The gcloud SDK is a convenient way to authenticate to AppEngine services. I would like to use these credentials to authenticate to an AppEngine app that is configured in app.yaml with login: admin. This will let me use curl to access my admin endpoints. I can get a bearer token from the gcloud SDK with gcloud auth print-access-token. Unfortunately the app appears to be looking for a cookie that looks like ACSID=....
Is there a way to use the bearer token I have from the gcloud SDK to authenticate to my AppEngine app by getting an ACSID cookie or otherwise?
Related
I want to deploy an API to app engine But it ends up using the wrong service account.
I use these 3 cmd lines in gitlab:
- gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
- gcloud config set account NameOfServiceAccount.com
- gcloud app deploy
What I get is
target service account: [App Engine default service account]
Do you want to continue (Y/n)?
Beginning deployment of service [lettering-back]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 2 files to Google Cloud Storage ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as
To deploy new versions, a member must have the Service Account User
(roles/iam.serviceAccountUser) role on the App Engine default service
account, and the Cloud Build Editor (roles/cloudbuild.builds.editor)
and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on
the project.
More specifically for your error message you gonna need roles/iam.serviceAccountUser on your service account whose key is the one you placed at /tmp/$CI_PIPELINE_ID.json
Reference : the first table row at https://cloud.google.com/appengine/docs/standard/python/roles#predefined_roles
I have set up a Node.js server in Google Cloud Platform App Engine, and have also configured a custom domain, which is correctly configured and has a SSL cert.
However, I can't figure out how to actually serve through the domain.
In the GCP terminal, run this command:
gcloud app deploy
Since the server is already set up and working and the domain is already configured, that command is all that's needed to deploy.
I am running Jenkins locally on Windows 10 and am having a tough time getting it to deploy to Google App Engine (Standard) with a service account. Here is what I've done so far:
Created a new service account called jenkins#PROJECT-ID.iam.gserviceaccount.com
Given that service account these permissions:
App Engine Deployer
App Engine Service Admin
Cloud Build Service Account
Cloud Build Service Agent (not sure if necessary)
Storage Admin
Downloaded the service account json key, placed it in my Documents folder
Then I used the following commands after my project builds using Node.js:
gcloud auth activate-service-account --key-file %USERPROFILE%\Documents\PROJECT\jenkins-local-sa.json
gcloud config set project PROJECT-ID
gcloud app deploy app.yaml
Then I'm hit with this error:
(gcloud.app.deploy) Error Response: [13] Failed to create cloud build: cloudbuild service account doesn't have access to projectID "PROJECT-ID".
I've seen plenty of other errors in my Google search but not this one specifically. Has anyone run across this error?
You need to enable service account user permission in cloud build settings !
I want to deploy my app via google service account. I am using the test-version of googlecloud with billing enabled. I granted the following permissions to my service account:
App Engine Administrator
App Engine Deployer
App Engine Service Administrator
Cloud Build Service Account
Cloud Build Editor
Storage Administrator
When I try to login via keyfile with gcloud auth activate-service-account --key-file file.json and then trying to deploy the app with the service account with the following command: gcloud --quiet --project projecid app deploy app.yaml I get the following error:
(gcloud.app.deploy) Permissions error fetching application [apps/projectid]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.
Also I might have to say, that I am using a account ID which was used before.
Do you guys have an idea what I could do? It works, when I deploy it with my normal google account and a normal login. But I need that because of gitlab-ci
I have tried to reproduce your situation by creating a new service account and giving it the roles you listed. I have authorized access to GCP with its key using the gcloud auth activate-service-account --key-file=<KEY-FILE> command but the deployment has been successful for me.
Run the gcloud auth list command to make sure you're authorized with the correct service account. Also you can try adding the --verbosity=debug flag to the deployment command to see if you can find anything useful in the error logs if the error occurs.
From the error description, however, it seems that you might also have passed an incorrect project ID when deploying the application:
gcloud --quiet --project projecid app deploy app.yaml
- make sure it is not the case.
Im running Google AppEngine. I have oauth2 installed. Im successfully able to import oauth2 in program but when I run my python application using GoogleAppEngine Launcher on localhost, then I get the following error
ImportError: No module named oauth2
Im using Python2.7 which is not the default version of GoogleAppEngine, but I have changed the python path both in my project and in GoogleAppEngine Launcher.
Have you looked at this example? It shows OAuth2 being used in a Google App Engine Python project. This might give you a better sense of how to use OAuth2 and GAE.
Are you trying to authenticate inbound HTTP requests on App Engine using OAuth2?
I just posted a full end to end example here:
google app engine oauth2 provider