How to unactive IAP in google cloud project? - google-app-engine

I have a problem on a GCP project.
I added IAP on the app. I allowed every user on the professional Google domain.
I found that IAP was not a good solution. I finally removed IAP from the project. I un-toggled the functionality, and I removed the roles/members.
Now the whole project crashes:
Cloud Build returns this error when I try to deploy my services by triggers:
"ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as 'ID@appspot.gserviceaccount.com'"
When I launch an HTTP request to a service, the service doesn't create an instance.
I get this error: "Waiting for network connection open. Subject:"app/invalid" Address:127.0.0.1:8080"
The account "ID@appspot.gserviceaccount.com" has the Owner role.
I already checked the IAM roles; there doesn't seem to be one missing. I've compared with other projects, and it seems fine.
It's not the code of the app, because I tried it locally on my laptop and the services work perfectly.
I've deployed my services with the gcloud command, but the services are unreachable; I get 500 errors because my apps don't deploy.
I don't know which role I have to change in IAM to fix the app.

This error means that the Cloud Build service account can't act on behalf of the App Engine service account. You can add this permission in Console -> Cloud Build -> Settings by enabling the Service Account User role. There should have been some change recently that enabled this requirement for App Engine deployments.
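As an added example (not from the question or the answer), the same fix done on the App Engine default service account's own IAM policy rather than in the Console: check whether the Cloud Build service account already holds Service Account User on it and, if not, produce the patched policy to apply. PROJECT_ID, PROJECT_NUMBER and the sample policy are placeholders.

```python
import json

# Constructed sample (placeholder ids): the IAM policy of the App Engine default service
# account as `gcloud iam service-accounts get-iam-policy SA --format=json` prints it.
PROJECT_ID = "my-project-id"
PROJECT_NUMBER = "123456789012"
APP_ENGINE_SA = f"{PROJECT_ID}@appspot.gserviceaccount.com"
CLOUD_BUILD_SA = f"{PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"
ACT_AS_ROLE = "roles/iam.serviceAccountUser"  # lets a principal "act as" this SA

SAMPLE_POLICY = json.loads("""
{
  "etag": "BwXyz123abc=",
  "version": 1,
  "bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:other@my-project-id.iam.gserviceaccount.com"]}
  ]
}
""")


def can_act_as(policy, member):
    """True if `member` already holds Service Account User on this service account."""
    return any(b["role"] == ACT_AS_ROLE and member in b.get("members", [])
               for b in policy.get("bindings", []))


def grant_act_as(policy, member):
    """Copy of `policy` with `member` bound to roles/iam.serviceAccountUser.
    The etag is preserved so set-iam-policy fails if the policy changed meanwhile."""
    patched = json.loads(json.dumps(policy))  # deep copy; never mutate the fetched policy
    if can_act_as(patched, member):
        return patched
    for b in patched.setdefault("bindings", []):
        if b["role"] == ACT_AS_ROLE:
            b.setdefault("members", []).append(member)
            break
    else:
        patched["bindings"].append({"role": ACT_AS_ROLE, "members": [member]})
    return patched


if __name__ == "__main__":
    new_policy = grant_act_as(SAMPLE_POLICY, f"serviceAccount:{CLOUD_BUILD_SA}")
    # Write this to policy.json and apply it with:
    #   gcloud iam service-accounts set-iam-policy APP_ENGINE_SA policy.json
    print(json.dumps(new_policy, indent=2))
```

The same single binding can also be added directly with `gcloud iam service-accounts add-iam-policy-binding`; the policy-level version above is the one to use when you want to review the whole policy before writing it back.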

Related

gcloud app deploy Required 'compute.regions.get' permission for Owner Principal

$ gcloud app deploy MY.yaml --image-url gcr.io/vorburger-learn-appengin/image:develop
causes the following error for me:
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: Request to https://compute.googleapis.com/compute/v1/projects/projects/vorburger-learn-appengin/regions/europe-west1?key failed, details: Required 'compute.regions.get' permission for 'projects/vorburger-learn-appengin/regions/europe-west1'
I'm simply running gcloud locally after gcloud init for my @gmail.com account, who has the omnipotent IAM Owner role on that GCP project. So it's not clear to me just which IAM Principal is missing the compute.regions.get permission?
This is on a project where it used to work last year and stopped working 2 months ago. Maybe I deleted something by mistake? Things I've tried out so far:
gcloud services enable appengineflex.googleapis.com mentioned here
Verified @cloudservices.gserviceaccount.com Google APIs Service Agent exists and has the Editor role mentioned here
I do NOT have any 123...-compute@developer.gserviceaccount.com account mentioned here on this project - should I?
Background: https://github.com/vorburger/www.fineract.dev/issues/15
I do NOT have any 123...-compute@developer.gserviceaccount.com account mentioned here on this project - should I?
Yes, you have to undelete the service account. However, the undelete command only works for Service Accounts deleted fewer than 30 days ago.
After 30 days, IAM permanently removes the service account. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.
If you are not able to undelete the service account, you can create a new service account with the same name; revoke all of the roles from the deleted service account; and grant the same roles to the new service account. For details, see Policies with deleted principals.
Additionally, you did not mention the App Engine default service account if it was also accidentally deleted. If yes, you would also need to undelete this.
Warning: Deleting the App Engine default service account breaks any current and future App Engine applications in your Cloud project. For example, your application will lose access to other Google Cloud services such as Datastore. If needed, you can restore a deleted default service account.
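Added example (not from the answer), with placeholder project and account ids: it scans a project IAM policy for the `deleted:serviceAccount:EMAIL?uid=UNIQUE_ID` principals IAM leaves behind, pulls out the unique id that `gcloud iam service-accounts undelete` needs, and, for the over-30-days case where the account has been recreated under the same name, lists the revoke-and-regrant commands the answer describes.

```python
import re

# Constructed sample (placeholder ids), shaped like `gcloud projects get-iam-policy
# PROJECT_ID --format=json` after the default service accounts were deleted: IAM keeps
# the bindings but rewrites each member as deleted:serviceAccount:EMAIL?uid=UNIQUE_ID.
PROJECT_ID = "my-project-id"
SAMPLE_POLICY = {
    "etag": "BwXabc123=",
    "bindings": [
        {"role": "roles/editor", "members": [
            "deleted:serviceAccount:my-project-id@appspot.gserviceaccount.com?uid=100000000000000000001",
            "deleted:serviceAccount:123456789012-compute@developer.gserviceaccount.com?uid=100000000000000000002",
            "user:admin@example.com"]},
        {"role": "roles/storage.objectViewer", "members": [
            "deleted:serviceAccount:my-project-id@appspot.gserviceaccount.com?uid=100000000000000000001"]},
    ],
}

DELETED_SA = re.compile(r"^deleted:serviceAccount:(?P<email>[^?]+)\?uid=(?P<uid>\d+)$")


def deleted_service_accounts(policy):
    """Return {email: (uid, sorted roles)} for every deleted service account still bound."""
    found = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            m = DELETED_SA.match(member)
            if m:
                uid, roles = found.setdefault(m["email"], (m["uid"], set()))
                roles.add(binding["role"])
    return {email: (uid, sorted(roles)) for email, (uid, roles) in found.items()}


def repair_commands(policy, project_id):
    """gcloud commands in the order to try them: undelete by unique id (only works within
    30 days of deletion); otherwise, once the account is recreated under the same name,
    move each role from the stale deleted principal to the fresh account."""
    cmds = []
    for email, (uid, roles) in deleted_service_accounts(policy).items():
        cmds.append(f"gcloud iam service-accounts undelete {uid} --project={project_id}")
        stale = f"deleted:serviceAccount:{email}?uid={uid}"
        for role in roles:
            cmds.append(f"gcloud projects remove-iam-policy-binding {project_id} "
                        f"--member='{stale}' --role={role}")
            cmds.append(f"gcloud projects add-iam-policy-binding {project_id} "
                        f"--member='serviceAccount:{email}' --role={role}")
    return cmds


if __name__ == "__main__":
    print("\n".join(repair_commands(SAMPLE_POLICY, PROJECT_ID)))
```

Run the undelete first; the remove/add pairs only apply if undelete is refused and you have recreated the account under its old name, as the answer says.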

gcloud app deploy error: The "vpcaccess.connectors.use" permission is required

I have a Go application and tried to deploy it to Google App Engine with the Google command line SDK from a local machine with a custom service account.
I created a custom service account with the roles:
App Engine Admin
Cloud Build Service Account
Cloud Build Service Agent
Serverless VPC Access User
And authorized locally with this account:
gcloud auth activate-service-account account_name@project-name.iam.gserviceaccount.com --key-file=key.json
Also, I configured the service account in my app.yaml:
service_account: account_name@project-name.iam.gserviceaccount.com
But when I try to deploy with
gcloud app deploy -v 1
I get the error:
Beginning deployment of service [default]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 0 files to Google Cloud Storage ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: Operation is not allowed. The "vpcaccess.connectors.use" permission is required.
I cannot understand why the vpcaccess.connectors.use permission is still required even though I have the Serverless VPC Access User role. I found the role on this Google docs page.
Maybe someone has met with a similar difficulty? Please help me)
UPD: even if I give the Owner role I still have the error
One way to fix this error is by removing vpc_access_connector: configuration from app.yaml
If you need vpc_access_connector configured, add
Serverless VPC Access User and Compute Viewer IAM roles to the service account doing the deployment.
Also, the vpc_access_connector in app.yaml must refer to one that exists in the same project or you will still get this error.
vpc_access_connector:
name: projects/my-project-id/locations/the-zone/connectors/my-connector-name
Ok, I fixed this error by removing the vpc_access_connector: configuration from app.yaml
UPD
But if you need to configure vpc_access_connector, you need to add the
Serverless VPC Access User and Compute Viewer IAM roles and all should work fine.

Identity-Aware Proxy Authorization Error 403 org_internal

I have a Python Streamlit app hosted in GCP via App Engine. Following this tutorial, I added an Identity-Aware Proxy to secure the app.
The IAP is activated and the OAuth consent screen is set to internal.
In the IAP settings, I added myself and a colleague, both with the "IAP-secured Web App User" role.
While I can access the app after logging in with my associated Google account, he gets an "Error 403: org_internal" error when logging in with his associated Google account.
What I already tried:
Setting the OAuth consent screen to external (test mode) and added both of us
Adding him to our GCP organization
Neither approach worked. He just can't access the app after all.
Any ideas what I am doing wrong?

Deploying App Engine Flex from Compute Engine with service account

I have set up a Compute Engine instance for centralised maintenance and updating of App Engine Flex instances. One reason for this is to keep the database and other credentials inside the Google project and not to store them on local development machines.
When I am trying to flex deploy with
gcloud app deploy
I get an error
ERROR: (gcloud.beta.app.deploy) Permissions error fetching application [<project here>]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.
Service account is default compute engine account and I have enabled Editor role for it in the IAM. I also tried enabling all App Engine roles but it did not change the situation.
Is there a way to make deployments from Compute Engine and if so what would be the correct credentials or am I missing some steps here?
I created a new Compute Engine Instance and tried issuing the same command as you are running. I also encountered the same issue. Here is how I've managed to resolve it.
1) Stop the instance
2) Navigate to IAM > Service Accounts > Create Service Account
3) Create a new service account and ensure you add roles for 'App Engine Admin' or 'App Engine Deployer' in addition to 'Storage Admin', 'Project Editor' and 'Cloud Container Builder Editor' to the service account. So in total you should have a minimum of 4 roles assigned to the service account, plus any other roles you think you may need for your application.
4) Edit the stopped instance (from step 1) and change the service account to the new service account you created.
When you restart the instance you should now have the correct permissions/roles to deploy your App Engine Flex App from the instance.
There was an authorisation issue because the Compute Engine default service account isn't assigned the roles required for deploying applications to App Engine flex, as various APIs are utilised in this process. By assigning the roles required for App Engine Flex deployments to a new service account, and then adding the service account to the instance, the instance then has the required authorisation to interact with other GCP APIs needed for App Engine Flex deployments.

How do I run a scheduled task on Google App Engine on-demand?

I would like to run a scheduled task on-demand in my production appspot. Unlike development, there is no "run this task" button that I can click. When I try to go to the URL directly, I get a 500 error. The logs say this:
Authentication for the Google Apps domain webfilings.com can only be
performed when requests are served from a subdomain of that domain or
it has been approved through the Google Apps Control Panel
I have verified that I am logged in and that I am an owner of this appspot.
I also tried running the task via the remote api tool but this doesn't work either.
Sorry, there is currently no "Run Now" button for Cron tasks. This is a reasonable feature request if you would like to file it.
The authentication error is due to how your application is configured.
This will happen if you have set the Authentication Type (when creating an app or in the application settings) to Google Apps Domain. This causes the app to require that all login be done using an account managed by that domain, but also requires that the domain administrator configure the application in the Google Apps control panel.
You (or your domain administrator) can do this by going to the application settings for the application on appengine.google.com and clicking Add Domain. You can also reset the Authentication Type to Google Accounts API, which will allow all accounts.
https://developers.google.com/appengine/articles/auth has more information, though it's now permitted to change authentication types under certain conditions.