How can I add a user to an existing Google App Engine project?

I have an App Engine project to which I want to add another user, so she will have access to see it and also deploy to it.
I've tried to add her in IAM but she doesn't see the project.

If you want to grant her deploy permissions, you should grant her, at least, App Engine Deployer in IAM. You may also need to grant the Storage Admin role if that person is planning on using gcloud commands, which is most likely for deployments.

Related

gcloud app deploy Required 'compute.regions.get' permission for Owner Principal

$ gcloud app deploy MY.yaml --image-url gcr.io/vorburger-learn-appengin/image:develop
causes the following error for me:
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: Request to https://compute.googleapis.com/compute/v1/projects/projects/vorburger-learn-appengin/regions/europe-west1?key failed, details: Required 'compute.regions.get' permission for 'projects/vorburger-learn-appengin/regions/europe-west1'
I'm simply running gcloud locally after gcloud init for my @gmail.com account, who has the omnipotent IAM Owner role on that GCP project. So it's not clear to me just which IAM Principal is missing the compute.regions.get permission?
This is on a project where it used to work last year and stopped working 2 months ago. Maybe I deleted something by mistake? Things I've tried out so far:
gcloud services enable appengineflex.googleapis.com mentioned here
Verified @cloudservices.gserviceaccount.com Google APIs Service Agent exists and has the Editor role mentioned here
I do NOT have any 123...-compute@developer.gserviceaccount.com account mentioned here on this project - should I?
Background: https://github.com/vorburger/www.fineract.dev/issues/15
I do NOT have any 123...-compute@developer.gserviceaccount.com account mentioned here on this project - should I?
Yes, you have to undelete the service account. However, the undelete command only works for Service Accounts deleted fewer than 30 days ago.
After 30 days, IAM permanently removes the service account. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.
If you are not able to undelete the service account, you can create a new service account with the same name; revoke all of the roles from the deleted service account; and grant the same roles to the new service account. For details, see Policies with deleted principals.
Additionally, you did not mention whether the App Engine default service account was also accidentally deleted. If yes, you would also need to undelete this.
Warning: Deleting the App Engine default service account breaks any current and future App Engine applications in your Cloud project. For example, your application will lose access to other Google Cloud services such as Datastore. If needed, you can restore a deleted default service account.
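The cleanup the answer above describes (revoke the roles still bound to the deleted account, grant them to its re-created namesake) can be planned from the project policy. This is an added example, not part of the original posts; the policy, project id, account name and uid are constructed placeholders, and it assumes the account has already been re-created under the same address.

```python
import json
import re
from collections import defaultdict

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# Project id, account name and uid are placeholders, not values from the page.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor", "members": [
    "deleted:serviceAccount:deploy-bot@example-project.iam.gserviceaccount.com?uid=100000000000000000001",
    "user:owner@example.com"]},
  {"role": "roles/storage.admin", "members": [
    "deleted:serviceAccount:deploy-bot@example-project.iam.gserviceaccount.com?uid=100000000000000000001"]}
]}
""")

# IAM lists a deleted principal as deleted:<type>:<email>?uid=<numeric id>.
DELETED = re.compile(r"^deleted:(?P<kind>[A-Za-z]+):(?P<email>[^?]+)\?uid=(?P<uid>\d+)$")


def deleted_principals(policy):
    """Map each deleted member string to the sorted roles it is still bound to."""
    found = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if DELETED.match(member):
                found[member].add(binding["role"])
    return {member: sorted(roles) for member, roles in found.items()}


def remediation_plan(policy, project_id):
    """Commands that move each role from a deleted account to its live namesake."""
    commands = []
    for member, roles in sorted(deleted_principals(policy).items()):
        m = DELETED.match(member)
        live = f"{m['kind']}:{m['email']}"  # same address, without prefix and uid
        for role in roles:
            commands.append(f"gcloud projects remove-iam-policy-binding {project_id} "
                            f"--member='{member}' --role={role}")
            commands.append(f"gcloud projects add-iam-policy-binding {project_id} "
                            f"--member='{live}' --role={role}")
    return commands


if __name__ == "__main__":
    for line in remediation_plan(SAMPLE_POLICY, "example-project"):
        print(line)
```

The script only prints the commands; review the list before running any of them against a real project.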

Using Cloud IAM to limit access to App Engine in Google Cloud Platform

I have an app running on Google Cloud Platform. I have access to lists of people (in my organisation) through Cloud IAM. I only want my App Engine app to be accessible to some of these lists with them having to log on with their Google Account before being allowed in to the site (is this how Cloud IAM permissions work or is this single service sign-on?).
What kind of rules or roles do I need to set just to allow groups or lists to see and use an application?
In Cloud IAM I see these potential roles related to App Engine.
The 'App Engine Viewer' role has this description: "Ability to view App Engine app status.". Is this what I want?
You need to use Cloud IAP to limit user authentication to your App Engine application.
The roles you mentioned (such as App Engine Viewer...) permit you to limit administration rights on your app: to only publish a new version, or only browse information about your app deployment.
You can start easily with IAP with this good and official tutorial.

Role-names available on Google App Engine

I'm developing an admin page for my webpage. I'm using GAE and security-constraints. I would like to know which role-names are available and how I can define which Google Accounts could access a specific page.
When using Google App Engine, these are the pre-defined roles available:
roles/appengine.appAdmin: The App Engine Admin (read/write/modify access to all the configuration and settings of the app)
roles/appengine.serviceAdmin: The App Engine Service Admin (read-only access to app configuration and settings, write/modify access to module/version-level settings, can't deploy new versions)
roles/appengine.deployer: The App Engine Deployer (read-only access to app configuration and settings, write access to create new versions only, can't modify versions except for deleting those without traffic)
roles/appengine.appViewer: The App Engine Viewer (read-only access to app configuration and settings)
roles/appengine.codeViewer: The App Engine Code Viewer (read-only access to app configuration, settings and deployed source code)
These roles are explained in more detail here.
In order to establish the permissions for accounts to access the application, Google Cloud relies on IAM (Identity and Access Management), where you can create service accounts for accessing the app (as well as define roles for project members, including service accounts and Google accounts).
There are various ways to define permissions for access control, but I would recommend using the Cloud Console for it. Inside the console, go to the IAM page and select the project for which you want to define access control rules. These are the operations that you can do inside the IAM page:
Add team members (Google or service accounts).
Grant them one or more roles.
Change team member's access.
Revoke access to team members.
You can check this link for further info about how to manage roles and permissions using IAM.
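An audit over a project policy that applies the role descriptions listed above, together with the two roles the first answer on this page names for deploying with gcloud. This is an added example, not code from the original posts; the policy and all member addresses are constructed.

```python
import json

# Deploy capability per predefined role, taken from the descriptions above.
# Basic roles (Owner, Editor) and custom roles are not covered by this table.
CAN_DEPLOY = {
    "roles/appengine.appAdmin": True,
    "roles/appengine.deployer": True,
    "roles/appengine.serviceAdmin": False,  # "can't deploy new versions"
    "roles/appengine.appViewer": False,
    "roles/appengine.codeViewer": False,
}
# Roles the first answer on this page names for deploying with gcloud.
DEPLOY_ROLES = {"roles/appengine.deployer", "roles/storage.admin"}

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/appengine.appViewer", "members": ["user:colleague@example.com"]},
  {"role": "roles/appengine.deployer",
   "members": ["user:dev@example.com", "group:release@example.com"]},
  {"role": "roles/appengine.serviceAdmin", "members": ["user:ops@example.com"]},
  {"role": "roles/storage.admin", "members": ["user:dev@example.com"],
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
]}
""")


def roles_of(policy, member):
    """Return (unconditional, conditional) roles bound directly to a member."""
    plain, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            (conditional if binding.get("condition") else plain).add(binding["role"])
    return plain, conditional


def deploy_gaps(policy, member):
    """Deploy roles the member lacks, and deploy roles held only under a condition."""
    plain, conditional = roles_of(policy, member)
    missing = sorted(DEPLOY_ROLES - plain - conditional)
    return missing, sorted((DEPLOY_ROLES & conditional) - plain)


def who_can_deploy(policy):
    """Members holding a predefined App Engine role that can create new versions."""
    members = set()
    for binding in policy.get("bindings", []):
        if CAN_DEPLOY.get(binding["role"], False):
            members.update(binding.get("members", []))
    return sorted(members)
```

Only direct bindings are evaluated: roles a user inherits through group membership or from a folder or organization policy do not appear in the project policy under that user's name.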

No permission to create an App Engine application

I'm facing some permission problems with Google Cloud. Whenever I try to set up a new App Engine application, I receive the following message:
You don't have permission to create an App Engine application in this project.
According to our administrator, all available App Engine roles are assigned to my account.
Any ideas?
Greetings,
Sebastian
You need this permission:
appengine.applications.create
If you try to create an app within the console:
~ $ gcloud app create
you will get exactly this permission reported as missing, but incredibly this permission is not assigned by default to the administrator.
Thus, either create a new role with this permission or just add this permission to any role you already have.
You probably have an IAM role on the project that doesn't include access to App Engine.
https://cloud.google.com/iam/docs/understanding-roles
You can ask the project owner what role you have on the project (unless you are a project Owner, Editor or Viewer, in which case you can see your role on the Permissions page).
I also got this error. It seems you need to be Project Owner to be able to create App Engine applications.
You need to have the App Engine API enabled. You need to have the App Engine Deployer or Admin role. And you need to be the project Owner, not just the project Editor.
See: https://cloud.google.com/appengine/docs/admin-api/access-control
apps.create appengine.applications.create on the requested Application resource. Requires Owner role permissions on GCP project.

How to give a developer access to my Google App Engine project?

I've got a Google App Engine project account and want to give access to a new developer who's going to help out, but I don't want him to have the account access details. How do I add him as a user so he can deploy and test code on my account (locally on his machine using the SDK and live), but not do anything I don't want him to do with the account?
I know I need to use IAM roles somehow, but does the developer already need a Google account (don't think he has one) or can I just send an invite to his existing email etc?
Many thanks,
Alex
Your developer will require a Google account, which can be a Gmail account or a Google Apps account.
Check out the description of the App Engine IAM roles and then grant the appropriate access to your developer's Google account.
In your case that might be either "Editor" or "App Engine Service Admin".
