I'm trying to download the source code for my project running on app engine by following https://cloud.google.com/appengine/docs/standard/python/tools/downloading-source-code, but I keep getting permission denied. I am logged in as the owner of the project.
Related
I deployed logging.v2.sink using Google Cloud Deployment Manager, however the deployment was failed by permission denied.
The problem was also happened in this logsink example of Google Cloud Deployment Manager.
The result is following:
- code: RESOURCE_ERROR
location: /deployments/my-project-id/resources/sink
message:
{
"ResourceType": "logging.v2.sink",
"ResourceErrorCode": "403",
"ResourceErrorMessage": {
"code": 403,
"message": "The\n caller does not have permission",
"status": "PERMISSION_DENIED",
"statusMessage": "Forbidden",
"requestPath": "https://logging.googleapis.com/v2/projects/my-project-id/sinks",
"httpMethod": "POST"
}
}
The deployment was executed by owner role, moreover I can create logging sink using cli.
gcloud installed in local is newest (v217.0.0).
Why does this problem happen?
I misunderstood permissions of cloud deployment manager.
I noticed that the accounts of deploying template and creating resources are different(https://cloud.google.com/deployment-manager/docs/access-control).
When I add the Logging Admin role to the service account, deployment succeeds.
[PROJECT_NUMBER]#cloudservices.gserviceaccount.com
Ran into the same problem. Elaborating the answer above:
Deployment manager uses [PROJECT_NUMBER]#cloudservices.gserviceaccount.com to create resources on your behalf. You can check the policy binding for this service account:
gcloud projects get-iam-policy [PROJECT_NUMBER]
This service account has roles/editor on the project by default, which has the following policies for logging sinks:
- logging.sinks.get
- logging.sinks.list
You can confirm this using this command:
gcloud iam roles describe roles/editor
roles/logging.configWriter has logging.sinks.{list, create, get, update, delete} permissions, so you can add a new policy binding to your project and then retry:
gcloud projects add-iam-policy-binding secstate-gcp-test02 \
--member serviceAccount:[PROJECT_ID]#cloudservices.gserviceaccount.com \
--role roles/logging.configWriter
I am attempting to deploy a cron.yaml file with gcloud app deploy with a service account that has the "GAE admin" role on my project.
It is apparently not sufficient to update my cron config. It seems I need to give the service account the "project editor" role to continue.
The error I got was:
ERROR: (gcloud.app.deploy) Server responded with code [403]:
Forbidden Unexpected HTTP status 403.
You do not have permission to modify this app
Is there a way to update cron.yaml without requiring the "project editor" role.
As documented here, to deploy cron.yaml, you need the "Cloud Scheduler > Cloud Scheduler Admin role".
I following the google cloud console right side tutorial to deploy a ruby project, after clone the demo source code the try to using command gcloud app deploy --project fireflywytwyt to deploy, it throw following error to me(Unnecessary logs is omitted):
...
8820c09c846d: Image already exists
64fc2a97cff9: Image already exists
43f58141118b: Image already exists
575d6bde5efe: Image already exists
272ffca85019: Image already exists
90a62e26e551: Image already exists
a51047f764d0: Image already exists
2c8496abe349: Image already exists
6e04b82f3d6e: Image already exists
latest: digest: sha256:406115ccfa93d7cef120b2683f75c9f5b3821d8a11b8afbca7781240c293313e size: 72372
DONE
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Updating service [default]...failed.
ERROR: (gcloud.app.deploy) Error Response: [7] The user fireflywytwyt#appspot.gserviceaccount.com must have permission to read the image at us.gcr.io/fireflywytwyt/appengine/def
ault.20161124t144728:latest
Please notice the error:
The user fireflywytwyt#appspot.gserviceaccount.com must have permission to read the image at us.gcr.io/fireflywytwyt/appengine/def
It seems my account cannot access the docker registry, how to fix that?
You need to give the service user (in your case fireflywytwyt#appspot.gserviceaccount.com ) Editor role. To do this
Open the IAM & Admin page in the Cloud Platform Console.
Select your project and click Continue.
Click Add member.
Enter the email address of the service account, select an Editor role and click Add.
Give your Service Account appropriate permissions:
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member serviceAccount:codelab#${PROJECT_ID}.iam.gserviceaccount.com \
--role roles/owner
I am trying to connect Google Container Engine from my local machine using gcloud sdk but i am getting below error.
C:\Program Files (x86)\Google\Cloud SDK>gcloud container clusters get-credential
s cluster-2 --zone us-central1-a --project myapp-00000
Fetching cluster endpoint and auth data.
ERROR: (gcloud.container.clusters.get-credentials) environment variable HOME or
KUBECONFIG must be set to store credentials for kubectl
I have check at HOME location there is not .kube folder created and not environment variable set by default, so i have created KUBECONFIG environment by myself after that i am getting below error :-
ERROR: gcloud crashed (OSError): [Errno 13] Permission denied: 'C:\\Tool\\config'
i have started gcloud sdk as admin and it have all the correct Permission.
EDIT
I am using below version (which are latest as of today)
Google Cloud SDK 129.0.0
kubectl
kubectl-windows-x86_64 1.4.0
C:\Program Files (x86)\Google\Cloud SDK>kubectl version
Client Version: version.Info{Major:"1", Minor:"4", GitVersion:"v1.4.0",
I take it you set KUBECONFIG env to 'C:\Tool\config'? That error is gcloud failing to write due to missing admin privileges; I don't know if you need to run the shell as admin. You might also try the HOME directory. Note that gcloud will attempt to create any missing directories on the path to the kubeconfig file.
I had the same issue.
It turns out that KUBECONFIG refers to a file and not to a directory.
So if you set up KUBECONFIG to 'C:\Tool\config\kubectl.cfg' it should work fine.
Whenever I try to deploy my app (a proxy) it returns this message:
C:\Python27\pythonw.exe: can't open file 'C:\Program Files\Google\google_appengine\appcfg.py': [Errno 2] No such file or directory
2013-12-05 00:16:31 (Process exited with code 2)
I've checked it a thousand times and both the app in the engine and the title of the project on my app engine account page, have the same server name. I set the preferences correctly, yet the error is always that the file doesn't exist.
The error is saying the program appcfg which does the deployment doesnt exist.
Something about you SDK environment is wrong. Have a look and see if you can find appcfg.py in the patgh in the error message, and check where your SDK is currently installed.