, for example: Logs Viewer
Justification:
- Customers need to give various users Project Viewer access simply for them to be able to conveniently view the complete log files of the builds they triggered.
Attachments:
[1]: