Deploying App Engine Flex from Compute Engine with service account - google-app-engine

I have set up a Compute Engine instance for centralised maintenance and updating of App Engine Flex instances. One reason for this is to keep the database and other credentials inside the Google project and not store them on local development machines.
When I try to deploy Flex with
gcloud app deploy
I get an error
ERROR: (gcloud.beta.app.deploy) Permissions error fetching application [<project here>]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.
The service account is the default Compute Engine account and I have enabled the Editor role for it in IAM. I also tried enabling all App Engine roles but it did not change the situation.
Is there a way to make deployments from Compute Engine and if so what would be the correct credentials or am I missing some steps here?

I created a new Compute Engine Instance and tried issuing the same command as you are running. I also encountered the same issue. Here is how I've managed to resolve it.
1) Stop the instance
2) Navigate to IAM > Service Accounts > Create Service Account
3) Create a new service account and ensure you add roles for 'App Engine Admin' or 'App Engine Deployer' in addition to 'Storage Admin', 'Project Editor' and 'Cloud Container Builder Editor' to the service account. So in total you should have a minimum of 4 roles assigned to the service account, plus any other roles you think you may need for your application.
4) Edit the stopped instance (from step 1) and change the service account to the new service account you created.
When you restart the instance you should now have the correct permissions/roles to deploy your App Engine Flex App from the instance.
There was an authorisation issue because the Compute Engine default service account isn't assigned the roles required for deploying applications to App Engine flex, as various APIs are utilised in this process. By assigning the roles required for App Engine Flex deployments to a new service account, and then adding the service account to the instance, the instance then has the required authorisation to interact with other GCP APIs needed for App Engine Flex deployments.
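The answer above lists the roles by display name; the following added example (not code from the question or the answer, and not a Google tool) audits a project IAM policy for those roles before a deploy is attempted. The policy is a constructed stand-in for the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json`, and the project id and service-account e-mails are placeholders. The role ids used are the ones behind the display names in the answer ('Cloud Container Builder Editor' being the former name of roles/cloudbuild.builds.editor). It also flags roles that are granted only under an IAM condition, since such a grant may not be in force at deploy time.

```python
"""Audit a project IAM policy for the roles a deploy service account needs.

Added example, not code from the question or the answer above. POLICY is a
CONSTRUCTED stand-in for the JSON printed by
    gcloud projects get-iam-policy PROJECT --format=json
and the project id / service-account e-mails are placeholders.
"""
import json

# Role ids behind the display names the answer lists. "Cloud Container Builder
# Editor" is the former display name of roles/cloudbuild.builds.editor.
APP_ENGINE_EITHER = {"roles/appengine.appAdmin", "roles/appengine.deployer"}
ALWAYS_REQUIRED = {"roles/storage.admin", "roles/editor",
                   "roles/cloudbuild.builds.editor"}

DEFAULT_SA = "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
DEPLOY_SA = "serviceAccount:flex-deployer@example-project.iam.gserviceaccount.com"

POLICY = json.loads("""
{
  "version": 3,
  "etag": "BwXconstructed=",
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "serviceAccount:flex-deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:flex-deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/appengine.deployer",
     "members": ["serviceAccount:flex-deployer@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "expired-window",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
  ]
}
""")


def roles_for(policy, member):
    """Split the roles bound to `member` into unconditional and conditional grants.

    A conditional binding may or may not be in force at deploy time, so it is
    reported separately rather than counted as satisfied."""
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            target = conditional if "condition" in binding else unconditional
            target.add(binding["role"])
    return unconditional, conditional


def missing_deploy_roles(policy, member):
    """Roles `member` still lacks for an App Engine Flex deploy, sorted.

    Every role in ALWAYS_REQUIRED is needed; one role from APP_ENGINE_EITHER is
    enough, and the least-privileged one (deployer) is proposed when neither is
    present."""
    granted, _ = roles_for(policy, member)
    missing = ALWAYS_REQUIRED - granted
    if not granted & APP_ENGINE_EITHER:
        missing.add("roles/appengine.deployer")
    return sorted(missing)


def fix_commands(project, member, roles):
    """gcloud invocations (returned as strings, not executed) that add the bindings."""
    return [f"gcloud projects add-iam-policy-binding {project} "
            f"--member={member} --role={role}" for role in roles]


if __name__ == "__main__":
    for sa in (DEFAULT_SA, DEPLOY_SA):
        _, conditional = roles_for(POLICY, sa)
        missing = missing_deploy_roles(POLICY, sa)
        print(f"{sa}\n  missing: {missing or 'none'}"
              f"\n  conditional only: {sorted(conditional) or 'none'}")
        for cmd in fix_commands("example-project", sa, missing):
            print("  " + cmd)
```

Run it against a real policy by replacing POLICY with the parsed output of the gcloud command in the docstring. One caveat the answer does not mention: the roles attached to the account are only half of what a VM can do; the instance's OAuth access scopes also gate which APIs the attached service account may call, so an instance created with restricted scopes will still fail even with the right roles.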

Related

gcloud app deploy Required 'compute.regions.get' permission for Owner Principal

$ gcloud app deploy MY.yaml --image-url gcr.io/vorburger-learn-appengin/image:develop
causes the following error for me:
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: Request to https://compute.googleapis.com/compute/v1/projects/projects/vorburger-learn-appengin/regions/europe-west1?key failed, details: Required 'compute.regions.get' permission for 'projects/vorburger-learn-appengin/regions/europe-west1'
I'm simply running gcloud locally after gcloud init for my @gmail.com account, who has the omnipotent IAM Owner role on that GCP project. So it's not clear to me just which IAM Principal is missing the compute.regions.get permission?
This is on a project where it used to work last year and stopped working 2 months ago. Maybe I deleted something by mistake? Things I've tried out so far:
gcloud services enable appengineflex.googleapis.com mentioned here
Verified @cloudservices.gserviceaccount.com Google APIs Service Agent exists and has the Editor role mentioned here
I do NOT have any 123...-compute@developer.gserviceaccount.com account mentioned here on this project - should I?
Background: https://github.com/vorburger/www.fineract.dev/issues/15
I do NOT have any 123...-compute@developer.gserviceaccount.com account mentioned here on this project - should I?
Yes, you have to undelete the service account. However, the undelete command only works for Service Accounts deleted fewer than 30 days ago.
After 30 days, IAM permanently removes the service account. Google Cloud cannot recover the service account after it is permanently removed, even if you file a support request.
If you are not able to undelete the service account, you can create a new service account with the same name; revoke all of the roles from the deleted service account; and grant the same roles to the new service account. For details, see Policies with deleted principals.
Additionally, you did not mention whether the App Engine default service account was also accidentally deleted. If yes, you would also need to undelete this.
Warning: Deleting the App Engine default service account breaks any current and future App Engine applications in your Cloud project. For example, your application will lose access to other Google Cloud services such as Datastore. If needed, you can restore a deleted default service account.
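A deleted principal does not silently vanish from a project's IAM policy: IAM keeps its bindings and renders the member as `deleted:serviceAccount:EMAIL?uid=UNIQUE_ID`, and that unique id is the argument `gcloud iam service-accounts undelete` takes. The following added example (not code from the question or the answer, and not a Google tool) scans a policy for such members and prints the undelete command for the 30-day case and the remove-and-re-grant commands for the fallback the answer describes. The policy is a constructed stand-in for `gcloud projects get-iam-policy PROJECT --format=json`; project id, e-mails and uids are placeholders.

```python
"""Find deleted principals that still appear in a project IAM policy.

Added example, not from the question or answer above. POLICY is a CONSTRUCTED
stand-in for `gcloud projects get-iam-policy PROJECT --format=json`; IAM
renders a binding to a deleted principal as
    deleted:serviceAccount:EMAIL?uid=UNIQUE_ID
and that unique id is what `gcloud iam service-accounts undelete` takes.
Project id, e-mails and uids below are placeholders.
"""
import json
import re

DELETED_MEMBER = re.compile(
    r"^deleted:(?P<kind>serviceAccount|user|group):(?P<email>[^?]+)\?uid=(?P<uid>\d+)$")

POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:example-project@appspot.gserviceaccount.com",
                 "deleted:serviceAccount:123456789012-compute@developer.gserviceaccount.com?uid=100000000000000000001"]},
    {"role": "roles/storage.admin",
     "members": ["deleted:serviceAccount:123456789012-compute@developer.gserviceaccount.com?uid=100000000000000000001"]},
    {"role": "roles/viewer",
     "members": ["deleted:user:former-dev@example.com?uid=200000000000000000002"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")


def deleted_principals(policy):
    """Map each deleted member string to its kind, e-mail, uid and the roles it still holds."""
    found = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            match = DELETED_MEMBER.match(member)
            if not match:
                continue
            entry = found.setdefault(member, {**match.groupdict(), "roles": set()})
            entry["roles"].add(binding["role"])
    return found


def undelete_command(info):
    """Restore command; only service accounts can be undeleted, and only within 30 days."""
    if info["kind"] != "serviceAccount":
        return None
    return f"gcloud iam service-accounts undelete {info['uid']}"


def regrant_commands(project, member, info):
    """After the 30-day window: drop the stale bindings and re-grant the same roles
    to a freshly created principal with the same e-mail (the answer's fallback).
    The deleted member string contains '?', so it is single-quoted for the shell."""
    cmds = []
    for role in sorted(info["roles"]):
        cmds.append(f"gcloud projects remove-iam-policy-binding {project} "
                    f"--member='{member}' --role={role}")
        cmds.append(f"gcloud projects add-iam-policy-binding {project} "
                    f"--member={info['kind']}:{info['email']} --role={role}")
    return cmds


if __name__ == "__main__":
    for member, info in deleted_principals(POLICY).items():
        print(member, "still holds", sorted(info["roles"]))
        print("  ", undelete_command(info) or "not a service account: recreate the principal")
        for cmd in regrant_commands("example-project", member, info):
            print("  ", cmd)
```

The re-grant commands assume the replacement principal already exists with the same e-mail; they are printed, not executed, so the stale bindings can be reviewed before anything is changed.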

How to deactivate IAP in a Google Cloud project?

I have a problem on a GCP project.
I added IAP on the app. I allowed every user on the professional Google domain.
I found that IAP was not a good solution. I finally removed IAP from the project. I un-toggled the functionality. And I removed the roles/members.
Now the whole project crashes:
Cloud Build returns this error when I try to deploy my services by triggers:
"ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as 'ID@appspot.gserviceaccount.com'"
When I launch an http request to a service, the service doesn't create an instance.
I have that error "Waiting for network connection open. Subject:"app/invalid" Address:127.0.0.1:8080"
The account "ID@appspot.gserviceaccount.com" has an Owner role.
I already checked the IAM roles; it does not seem to have one missing. I've checked against other projects and it seems fine.
It's not the app's code, because I tried locally on my laptop and the services work perfectly.
I've deployed my services with the gcloud command, but the services are unreachable. I get 500 errors because my apps don't deploy.
I don't know which role I have to change in IAM to fix the whole app.
This error means that the Cloud Build service account can't act on behalf of the App Engine service account. You can add this permission in Console -> Cloud Build -> Settings by enabling the Service Account User role. There must have been some recent change that introduced this requirement for App Engine deployments.
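The point the answer makes is that "act as" is evaluated on the acting principal (the Cloud Build service account), not on the target: the Owner role the asker granted to the App Engine account itself does nothing for it. The following added example (not code from the question or the answer, and not a Google tool) models that check over two constructed policies, the service account's own policy (`gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`) and the project policy, and prints the least-privilege grant scoped to that one account. Project number, project id and e-mails are placeholders; the set of predefined roles treated as carrying `iam.serviceAccounts.actAs` is an assumption of the script and custom roles are not expanded.

```python
"""Check whether one principal may act as a service account, the check behind
"You do not have permission to act as ...".

Added example, not from the question or answer above. The two policies are
CONSTRUCTED stand-ins for
    gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
    gcloud projects get-iam-policy PROJECT --format=json
and the project number, project id and e-mails are placeholders.
"""
import json

PROJECT = "example-project"
PROJECT_NUMBER = "123456789012"
APP_ENGINE_SA = f"{PROJECT}@appspot.gserviceaccount.com"
CLOUD_BUILD_SA = f"serviceAccount:{PROJECT_NUMBER}@cloudbuild.gserviceaccount.com"

# Predefined roles this script treats as carrying iam.serviceAccounts.actAs.
# Custom roles are not expanded here and would need a separate lookup.
ACT_AS_ROLES = {"roles/iam.serviceAccountUser", "roles/owner", "roles/editor"}

# The asker's situation: the App Engine SA itself is a project Owner, but the
# Cloud Build SA holds nothing that lets it act as that account.
SA_POLICY = json.loads("""
{"bindings": [{"role": "roles/iam.serviceAccountUser",
               "members": ["user:dev@example.com"]}],
 "etag": "BwXconstructed="}
""")
PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner",
   "members": ["user:dev@example.com",
               "serviceAccount:example-project@appspot.gserviceaccount.com"]},
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}
 ],
 "etag": "BwXconstructed="}
""")


def roles_held(policy, member):
    """Roles bound to `member` in a policy; conditional bindings are not counted."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b}


def can_act_as(actor, sa_policy, project_policy):
    """True if `actor` holds an actAs-carrying role either on the service account
    itself or on the whole project. Roles held *by the target account* (such as
    the Owner grant above) are irrelevant: actAs is checked on the actor."""
    on_sa = roles_held(sa_policy, actor)
    on_project = roles_held(project_policy, actor)
    return bool((on_sa | on_project) & ACT_AS_ROLES)


def grant_command(sa_email, actor):
    """Least-privilege fix: Service Account User scoped to the one account only
    (the console toggle the answer mentions grants the same role)."""
    return (f"gcloud iam service-accounts add-iam-policy-binding {sa_email} "
            f"--member={actor} --role=roles/iam.serviceAccountUser")


def with_binding(sa_policy, actor):
    """Return a copy of `sa_policy` as it would look after grant_command ran."""
    policy = json.loads(json.dumps(sa_policy))
    for b in policy["bindings"]:
        if b["role"] == "roles/iam.serviceAccountUser":
            b["members"].append(actor)
            return policy
    policy["bindings"].append({"role": "roles/iam.serviceAccountUser",
                               "members": [actor]})
    return policy


if __name__ == "__main__":
    ok = can_act_as(CLOUD_BUILD_SA, SA_POLICY, PROJECT_POLICY)
    print(f"{CLOUD_BUILD_SA} can act as {APP_ENGINE_SA}: {ok}")
    if not ok:
        print("fix:", grant_command(APP_ENGINE_SA, CLOUD_BUILD_SA))
        fixed = with_binding(SA_POLICY, CLOUD_BUILD_SA)
        print("after fix:", can_act_as(CLOUD_BUILD_SA, fixed, PROJECT_POLICY))
```

Scoping the grant to the one service account rather than the project limits the Cloud Build account to impersonating exactly the identity the deploy needs; the project-wide Service Account User role would let it act as every service account in the project.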

Using Cloud IAM to limit access to App Engine in Google Cloud Platform

I have an app running on google cloud platform. I have access to lists of people (in my organisation) through Cloud IAM. I only want my app engine app to be accessible to some of these lists with them having to log on with their Google Account before being allowed in to the site (is this how Cloud IAM permissions work or is this single service sign-on?).
What kind of rules or roles do I need to set just to allow groups or lists to see and use an application?
In Cloud IAM I see these potential roles related to App Engine.
The 'App Engine Viewer' role has this description: "Ability to view App Engine app status.". Is this what I want?
You need to use Cloud IAP to limit user authentication to your App Engine application.
The roles you mentioned (such as App Engine Viewer) let you limit administration rights on your app: to only publish a new version, or only browse information about your app deployment.
You can start easily with IAP with this good and official tutorial.

Role-names available on Google App Engine

I'm developing an admin page for my webpage. I'm using GAE and security-constraints. I would like to know which role-names are available and how I can define which Google Accounts can access a specific page.
When using Google App Engine, these are the pre-defined roles available:
roles/appengine.appAdmin: The App Engine Admin (read/write/modify access to all the configuration and settings of the app)
roles/appengine.serviceAdmin: The App Engine Service Admin (read-only access to app configuration and settings, write/modify access to module/version-level settings, can't deploy new versions)
roles/appengine.deployer: The App Engine Deployer (read-only access to app configuration and settings, write access to create new versions only, can't modify versions except for deleting those without traffic)
roles/appengine.appViewer: The App Engine Viewer (read-only access to app configuration and settings)
roles/appengine.codeViewer: The App Engine Code Viewer (read-only access to app configuration, settings and deployed source code)
These roles are explained in more detail here.
In order to establish the permissions for accounts to access the application, Google Cloud relies on IAM (Identity and Access Management), where you can create service accounts for accessing the app (as well as define roles for project members, including service accounts and Google accounts).
There are various ways to define permissions for access control, but I would recommend using the Cloud Console for it. Inside the console, go to the IAM page and select the project you want to define access control rules. These are the operations that you can do inside the IAM page:
Add team members (Google or service accounts).
Grant them one or more roles.
Change team member's access.
Revoke access to team members.
You can check this link for further info about how to manage roles and permissions using IAM.

Unable to add custom Domain w/ Google App Engine

I'm unable to map a custom domain to my Google App Engine app. The steps I've already taken are:
I'm the admin of the Google Apps account
I'm the owner of the Google App Engine Account
I've added the domain to the "Domains" section of Google Apps
I've verified ownership of the domain within Google Apps
I've correctly setup the MX records of the domain
I've checked that the domain was correctly setup using: https://toolbox.googleapps.com/apps/checkmx/
However, for the last 3 days in the Domains section of Google Apps it says "MX records setup validation in progress".
Additionally, when I go to add the domain within the Application settings of the Google App Engine account I get redirected to a sign in page (despite already being signed in, and an admin within Google Apps, and the owner of the Google App Engine app). Either way when I go to sign in again I just get redirected back to the signin page and I'm not able to get any farther.
Also, I have billing enabled for the App Engine account. I've configured app engine domains numerous times before and never had these issues. Any help would be appreciated.
Update:
Following @presveva's suggestion I set up a new Google Apps account (despite already having an existing one) and the first page after creating a new Google App was a server error. After refreshing the page and verifying ownership of the domain I went to add the domain to App Engine.
On the "Please accept the Google App Engine terms and conditions to continue" page, first of all no terms even showed (numerous XMLHttpRequest errors on the page), and after submitting "I accept. Continue to add this service" the next page stated "An error occurred while trying to install this application. Please try again later."
This process is horribly broken and it would be great if Google addressed this.
I know this post is old but I ran into the same issue.
Already running Google Apps for my primary domain.
Created a new app and registered a new domain name for that.
Don't want to get a new paid Google Apps account for the app domain.
@presveva is right but there is one way around it.
Use your current Google Apps account and add the app domain as an alias for your primary domain.
Make the admin account of your Google Apps domain owner of the Google App Engine (GAE) application.
Add the GAE app to your Google Apps account via the Google Apps admin interface.
Setup a custom domain name for the domain alias, your new app domain.
Note: If you use Google Sites for your domain you can't use www. Disable sites if you want to use GAE.
For now, the only way to use a custom domain in GAE is to sign up for a Google Apps account (domains article).
Notice that the domain needs to be the primary domain of the account, i.e. a new account for the domain.
The docs I have linked mention a free single-user account but it has been replaced by a $50 credit for a business Google Apps account (forum announcement).
