You want to make sure that the Google Cloud Build service account that is used by the service itself has the "Cloud Build Service Account" IAM role. No idea why Google made this required role something that the service account can be removed from. But I just ran across this issue when doing work using the Terraform google_project_iam_binding resource.
Quick way to manually add this:
1. Get the project number, for instance via gcloud projects list
2. Go into the GCP console
3. Go into IAM
4. Ensure you are on the project with the issue
5. Select: Grant Access
   Principal: PROJECT#@cloudbuild.gserviceaccount.com
   Role: Cloud Build Service Account
Note, the role that is actually given is "roles/cloudbuild.builds.builder". And the service account isn't something that shows in the Google Cloud console by default.
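A way to check for this condition from a policy dump, as an added example that is not part of the original post: it reads the JSON shape returned by gcloud projects get-iam-policy PROJECT_ID --format=json, reports whether the Cloud Build service account holds roles/cloudbuild.builds.builder, and builds a corrected policy that keeps the existing members. The project number, the deployer account and the sample policy are constructed for illustration, and the function names are hypothetical.

```python
import copy
import json

BUILDER_ROLE = "roles/cloudbuild.builds.builder"

def cloudbuild_member(project_number):
    """IAM member string for PROJECT#@cloudbuild.gserviceaccount.com."""
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"

def has_builder_role(policy, project_number):
    """True if an unconditional binding grants the builder role to the account."""
    member = cloudbuild_member(project_number)
    return any(
        b.get("role") == BUILDER_ROLE
        and "condition" not in b
        and member in b.get("members", [])
        for b in policy.get("bindings", [])
    )

def add_builder_role(policy, project_number):
    """Return a copy of the policy with the account added; other members stay."""
    if has_builder_role(policy, project_number):
        return policy
    fixed = copy.deepcopy(policy)
    member = cloudbuild_member(project_number)
    for b in fixed.setdefault("bindings", []):
        if b.get("role") == BUILDER_ROLE and "condition" not in b:
            b.setdefault("members", []).append(member)
            return fixed
    fixed["bindings"].append({"role": BUILDER_ROLE, "members": [member]})
    return fixed

# Constructed sample: the builder role is bound, but only to another account,
# so the Cloud Build service account itself is missing from it.
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "constructed-etag",
  "version": 1
}
""")

if __name__ == "__main__":
    print("has role:", has_builder_role(SAMPLE_POLICY, SAMPLE_PROJECT_NUMBER))
    fixed = add_builder_role(SAMPLE_POLICY, SAMPLE_PROJECT_NUMBER)
    print(json.dumps(fixed, indent=2))
```
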