I searched the web for a while, but can't seem to find the right answer.
I have created a VM Instance on Google Compute Engine and I am running Jenkins on it. This instance checks a code repository I have and when a change occurs, I want to run the following command
gcloud --project=test preview app deploy -q app.yaml --version=dev
When I want to trigger a build, or it triggers it by himself, I get the following error:
Beginning deployment...
ERROR: Error Response: [403] Request had insufficient authentication scopes.
ERROR: (gcloud.preview.app.deploy) Could not retrieve the default Google Cloud Storage bucket for [test].
Please try again or use the [bucket] argument.
The VM instance does have acces to the storage as you can see in the following image, so I don't understand why this error pops up.
Go to the App Engine developer console https://appengine.google.com/ and in
Application Settings > Cloud integration > and turn ON the Google Cloud Storage
so this will set up the default bucket for you. This something that the new Google Developer Console will do automatically.If the project is created on the old console you have to do it manually.
Related
I'm trying to set up ServerSide Google Tag Manager, which is a service that runs on GCP App Engine.
The setup is done with a few Cloud Shell commands, which are describede here:
https://developers.google.com/tag-platform/tag-manager/server-side/script-user-guide#create_a_tagging_server_or_reconfigure_an_existing_tagging_server
However, when I did it originally (even as GCP project owner), I got this error:
I was advised that, to solve this, I needed to manually create a VPC Network called default. So I did exactly, that, with the default network settings.
When I ran the App Engine setup commands again, I got further, but ran into a new error:
ERROR: (gcloud.app.deploy) Error Response: [3] Flex operation projects/projectid/regions/europe-west1/operations/f7d7489b-f4ef-4b8b-ac26-b9b945d3ebfc error [INVALID_ARGUMENT]: An internal error occurred while processing task /app-engine-flex/insert_flex_deployment/flex_create_resources>2022-05-12T09:17:00.642Z6448.wa.0: 'subnetwork_name' must be specified for custom mode network 'default'.
I tried the setup commands with and without a defined subnetwork in the new VPC network I created. The same error persisted regardless.
I have not been able to find any solution to this online so far, so hoping that someone here will be able to assist.
Thanks in advance!
Simon
As you created your network as "custom", you need to create by yourself at least one subnet in the same region where your app was created. After that, you must configure the subnet in the app.yaml file:
network:
name: projects/PROJECT_ID/global/networks/NETWORK_NAME
subnetwork_name: SUBNETWORK_NAME
The answer to this was that the default service in the app engine (Services in the left-hand menu in the app engine console) failed to automatically create the VPC- and subnetworks.
By manually recreating the defaultapp engine service, the correct VPC networks and subnetworks were created, and the problem was solved.
I have this app that's been running on Google App Engine for a good couple of years. Today I needed to modify its app.yaml file, but when I ran "gcloud app deploy" I got this error:
Updating service [default]...failed.
ERROR: (gcloud.app.deploy) Error Response: [7] Failed to create cloud build: service account "redacted#cloudbuild.gserviceaccount.com" has insufficient permission to execute the build on project "redacted"
It appears that the default service account no longer has the necessary permissions. In fact, it may have been deleted completely, because I don't see it listed under gcloud projects get-iam-policy xxxx. What I see instead is this:
serviceAccount:service-redacted#gcp-sa-cloudbuild.iam.gserviceaccount.com
with a correct-looking role cloudbuild.serviceAgent.
I tried googling any changes related to GAE service accounts but didn't find any useful references. I followed the solution to this question, but it didn't help.
The question is, how do I change the permissions of the service account mentioned in the original error message, or, how do I tell GAE to use another (correct) service account when deploying my app?
According to [this][1] documentation
...To deploy new versions, a member must have the Service Account User (roles/iam.serviceAccountUser) role on the App Engine default service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor) and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.....
Using the IAM page you can add the email address of the person deploying (the one you have authenticated via gcloud) and add the above roles to that email
[1]: https://cloud.google.com/iam/docs/understanding-roles?hl=en#app-engine-roles
I am trying to use Jenkins for CI/CD.
I've developed a Python flask application. I am deploying this application into Google App Engine. So far I am using gcloud app deploy app.yaml command to deploy application to Google App Engine.
Code for this application is present in Google Cloud Source Repository.
