Can't get my cloud run function w/EventArc trigger to deploy

I want to use a Cloud Run Function with an event trigger on a GCS bucket – when new items come into the bucket, I need to process them.

In order to get perms set up, I’m trying to just deploy the sample Cloud Run Function provided by GCP docs – the one that you get if you use the console to set this up. We’ve iteratively applied perms but now are blocked with an error that doesn’t tell us what perms are missing. So we don’t know how to proceed.

We are using our default compute service account. xxxxxx-compute@developer.gserviceaccount.com
We’ve applied all the perms that have been asked for so far, most recently the Cloud Build perms.

When I try to create this in the console, there aren’t any errors anymore up until when it suggests testing the function. This opens the shell and I get this error:

Error: Command failed: cd /gcf-working-dir/function-sources && pack build gcf-ui-function --builder gcr.io/gae-runtimes/buildpacks/google-gae-22/python/builder --pull-policy if-not-present --env GOOGLE_FUNCTION_TARGET=hello_gcs --env GOOGLE_FUNCTION_SIGNATURE_TYPE=cloudevent --env GOOGLE_DEVMODE=1 --env GOOGLE_RUNTIME_VERSION=3.12
ERROR: failed to build: failed to fetch builder image 'gcr.io/gae-runtimes/buildpacks/google-gae-22/python/builder:latest': image 'gcr.io/gae-runtimes/buildpacks/google-gae-22/python/builder:latest' does not exist on the daemon: not found

If I try to deploy via the cli I get

ERROR: (gcloud.functions.deploy) ResponseError: status=[400], code=[Ok], message=[Validation failed for trigger projects/REDACTED/locations/us-east4/triggers/contact-a-rep-poc-function-058052: The request was invalid: invalid service account REDACTED-compute@developer.gserviceaccount.com provided]

I looked in the Log Explorer and could find no additional log errors that would explain why it thinks our service account is invalid. This is ONLY when I choose Python as the runtime (any version of Python).

In the console, Node.js is the default and if I leave that, it all builds and runs fine in the console, but I still can’t deploy without the “service account invalid” error.

We gave our service account access: roles/artifactregistry.admin. So it should be able to pull an image.

Ideas?

I got the same problem and would appreciate any suggestion too.

We finally got this working on Friday after iterating for 4 hours on perms. We gave up using the default compute service account and created a separate service account for the event trigger.
We added roles for
Cloud Build Service Account
Cloud Run Admin
Cloud Functions Admin
EventArc Event Receiver
Storage Object Admin
Artifact Registry Administrator

and then set that on the flag for --build-service-account and --trigger-service-account on the gcloud functions deploy command line.

So far so good, and it triggers as expected.

please can you help me out with similar problem. “App Engine default service account” with the email xxxxx@appspot.gserviceaccount.com is missing from my “API & Services” and is preventing your Firebase Functions deployments. I’m stuck. Please help me out