I want to deploy my app via google service account. I am using the test-version of googlecloud with billing enabled. I granted the following permissions to my service account:
App Engine Administrator
App Engine Deployer
App Engine Service Administrator
Cloud Build Service Account
Cloud Build Editor
Storage Administrator
When I try to login via keyfile with gcloud auth activate-service-account --key-file file.json and then trying to deploy the app with the service account with the following command: gcloud --quiet --project projecid app deploy app.yaml I get the following error:
(gcloud.app.deploy) Permissions error fetching application [apps/projectid]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.
Also I might have to say, that I am using a account ID which was used before.
Do you guys have an idea what I could do? It works, when I deploy it with my normal google account and a normal login. But I need that because of gitlab-ci
I have tried to reproduce your situation by creating a new service account and giving it the roles you listed. I have authorized access to GCP with its key using the gcloud auth activate-service-account --key-file=<KEY-FILE> command but the deployment has been successful for me.
Run the gcloud auth list command to make sure you're authorized with the correct service account. Also you can try adding the --verbosity=debug flag to the deployment command to see if you can find anything useful in the error logs if the error occurs.
From the error description, however, it seems that you might also have passed an incorrect project ID when deploying the application:
gcloud --quiet --project projecid app deploy app.yaml
- make sure it is not the case.
Related
I want to deploy an API to app engine But it ends up using the wrong service account.
I use these 3 cmd lines in gitlab:
- gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
- gcloud config set account NameOfServiceAccount.com
- gcloud app deploy
What I get is
target service account: [App Engine default service account]
Do you want to continue (Y/n)?
Beginning deployment of service [lettering-back]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 2 files to Google Cloud Storage ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as
To deploy new versions, a member must have the Service Account User
(roles/iam.serviceAccountUser) role on the App Engine default service
account, and the Cloud Build Editor (roles/cloudbuild.builds.editor)
and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on
the project.
More specifically for your error message you gonna need roles/iam.serviceAccountUser on your service account whose key is the one you placed at /tmp/$CI_PIPELINE_ID.json
Reference : the first table row at https://cloud.google.com/appengine/docs/standard/python/roles#predefined_roles
I have set up a Node.js server in Google Cloud Platform App Engine, and have also configured a custom domain, which is correctly configured and has a SSL cert.
However, I can't figure out how to actually serve through the domain.
In the GCP terminal, run this command:
gcloud app deploy
Since the server is already set up and working and the domain is already configured, that command is all that's needed to deploy.
I am running Jenkins locally on Windows 10 and am having a tough time getting it to deploy to Google App Engine (Standard) with a service account. Here is what I've done so far:
Created a new service account called jenkins#PROJECT-ID.iam.gserviceaccount.com
Given that service account these permissions:
App Engine Deployer
App Engine Service Admin
Cloud Build Service Account
Cloud Build Service Agent (not sure if necessary)
Storage Admin
Downloaded the service account json key, placed it in my Documents folder
Then I used the following commands after my project builds using Node.js:
gcloud auth activate-service-account --key-file %USERPROFILE%\Documents\PROJECT\jenkins-local-sa.json
gcloud config set project PROJECT-ID
gcloud app deploy app.yaml
Then I'm hit with this error:
(gcloud.app.deploy) Error Response: [13] Failed to create cloud build: cloudbuild service account doesn't have access to projectID "PROJECT-ID".
I've seen plenty of other errors in my Google search but not this one specifically. Has anyone run across this error?
You need to enable service account user permission in cloud build settings !
I'm trying to deploy an application, but gcloud informs me that I don't have permissions, even though I am the main user of the account with the Owner rule, see: Deploy console
My gcloud auth list:
Credentialed Accounts
ACTIVE ACCOUNT
* hi#myemail.com
myproject#appspot.gserviceaccount.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`
My gcloud init (default project is ok):
Welcome! This command will take you through the configuration of gcloud.
Settings from your current configuration [myproject] are:
core:
account: hi#myemail.com
disable_usage_reporting: 'False'
project: myproject
Pick configuration to use:
[1] Re-initialize this configuration [myproject] with new settings
[2] Create a new configuration
My IAM & Admin Permissions for project "myproject": IAM List
How to solve this problem? It is the only project in my account.
I think the issue is because you're trying to overwrite a deploy with version 2 that is stopped.
The message is very clear in your first image.
Traffic cannot be allocated to stopped version 2. Please ensure that traffic is only allocated to serving versions.
I'll suggest to check that the deployment in App Engine with version 2 is not stopped or deploy to a new version, for example just to test:
gcloud app deploy site.yaml --version=5165165
I´m trying to deploy a web application to google app engine after successful build(I´m using maven on my project) and travis-ci is asking for my password. How can I input my password or specify somewhere else?
Based on the limited information you are giving us, I am guessing this is happening during the gcloud preview app deploy call.
Typically the docker TLS Verification will need a local public key for a Cert and this requires a passcode response. This situation can be avoided by providing the cert using the travis encrypt-file api and calling gcloud auth activate-service-account during the build. see gloud cli here
Please see the travis yml here for a full example
As always, post questions either here or github for additional walk-through questions.