What IAM role is needed to deploy `cron.yaml`? - google-app-engine

I am attempting to deploy a cron.yaml file with gcloud app deploy with a service account that has the "GAE admin" role on my project.
It is apparently not sufficient to update my cron config. It seems I need to give the service account the "project editor" role to continue.
The error I got was:
ERROR: (gcloud.app.deploy) Server responded with code [403]:
Forbidden Unexpected HTTP status 403.
You do not have permission to modify this app
Is there a way to update cron.yaml without requiring the "project editor" role.

As documented here, to deploy cron.yaml, you need the "Cloud Scheduler > Cloud Scheduler Admin role".

Related

Permission denied appcfg.py on Google Cloud

I'm trying to download the source code for my project running on app engine by following https://cloud.google.com/appengine/docs/standard/python/tools/downloading-source-code, but I keep getting permission denied. I am logged in as the owner of the project.

Google cloud deployment manager couldn't create deployment using "logging.v2.sink" by Permission Denied

I deployed logging.v2.sink using Google Cloud Deployment Manager, however the deployment was failed by permission denied.
The problem was also happened in this logsink example of Google Cloud Deployment Manager.
The result is following:
- code: RESOURCE_ERROR
location: /deployments/my-project-id/resources/sink
message:
{
"ResourceType": "logging.v2.sink",
"ResourceErrorCode": "403",
"ResourceErrorMessage": {
"code": 403,
"message": "The\n caller does not have permission",
"status": "PERMISSION_DENIED",
"statusMessage": "Forbidden",
"requestPath": "https://logging.googleapis.com/v2/projects/my-project-id/sinks",
"httpMethod": "POST"
}
}
The deployment was executed by owner role, moreover I can create logging sink using cli.
gcloud installed in local is newest (v217.0.0).
Why does this problem happen?
I misunderstood permissions of cloud deployment manager.
I noticed that the accounts of deploying template and creating resources are different(https://cloud.google.com/deployment-manager/docs/access-control).
When I add the Logging Admin role to the service account, deployment succeeds.
[PROJECT_NUMBER]#cloudservices.gserviceaccount.com
Ran into the same problem. Elaborating the answer above:
Deployment manager uses [PROJECT_NUMBER]#cloudservices.gserviceaccount.com to create resources on your behalf. You can check the policy binding for this service account:
gcloud projects get-iam-policy [PROJECT_NUMBER]
This service account has roles/editor on the project by default, which has the following policies for logging sinks:
- logging.sinks.get
- logging.sinks.list
You can confirm this using this command:
gcloud iam roles describe roles/editor
roles/logging.configWriter has logging.sinks.{list, create, get, update, delete} permissions, so you can add a new policy binding to your project and then retry:
gcloud projects add-iam-policy-binding secstate-gcp-test02 \
--member serviceAccount:[PROJECT_ID]#cloudservices.gserviceaccount.com \
--role roles/logging.configWriter

Can't download data via appcfg.py. "Application Default Credentials are not available" error

