'How to get Google Cloud Build working inside VPC Perimeter?

I have a question that is confusing me a little. I have a project locked down at the org level through a perimeter fence. This is to whitelist ip ranges to access a cloud storage bucket as the user has no ability to authenticate through service accounts or api's and requires a streaming of data.

This is fine and working however I am confused about how to open up access to serverless enviroments aswell inside gcp. The issue in question is cloud build. Since introduction of the perimeter I can no longer run cloud build due to violation of vpc controls. Wondering can anyone point me in the direction of how to enable this as obviously white listing the entire cloud build ip range is not an option?

google-cloud-platformterraformvpcgoogle-cloud-build


Solution 1:[1]

Hi all so the answer is this.

What you want to do is set up one project that is locked down by vpc and has no api's available for ingestion of the ip white listed storage bucket. Then you create a 2nd project that has a vpc but does not disable cloud storage api's etc. Now from here you can read directly from the ip whitelisted cloud storage bucket in the other project.

Hope this makes sense as I wanted to share back to the awesome guys above who put me on the right track.

Thanks again

Solution 2:[2]

You want to create a Perimeter Bridge between the resources that you want to be able to access each other. You can do this in the console or using gcloud as noted in the docs that I linked.

Solution 3:[3]

The official documentation mention that if you use VPC service controls, some services are not supported, for example, Cloud Build, for this reason the problem started right after you deployed the perimeter.

Solution 4:[4]

Cloud Build is now supported by VPC Service Controls VPC Supported products and limitations

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Seamus O'Connor
Solution 2 Travis Webb
Solution 3 Jan Hernandez
Solution 4 paulina moreno

Related Questions

How to use use Firestore document field's HashMap key value and populate recyclerview?

how to keep GKE cluster nodes in different regions?

Google Cloud TTS API for M1 Mac

Is it possible to render a video from AfterEffects in a Google Collaboratory notebook?

Allow-IAP Firewall Rule created in default VPC in GCP getting reflected in other VPC as well

Attribute Error when importing SpeechClient from google.cloud.speech

GCP Cost billing data

What is the difference between gcloud and gsutil?

Volume not persistent in Google Cloud

Permission Denied when trying to write on a TPU VM foler

Google Cloud Free Tier will start charging for static or ephemeral IP Address?

How to create a empty folder in google storage(bucket) using gsutil command?

How can size of the root disk in Google Compute Engine be increased?

Cannot switch Firestore from Datastore to native mode on GCP

action console simulator is not working and I cannot release my project