I want to deploy an API to app engine But it ends up using the wrong service account.
I use these 3 cmd lines in gitlab:
- gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
- gcloud config set account NameOfServiceAccount.com
- gcloud app deploy
What I get is
target service account: [App Engine default service account]
Do you want to continue (Y/n)?
Beginning deployment of service [lettering-back]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 2 files to Google Cloud Storage ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as
To deploy new versions, a member must have the Service Account User
(roles/iam.serviceAccountUser) role on the App Engine default service
account, and the Cloud Build Editor (roles/cloudbuild.builds.editor)
and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on
the project.
More specifically for your error message you gonna need roles/iam.serviceAccountUser on your service account whose key is the one you placed at /tmp/$CI_PIPELINE_ID.json
Reference : the first table row at https://cloud.google.com/appengine/docs/standard/python/roles#predefined_roles
Related
When I try to follow the example here: https://cloud.google.com/appengine/docs/flexible/python/quickstart,
gcloud app deploy
gives me the below error:
ERROR: (gcloud.app.deploy) HTTPError 403: *account1* does not have storage.objects.get access to the Google Cloud Storage object.
However, the account: account1 is the owner of the particular project. So why an ower does not have the storage.objects.get access here?
The problem is resolved by adding Storage Object Admin role to the account.
Try waiting a bit and re-run "gcloud app deploy". I had the same problem with a different example app. Build and deploy a C# .NET Core service I believe it's a timing issue during the build process.
I have set up a Node.js server in Google Cloud Platform App Engine, and have also configured a custom domain, which is correctly configured and has a SSL cert.
However, I can't figure out how to actually serve through the domain.
In the GCP terminal, run this command:
gcloud app deploy
Since the server is already set up and working and the domain is already configured, that command is all that's needed to deploy.
I am running Jenkins locally on Windows 10 and am having a tough time getting it to deploy to Google App Engine (Standard) with a service account. Here is what I've done so far:
Created a new service account called jenkins#PROJECT-ID.iam.gserviceaccount.com
Given that service account these permissions:
App Engine Deployer
App Engine Service Admin
Cloud Build Service Account
Cloud Build Service Agent (not sure if necessary)
Storage Admin
Downloaded the service account json key, placed it in my Documents folder
Then I used the following commands after my project builds using Node.js:
gcloud auth activate-service-account --key-file %USERPROFILE%\Documents\PROJECT\jenkins-local-sa.json
gcloud config set project PROJECT-ID
gcloud app deploy app.yaml
Then I'm hit with this error:
(gcloud.app.deploy) Error Response: [13] Failed to create cloud build: cloudbuild service account doesn't have access to projectID "PROJECT-ID".
I've seen plenty of other errors in my Google search but not this one specifically. Has anyone run across this error?
You need to enable service account user permission in cloud build settings !
I'm trying to deploy an application, but gcloud informs me that I don't have permissions, even though I am the main user of the account with the Owner rule, see: Deploy console
My gcloud auth list:
Credentialed Accounts
ACTIVE ACCOUNT
* hi#myemail.com
myproject#appspot.gserviceaccount.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`
My gcloud init (default project is ok):
Welcome! This command will take you through the configuration of gcloud.
Settings from your current configuration [myproject] are:
core:
account: hi#myemail.com
disable_usage_reporting: 'False'
project: myproject
Pick configuration to use:
[1] Re-initialize this configuration [myproject] with new settings
[2] Create a new configuration
My IAM & Admin Permissions for project "myproject": IAM List
How to solve this problem? It is the only project in my account.
I think the issue is because you're trying to overwrite a deploy with version 2 that is stopped.
The message is very clear in your first image.
Traffic cannot be allocated to stopped version 2. Please ensure that traffic is only allocated to serving versions.
I'll suggest to check that the deployment in App Engine with version 2 is not stopped or deploy to a new version, for example just to test:
gcloud app deploy site.yaml --version=5165165
I want to deploy my app via google service account. I am using the test-version of googlecloud with billing enabled. I granted the following permissions to my service account:
App Engine Administrator
App Engine Deployer
App Engine Service Administrator
Cloud Build Service Account
Cloud Build Editor
Storage Administrator
When I try to login via keyfile with gcloud auth activate-service-account --key-file file.json and then trying to deploy the app with the service account with the following command: gcloud --quiet --project projecid app deploy app.yaml I get the following error:
(gcloud.app.deploy) Permissions error fetching application [apps/projectid]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.
Also I might have to say, that I am using a account ID which was used before.
Do you guys have an idea what I could do? It works, when I deploy it with my normal google account and a normal login. But I need that because of gitlab-ci
I have tried to reproduce your situation by creating a new service account and giving it the roles you listed. I have authorized access to GCP with its key using the gcloud auth activate-service-account --key-file=<KEY-FILE> command but the deployment has been successful for me.
Run the gcloud auth list command to make sure you're authorized with the correct service account. Also you can try adding the --verbosity=debug flag to the deployment command to see if you can find anything useful in the error logs if the error occurs.
From the error description, however, it seems that you might also have passed an incorrect project ID when deploying the application:
gcloud --quiet --project projecid app deploy app.yaml
- make sure it is not the case.