This has worked for years. Today is not working.
Running appcfg.py download_data --flags..., and cannot get properly authorized.
Ran gcloud auth login
and got back:
Saved Application Default Credentials.
You are now logged in as [correct#gmail.com].
Your current project is [correct].
but when I run appcfg.py download_data ... I get this error:
raise ApplicationDefaultCredentialsError(ADC_HELP_MSG)
oauth2client.client.ApplicationDefaultCredentialsError: The
Application Default Credentials are not available. They are available if
running in Google Compute Engine. Otherwise, the environment variable
GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file
defining the credentials. See
https://developers.google.com/accounts/docs/application-default
credentials for more information.
I updated the Google Cloud SDK, and now get a different error:
client.py:539 Attempting refresh to obtain initial access_token
client.py:797 Refreshing access_token
Error 302: --- begin server output ---
--- end server output ---
I have also set the credentials in Terminal:
set GOOGLE_APPLICATION_CREDENTIALS "https://www.myurl/credentials.json"
set CLOUDSDK_PYTHON_SITEPACKAGES 1
gcloud config set project "correct_project_name"
I have also tried setting the env_variable flag in the appcfg command:
--env_variable=GOOGLE_APPLICATION_CREDENTIALS:"https://www.myurl/credentials.json"
Seems to be a GAE bug. Removing the login:admin from the remote_api handler in app.yaml fixes it in production, but not local dev server. The 302 was telling me that the app was trying to redirect, perhaps to a Google login page. Was never seeing the prompt asking for email and password.
handlers:
- url: /remote_api
script: google.appengine.ext.remote_api.handler.application
#login: admin <-- removing admin fixes it in production
secure: always
On the dev server, removing the admin login yields this:
client.py:797 Refreshing access_token
Error 401: --- begin server output ---
You must be logged in as an administrator to access this.
--- end server output ---
Did Google change something in the --oauth2 workflow? I appear to be authorized, but the download crashes at the auth step.
Thanks.
Seems to be a bug in GoogleAppEngineLauncher-1.9.27, where it does not allow a login prompt. When reverting back to 1.9.26, it works. Interestingly, my gcloud components still have the 1.9.27 version:
>$ gcloud version
Google Cloud SDK 0.9.83
alpha 2015.10.08
app 2015.10.16
app-engine-python 1.9.27
beta 2015.10.08
core 2015.10.16
core-nix 2015.09.03
gcloud 2015.10.16
temporary solution: go to https://console.developers.google.com/storage/browser/appengine-sdks/featured/ to get version 1.9.26
Submitted bug report: https://code.google.com/p/google-cloud-sdk/issues/detail?id=340

Google app engine launcher: Invalid username or password

I've download google app engine (python) for windows and install it. Then I went to console.developers.google.com/project and create new project. After that, I launched google app engine launcher, create new application and named it as project I have recently create. I click on deploy and constantly getting this error:
03:35 PM Application: udacity-hello-pozdrav; version: 1
03:35 PM Host: appengine.google.com
03:35 PM
Starting update of app: udacity-hello-pozdrav, version: 1
03:35 PM Getting current resource limits.
Password for t******.****#gmail.com: Invalid username or password.
2014-09-06 15:35:56,690 ERROR appcfg.py:2411 An error occurred processing file '': HTTP Error 401: Unauthorized. Aborting.
Error 401: --- begin server output ---
Must authenticate first.
--- end server output ---
2014-09-06 15:35:56 (Process exited with code 1)
You can close this window now.
I've read about appcfg.py but when I enter it in cmd, It says that it's not recognized.
Would be much better if you will use appcfg.py with --oauth2 flag.
Like appcfg.py --oauth2 update /path/to/your/app.
For the first time you will see the browser window where you'll need to allow access to your account. Then you can deploy without entering any credentials and without confirmations. This will work even with 2-step authentication turned on.
The "Invalid username or password" error is due to Google security protection. To overcome this error message and be able to deploy from the Launcher, go to your Google Account Settings, then enable "Access for Less Secure Apps" under Security Check Up.

google app engine : how to logout of appcfg from cmd

How to logout from the appcfg in cmd?
I have two seperate GAE accounts, and each account have 1 project, now i ran a vacuum_indexes commond on a project with account 1 in cmd, it asked me for credentials for account 1 and i was done.
Now, i have to run the same vaccum_indexes command for another project in the account 2, now appcfg is not asking me the credentials & using the credentials for the account 1, which ends up with the error saying appid not found or Bad request
Does any one have any idea where cmd saves the credentials?
Is their a way to logout from a appcfg ?
I have no clue..
Any help would be appreciated!
Thanks
Dhiraj
Add --no_cookies to your request. For example:
--no_cookies vaccum_indexes myapp
Or you can specify your email account in a request:
--email=me#myemail.com vaccum_indexes myapp

Resources