The deployment fails with error 403 permissions

Hey,

I’m new to Travis and was recently given a task to push several container services onto cloud-run with Travis, which worked fine for all but one. The deployment fails with error 403 permissions, and I just don’t know what to do.

```
$ gcloud --quiet container clusters get-credentials $CLUSTER_NAME --zone $CLOUDSDK_COMPUTE_ZONE --project $PROJECT_NAME
Fetching cluster endpoint and auth data.
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/kreddy-dev/zones/europe-north1-a/clusters/development".
The command "gcloud --quiet container clusters get-credentials $CLUSTER_NAME --zone $CLOUDSDK_COMPUTE_ZONE --project $PROJECT_NAME" failed and exited with 1 during .

Your build has been stopped.
```

Thank you ahead of time for any help or suggestions.

Hello @ErikSandstrom,

It’s hard to tell what’s happening without me getting a look at your .travis.yml. It’s probably something to do with environment variables you need if I had to guess.

```yaml
group: schibsted
# Use go environment
language: minimal

# Cache Gcloud SDK between commands
cache:
  directories:
    - "$HOME/google-cloud-sdk/"

# Install services
services:
  - docker

# Set env vars
env:
  global:
    - GOOGLE_APPLICATION_CREDENTIALS=~/gcloud-service-key.json

branches:
  only:
    - develop
    - master
    # Ruby regex to match tags. Required, or travis won't trigger deploys when
    # a new tag is pushed. Version tags should be of the form: v0.1.0
    - /^v\d+\.\d+\.\d+.*$/

# Runs the unit tests.
_unit_tests: &unit_tests
  language: go
  go:
    - 1.17.x
  install: skip
  before_install:
    - echo -e "machine github.schibsted.io\n login $CI_USER_TOKEN" > ~/.netrc
  env: GO111MODULE=on
  script: make test

# Publish & Deploy production
_deploy-app: &deploy-app
  stage: Deploy
  before_install:
    - if [ ! -d "$HOME/google-cloud-sdk/bin" ]; then rm -rf $HOME/google-cloud-sdk; export CLOUDSDK_CORE_DISABLE_PROMPTS=1; curl https://sdk.cloud.google.com | bash; fi
    - source /home/travis/google-cloud-sdk/path.bash.inc
    - gcloud --quiet version
    - gcloud --quiet components update
    - gcloud --quiet components update kubectl
    - echo $GCLOUD_SERVICE_KEY | base64 --decode -i > ${HOME}/gcloud-service-key.json
    - gcloud auth activate-service-account --key-file ${HOME}/gcloud-service-key.json
    - gcloud --quiet auth configure-docker
  install:
    - gcloud --quiet container clusters get-credentials $CLUSTER_NAME --region $CLOUDSDK_COMPUTE_REGION --project $PROJECT_NAME
  env:
    - DOCKER_IMAGE_VERSION=$TRAVIS_TAG # Set the docker image version to $TRAVIS_TAG
    - DOCKER_IMAGE_TAG=latest # Set the additional tag for the image
  script: chmod +x ./scripts/deploy.sh && ./scripts/deploy.sh

jobs:
  include:
    # Run unit tests
    - <<: *unit_tests

    # Publish & Deploy to production
    - if: (tag IS present)
      name: "Build & Deploy production"
      <<: *deploy-app

    # Publish & Deploy to stage
    - if: (type = push AND branch IN (master))
      name: "Build & Deploy stage"
      <<: *deploy-app
      # Override the container
      install: gcloud --quiet container clusters get-credentials $CLUSTER_NAME --zone $CLOUDSDK_COMPUTE_ZONE --project $PROJECT_NAME
      # Override environmental variables
      env:
        - PROJECT_NAME=$DEV_PROJECT_NAME # Override project name
        - CLUSTER_NAME=$DEV_CLUSTER_NAME # Override cluster name
        - CLOUDSDK_COMPUTE_ZONE=$DEV_CLOUDSDK_COMPUTE_ZONE # Override compute zone
        - GCLOUD_SERVICE_KEY=$DEV_GCLOUD_SERVICE_KEY # Override service account key
        - DOCKER_IMAGE_VERSION=$TRAVIS_COMMIT # Set the docker image version to TRAVIS_COMMIT
        - DOCKER_IMAGE_TAG=latest # Set the additional tag for the image
        - AUTO_DEPLOY=$STAGE_AUTO_DEPLOY # Set auto deploy to true or false

    # Publish & Deploy development
    - if: (type = push AND branch IN (develop))
      name: "Build & Deploy to development"
      <<: *deploy-app
      # Override the container
      install: gcloud --quiet container clusters get-credentials $CLUSTER_NAME --zone $CLOUDSDK_COMPUTE_ZONE --project $PROJECT_NAME
      # Override environmental variables
      env:
        - PROJECT_NAME=$DEV_PROJECT_NAME # Override project name
        - CLUSTER_NAME=$DEV_CLUSTER_NAME # Override cluster name
        - CLOUDSDK_COMPUTE_ZONE=$DEV_CLOUDSDK_COMPUTE_ZONE # Override compute zone
        - GCLOUD_SERVICE_KEY=$DEV_GCLOUD_SERVICE_KEY # Override service account key
        - DOCKER_IMAGE_VERSION=$TRAVIS_COMMIT # Set the docker image version to TRAVIS_COMMIT
        - DOCKER_IMAGE_TAG=development # Set the additional tag for the image
        - AUTO_DEPLOY=$DEV_AUTO_DEPLOY # Set auto deploy to true or false
```

Above is the requested travis.yaml. Oddly enough, it is nearly identical to the other services that worked. The Go version was go: - 1.18.x instead for the others.

Hi Erik,

Can I get the build link?

Hey Montana,

I’m not really sure what you mean by build link. Do you mean the full build log or a link to the Travis project? Since I’m quite new to Travis, I’m still not sure about proper security protocols over handing out links to projects.

Thank you for your support.

Hi Erik,

Is the repository private?

Hey,

Yes the repo is private.

Hey,

Sorry for the slow update, but the problem has been solved now. The issue was that the GCLOUD_SERVICE_KEY was incorrect, which was difficult to test since all the projects apart from this one used the same correct one.

Thanks for the support
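
The failure mode resolved above (one repository carrying a different `GCLOUD_SERVICE_KEY` than its siblings) can be caught before `gcloud` runs. This is an added example, not part of the thread or of anyone's pipeline: it decodes the key and compares its `client_email` with the identity the job expects, without printing the private key. The function names and the sample key are constructed for illustration; `type` and `client_email` are the fields of a Google service account key file.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for a base64-encoded service account key.

# Read JSON on stdin and print the value of one top-level string field.
# Uses sed so the check has no jq dependency on the build image.
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# check_service_key <base64-key> <expected-service-account-email>
# Returns 0 on match, 2 for bad base64, 3 if the decoded value is not a
# service account key, 4 if it is a key for a different identity.
check_service_key() {
  local key_json type email
  key_json=$(printf '%s' "$1" | base64 -d 2>/dev/null) || {
    echo "GCLOUD_SERVICE_KEY is not valid base64" >&2; return 2; }
  type=$(printf '%s\n' "$key_json" | json_field type)
  email=$(printf '%s\n' "$key_json" | json_field client_email)
  if [ "$type" != "service_account" ] || [ -z "$email" ]; then
    echo "decoded value is not a service account key" >&2; return 3
  fi
  if [ "$email" != "$2" ]; then
    # Only the identity is logged, never the key material.
    echo "key is for '$email', job expects '$2'" >&2; return 4
  fi
  return 0
}

# Constructed sample key (placeholder private key) for running offline.
make_sample_key() {
  printf '{\n  "type": "service_account",\n  "private_key": "CONSTRUCTED-PLACEHOLDER",\n  "client_email": "%s"\n}\n' "$1" \
    | base64 | tr -d '\n'
}

# Demo on constructed input: the second call reproduces the thread's situation.
sample=$(make_sample_key "deployer@example-dev.iam.gserviceaccount.com")
check_service_key "$sample" "deployer@example-dev.iam.gserviceaccount.com" \
  && echo "key matches expected identity"
check_service_key "$sample" "deployer@example-prod.iam.gserviceaccount.com" \
  || echo "mismatch detected before any gcloud call"
```

In a build this would run ahead of `gcloud auth activate-service-account`, with the expected e-mail supplied per job; a mismatch then fails with a message naming the identity rather than a 403 from the cluster API.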