gcloud app deploy Required 'compute.regions.get' permission for Owner Principal - google-app-engine

$ gcloud app deploy MY.yaml --image-url gcr.io/vorburger-learn-appengin/image:develop
causes the following error for me:
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: Request to https://compute.googleapis.com/compute/v1/projects/projects/vorburger-learn-appengin/regions/europe-west1?key failed, details: Required 'compute.regions.get' permission for 'projects/vorburger-learn-appengin/regions/europe-west1'
I'm simply running gcloud locally after gcloud init for my @gmail.com account, who has the omnipotent IAM Owner role on that GCP project. So it's not clear to me just which IAM Principal is missing the compute.regions.get permission?
This is on a project where it used to work last year and stopped working 2 months ago. Maybe I deleted something by mistake? Things I've tried out so far:
gcloud services enable appengineflex.googleapis.com mentioned here
Verified #cloudservices.gserviceaccount.com Google APIs Service Agent exists and has the Editor role mentioned here
I do NOT have any 123...-compute@developer.gserviceaccount.com account mentioned here on this project - should I?
Background: https://github.com/vorburger/www.fineract.dev/issues/15

I do NOT have any 123...-compute@developer.gserviceaccount.com account mentioned here on this project - should I?
Yes, you have to undelete the service account. However, the undelete command only works for Service Accounts deleted fewer than 30 days ago.
After 30 days, IAM permanently removes the service account. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.
If you are not able to undelete the service account, you can create a new service account with the same name; revoke all of the roles from the deleted service account; and grant the same roles to the new service account. For details, see Policies with deleted principals.
Additionally, you did not mention the App Engine default service account if it was also accidentally deleted. If yes, you would also need to undelete this.
Warning: Deleting the App Engine default service account breaks any current and future App Engine applications in your Cloud project. For example, your application will lose access to other Google Cloud services such as Datastore. If needed, you can restore a deleted default service account.

Related

gcloud app deploy error The "vpcaccess.connectors.use" permission is required

I have a Go application and tried to deploy it to Google App Engine with the Google command line SDK from a local machine with a custom service account.
I created a custom service account with these roles:
App Engine Admin
Cloud Build Service Account
Cloud Build Service Agent
Serverless VPC Access User
And authorized locally with this account:
gcloud auth activate-service-account account_name@project-name.iam.gserviceaccount.com --key-file=key.json
Also, I configure the service account in my app.yaml:
service_account: account_name@project-name.iam.gserviceaccount.com
But when I try to deploy
gcloud app deploy -v 1
I get the error:
Beginning deployment of service [default]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 0 files to Google Cloud Storage ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: Operation is not allowed. The "vpcaccess.connectors.use" permission is required.
I cannot understand why the vpcaccess.connectors.use permission is still required even though I have the Serverless VPC Access User role. I found the role on this Google docs page.
Maybe someone has met with a similar difficulty? Please help me)
UPD: even if I give the Owner role I still have the error
One way to fix this error is by removing vpc_access_connector: configuration from app.yaml
If you need vpc_access_connector configured, add
Serverless VPC Access User and Compute Viewer IAM roles to the service account doing the deployment.
Also, the vpc_access_connector in app.yaml must refer to one that exists in the same project or you will still get this error.
vpc_access_connector:
  name: projects/my-project-id/locations/the-zone/connectors/my-connector-name
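An added pre-deploy check (example code, not from any answer above) for the two conditions this answer names: the connector referenced in app.yaml must live in the project being deployed to, and the deploying service account must hold the Serverless VPC Access User and Compute Viewer roles. The app.yaml text, project ids and connector name are constructed for the example; the role ids are the IAM ids of the two named roles.

```python
import re

# Constructed app.yaml fragment (not from the question). The connector deliberately
# points at a different project than the one being deployed to.
APP_YAML = """\
runtime: go116
service_account: deployer@my-project-id.iam.gserviceaccount.com
vpc_access_connector:
  name: projects/other-project/locations/europe-west1/connectors/my-connector
"""

# Roles the answer says the deploying service account needs once a connector is set.
REQUIRED_ROLES = ("roles/vpcaccess.user", "roles/compute.viewer")

# Full resource name of a Serverless VPC Access connector.
CONNECTOR_RE = re.compile(
    r"^projects/(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"/locations/(?P<region>[a-z0-9-]+)"
    r"/connectors/(?P<name>[a-z][a-z0-9-]{0,23})$"
)


def connector_name(app_yaml):
    """Return the vpc_access_connector name from app.yaml text, or None if unset."""
    m = re.search(r"^vpc_access_connector:\s*\n\s+name:\s*(\S+)", app_yaml, re.M)
    return m.group(1) if m else None


def check_connector(app_yaml, deploy_project):
    """List the connector problems a deploy to deploy_project would hit."""
    problems = []
    name = connector_name(app_yaml)
    if name is None:
        return problems  # no connector configured: the permission is not needed
    m = CONNECTOR_RE.match(name)
    if not m:
        problems.append("malformed connector name: " + name)
        return problems
    if m["project"] != deploy_project:
        problems.append("connector is in project %s, deploying to %s"
                        % (m["project"], deploy_project))
    return problems


def missing_roles(granted_roles):
    """Required roles the deploying service account does not yet hold."""
    return [r for r in REQUIRED_ROLES if r not in set(granted_roles)]


if __name__ == "__main__":
    print(check_connector(APP_YAML, "my-project-id"))
    print(missing_roles(["roles/vpcaccess.user"]))
```

Feed `granted_roles` from the bindings of the deploying service account in the project IAM policy; an empty list from both functions means the two conditions in the answer are met.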
OK, I fixed this error by removing the vpc_access_connector: configuration from app.yaml.
UPD
But if you need to configure vpc_access_connector, you need to add the
Serverless VPC Access User and Compute Viewer IAM roles, and all must work fine.

How to deactivate IAP in a Google Cloud project?

I have a problem on a GCP Project
I added IAP on the app. I allowed every user on the professional Google domain.
I found that IAP was not a good solution. I finally removed IAP from the project. I un-toggled the functionality. And I removed the roles/members.
Now the whole project crashes:
Cloud Build returns this error when I try to deploy my services via triggers:
"ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as 'ID@appspot.gserviceaccount.com'"
When I launch an HTTP request to a service, the service doesn't create an instance.
I get this error: "Waiting for network connection open. Subject:"app/invalid" Address:127.0.0.1:8080"
The account "ID@appspot.gserviceaccount.com" has an Owner role.
I already checked the IAM roles; it doesn't seem that one is missing. I've checked against other projects, and it seems fine.
It's not the app's code, because I tried locally on my laptop and the services work perfectly.
I've deployed my services with the gcloud command, but the services are unreachable; I get 500 errors because my apps don't deploy.
I don't know which role I have to change in IAM to fix all the app.
This error means that Cloud Build service account can't act on behalf of App Engine service account. You can add this permission in Console-> Cloud Build-> settings enabling service account user role. There should have been some change recently that enabled this requirement for App Engine deployments.

Cloud Build fails to deploy to Google App Engine - You do not have permission to act as @appspot.gserviceaccount.com

This morning I made a PR which triggered a Cloud Build for my staging environment but failed to deploy the results to GAE.
The error was as follows:
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as '[redacted]@appspot.gserviceaccount.com'
Step #4: - '@type': type.googleapis.com/google.rpc.ResourceInfo
Step #4:   description: You do not have permission to act as this service account.
Step #4:   resourceName: [redacted]@appspot.gserviceaccount.com
Step #4:   resourceType: serviceAccount
When I look at https://console.cloud.google.com/cloud-build/settings/service-account
Cloud Build has the following service account permissions ENABLED:
App Engine Admin
Cloud KMS
Checking https://console.cloud.google.com/iam-admin/iam
I can see that the cloudbuild service account has the following roles:
App Engine Admin
App Engine Deployer
Cloud Build Service Account
Cloud KMS CryptoKey Decrypter
According to the provided error, it seems like you need to add some delegation to your service account. This means that the service account can act on behalf of another service account. Do not add this permission on the project level, since it poses a security risk! Below you can find an example of how to add roles/iam.serviceAccountUser on another service account.
PROJECT_ID=xxxxxx
PROJECT_NUMBER=$(gcloud projects list \
    --format="value(projectNumber)" \
    --filter="projectId=${PROJECT_ID}")
gcloud iam service-accounts add-iam-policy-binding \
    ${PROJECT_ID}@appspot.gserviceaccount.com \
    --member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com \
    --role=roles/iam.serviceAccountUser \
    --project=${PROJECT_ID}
To summarize, the service account must have the iam.serviceAccounts.actAs permission, which is included in the roles/iam.serviceAccountUser role. Updated Google documentation can be found here.
I had the same issue. For me I had to add the Service Account User role to my CircleCI user in IAM. Maybe you can do the same for Cloud Build.
First we go to the permission manager and select the project to which we want to add permissions: https://console.cloud.google.com/iam-admin/
I grant Service Account User permission to my CI/CD service account. That works.
Screenshot of IAM
Screenshot of my Gitlab CI/CD configuration
To resolve this issue, you can add Service Account User IAM permission to your CI/CD pipeline service account.
Eg. If you're using Cloud Build, then add Service Account User role to your {project-number}@cloudbuild.gserviceaccount.com service account
It looks as though this question is answered with the .ActAs permission being added to the Gitlab or CircleCI account.
I haven't had occasion to test yet - if anyone else has and can post details - please do so;
This is the proposed answer from what I can gather:
How do you enable "iam.serviceAccounts.actAs" permissions on a service account?
Nebulastic has a very nice answer above but the {PROJECT_ID} would need to be swapped with the Gitlab or CircleCI account name, not the project named account.

How can I add a user to an existing Google App Engine project?

I have an App Engine project to which I want to add another user, so she will have access to see it and also deploy to it.
I've tried to add her in IAM but she doesn't see the project.
If you want to grant her deploy permissions, you should grant her, at least, App Engine Deployer in IAM. You may need to grant also the Storage Admin role if that person is planning on using gcloud commands, which is most likely for deployments.

No permission to create an App Engine application

I'm facing some permission problems with Google Cloud. Whenever I try to set up a new App Engine app, I receive the following message:
You don't have permission to create an App Engine application in this project.
According to our administrator, all available app engine roles are assigned to my account.
Any ideas?
Greetings,
Sebastian
You need this permission:
appengine.applications.create
If you try to create an app within the console:
~ $ gcloud app create
you will get exactly this permission reported as missing, but incredibly this permission is not assigned by default to the administrator.
Thus, either create a new Role with this permission or just add this permission to any role you already have.
You probably have an IAM role on the project that doesn't include access to App Engine.
https://cloud.google.com/iam/docs/understanding-roles
You can ask the project owner what role you have on the project (unless you are a project Owner, Editor or Viewer, in which case you can see your role on the Permissions page).
I also got this error. It seems you need to be Project Owner to be able to create App Engine applications.
You need to have the App Engine API enabled. You need to have the App Engine Deployer or Admin role. And you need to be the project Owner, not just the project Editor.
See: https://cloud.google.com/appengine/docs/admin-api/access-control
apps.create: appengine.applications.create on the requested Application resource. Requires Owner role permissions on the GCP project.