I tried to deploy my app to Google App Engine. My IAM role is "Owner", so I think I should have full access to any gcloud API.
Following is the error:
ERROR: (gcloud.app.deploy) Error Response: [13] Unable to get quota for "snap-media", "us-central1". Error: <HttpError 403 when requesting https://www.googleapis.com/compute/v1/projects/snap-media/regions/us-central1?alt=json returned "Required 'compute.regions.get' permission for 'projects/snap-media/regions/us-central1'">
Not the Google APIs service account. Every GAE app has its own default service account, and you need to give the permission to that one. Search for the following service account in your IAM page and grant this service account the permission.
App Engine default service account
yourprojectName@appspot.gserviceaccount.com
Hi. When I try to deploy a profile, I am getting this error:
[Profile Analytics Cloud Integration User] Unknown user permission: ViewForecastingPredictive
Can someone help me understand what this error is, and how to resolve it?
I have a Go application and tried to deploy it to Google App Engine with the Google command-line SDK from a local machine with a custom service account.
I created a custom service account with these roles:
App Engine Admin
Cloud Build Service Account
Cloud Build Service Agent
Serverless VPC Access User
And authorized locally with this account:
gcloud auth activate-service-account account_name@project-name.iam.gserviceaccount.com --key-file=key.json
Also, I configured the service account in my app.yaml:
service_account: account_name@project-name.iam.gserviceaccount.com
But when I try to deploy:
gcloud app deploy -v 1
I get the error:
Beginning deployment of service [default]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 0 files to Google Cloud Storage ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: Operation is not allowed. The "vpcaccess.connectors.use" permission is required.
I cannot understand why the vpcaccess.connectors.use permission is still required even though I have the Serverless VPC Access User role. I found the role on this Google docs page.
Maybe someone has met with a similar difficulty? Please help me)
UPD: even if I give the Owner role, I still have the error.
One way to fix this error is by removing vpc_access_connector: configuration from app.yaml
If you need vpc_access_connector configured, add the Serverless VPC Access User and Compute Viewer IAM roles to the service account doing the deployment.
Also, the vpc_access_connector in app.yaml must refer to one that exists in the same project or you will still get this error.
vpc_access_connector:
  name: projects/my-project-id/locations/the-zone/connectors/my-connector-name
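The two conditions in the answer above can be checked before deploying. This is an added example, not code from the original posts: the function name preflight is hypothetical, the role IDs roles/vpcaccess.user and roles/compute.viewer are the IDs of the two roles named, the policy is assumed to have the shape printed by gcloud projects get-iam-policy --format=json, and the sample policy and project names are constructed.

```python
import json
import re

# IDs of the two roles the answer names (titles in the values).
REQUIRED_ROLES = {
    "roles/vpcaccess.user": "Serverless VPC Access User",
    "roles/compute.viewer": "Compute Viewer",
}
# Connector name format shown in the app.yaml snippet above.
CONNECTOR_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/[^/]+/connectors/[^/]+$"
)


def preflight(policy, deployer_email, deploy_project, connector_name):
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    member = "serviceAccount:" + deployer_email
    # Only direct bindings are inspected (assumption: no group membership).
    granted = {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }
    for role, title in REQUIRED_ROLES.items():
        if role not in granted:
            problems.append(f"missing {role} ({title}) for {member}")
    match = CONNECTOR_RE.match(connector_name)
    if match is None:
        problems.append(f"malformed connector name: {connector_name}")
    elif match["project"] != deploy_project:
        problems.append(
            f"connector is in project {match['project']}, "
            f"but the deployment targets {deploy_project}"
        )
    return problems


# Constructed sample: the deployer lacks Compute Viewer.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/appengine.appAdmin",
   "members": ["serviceAccount:deployer@my-project-id.iam.gserviceaccount.com"]},
  {"role": "roles/vpcaccess.user",
   "members": ["serviceAccount:deployer@my-project-id.iam.gserviceaccount.com"]}
]}
""")
```

Roles inherited through a group or a folder-level binding do not appear in a project policy checked this way, so an empty result is conclusive only for direct bindings.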
OK, I fixed this error by removing the vpc_access_connector: configuration from app.yaml.
UPD
But if you need to configure vpc_access_connector, you need to add the Serverless VPC Access User and Compute Viewer IAM roles, and all must work fine.
I have a Python Streamlit app hosted in GCP via App Engine. Following this tutorial, I added an Identity-Aware Proxy to secure the app.
The IAP is activated and the OAuth consent screen is set to internal.
In the IAP settings, I added myself and a colleague, both with the "IAP-secured Web App User" role.
While I can access the app after logging in with my associated Google account, he gets an "Error 403: org_internal" error when logging in with his associated Google account.
What I already tried:
Setting the OAuth consent screen to external (test mode) and added both of us
Adding him to our GCP organization
Neither approach worked. He just can't access the app after all.
Any ideas what I am doing wrong?
I'm using Google Cloud App Engine. I'm trying to programmatically create a new version of a service in Google App Engine. I tried creating an IAM service account at https://console.cloud.google.com/iam-admin/serviceaccounts with all the permissions for Google App Engine.
Result:
403 Forbidden
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I couldn't make it work both on googleapis SDK and the online version.
https://developers.google.com/apis-explorer/#p/appengine/v1/appengine.apps.services.versions.create?appsId=default&servicesId=test-11111&_h=14&resource=%257B%250A++%2522id%2522%253A+%252220191003t225144%2522%250A%257D&
tl;dr
What permissions are needed for appengine.apps.services.versions.create endpoint
It looks like you've assigned the correct roles, because all of these roles contain the appengine.versions.create permission:
Owner (roles/owner)
Editor (roles/editor)
App Engine Admin (roles/appengine.appAdmin)
App Engine Deployer (roles/appengine.deployer)
If you've already assigned those Roles to your service account, check your credentials that you're using to make the API call, and make sure you're authenticating with the right service account.
See also:
IAM Permissions Reference
Granting Roles to Service Accounts
App Engine uses the App Engine default service account; just configure your app that way and customize permissions accordingly.
I needed to have all 3 of these scopes to make it work:
'https://www.googleapis.com/auth/appengine.admin',
'https://www.googleapis.com/auth/cloud-platform',
'https://www.googleapis.com/auth/cloud-platform.read-only',
In the AppEngine console I have enabled datastore administration. I also enabled the remote API. However, when I try to access it I see the following message:
Error: Forbidden
Your client does not have permission to get URL
Many people seem to have a 400 (Not found) or 500 (Error), but none of the fixes for these issues seem to fix this permission problem.
The permissions issue was caused by having login for my webapp restricted to one domain, while I was accessing the AppEngine administration from another domain.
As an example, AppEngine administration was being performed from support@my_developer_domain.com, whereas all the logins for the app itself were in the form xyz@client_company_domain.com.
The solution was to get the client to assign me an email address at their own domain (andy@client_company_domain.com) then invite that account to be a developer for the web app. After accepting the invitation and logging in with this account, the datastore admin page was visible.