Since the authentication to git(Google Cloud Source Repository) requires Google OAuth, I've installed Google OAuth Credentials Plugin
Now I am facing two issues
When I use "Google Service Account from metadata" Credential Kind, I am not seeing the credentials listed in "Source Code Management".
when I use "Google Service Account from private key", I am able to see credentials. But when I run my jenkins job I am getting below error
FATAL: Could not call
com.google.jenkins.plugins.source.GoogleRobotUsernamePassword.writeObject()
: Failed to serialize
com.google.jenkins.plugins.source.GoogleRobotUsernamePasswordModule$ForRemote#credentials
for class
com.google.jenkins.plugins.source.GoogleRobotUsernamePasswordModule$ForRemote
---- Debugging information ---- message : Could not call com.google.jenkins.plugins.source.GoogleRobotUsernamePassword.writeObject()
cause-exception : java.lang.RuntimeException cause-message :
Failed to serialize
com.google.jenkins.plugins.source.GoogleRobotUsernamePasswordModule$ForRemote#credentials
for class
com.google.jenkins.plugins.source.GoogleRobotUsernamePasswordModule$ForRemote
------------------------------- java.lang.UnsupportedOperationException: Refusing to marshal
org.joda.time.DateTime for security reasons; see
https://jenkins.io/redirect/class-filter/ at
hudson.util.XStream2$BlacklistedTypesConverter.marshal(XStream2.java:543)
at
com.thoughtworks.xstream.core.AbstractReferenceMarshaller.convert(AbstractReferenceMarshaller.java:69)
at
com.thoughtworks.xstream.core.TreeMarshaller.convertAnother(TreeMarshaller.java:58)
at
com.thoughtworks.xstream.core.AbstractReferenceMarshaller$1.convertAnother(AbstractReferenceMarshaller.java:84)
Question: How can I authenticate Google Cloud Source repository in Jenkins? What are the steps|plugins required to use Google Cloud Source repository in Jenkins?
Solution
You probably need to add a missing scope to the Compute Engine VM Instance running Jenkins that would give it access to Cloud Source Repository. You can follow the documentation or this steps, which ever you find convenient.
Go to Cloud Deployment Manager
Click on the name of the Jenkins deployment in question
Click on the instance name in the left info pane and it will redirect you to VM instance details
Stop the instance
Press Edit and set the right access scope for Cloud Source Repository
After your start the VM instance, try adding your git repository again and once you select the credentials, either "Google Service Account from metadata" or from service account, everything should work properly.
Elaboration
I stumbled upon the "Invalid authentication credentials." issue while trying to add a Cloud Source Repository after deploying Jenkins from Launcher.
In my case the reason why it happened was that during the process of deployment the Cloud API access scope for Cloud Source Repositories on the Compute Engine VM instance was set to Disabled, which prevented any interaction from that instance even if a service account had all the necessary roles/permissions.
Here are the scopes that are reconfigured by Launcher:
scopes:
- 'https://www.googleapis.com/auth/cloud.useraccounts.readonly'
- 'https://www.googleapis.com/auth/devstorage.read_only'
- 'https://www.googleapis.com/auth/logging.write'
- 'https://www.googleapis.com/auth/monitoring.write'
{% if enableComputeApi %}
- 'https://www.googleapis.com/auth/compute'
{% endif %}
- 'https://www.googleapis.com/auth/cloudruntimeconfig'
Adding the following scope to the VM instance running Jenkins was enough to fix the error:
https://www.googleapis.com/auth/source.read_only
Extra:
List of scopes for Google APIs.
I updated the plugin to 0.6 version.
In 0.6 version, I have the same problem in Jenkins "Free-style" project.
Bit I can success to checkout in Jenkins "pipeline" project.
I just copy the "checkout syntax" in others project and replace 2 parts of the syntax to the right:
credentialsid -> replace to your right credentials id that you created Google Service Account from private key in jenkins.
url ->replace to your google source repository url
I'm trying to get the Google Cloud Debugger to work on my Python App Engine module. I've followed the instructions and:
Connected to my Bitbucket hosted repository.
Generated the source-context.json and source-contexts.json using gcloud preview app gen-repo-info-file
Uploaded using appcfg.py update
However when I try to set a snapshot using the console, there is message saying:
The selected debug target does not have source revision information. The source shown here may not match the deployed source.
And when I try to set the snapshot point, I get the error:
Failed to update the snapshot
It looks like you did everything correctly.
The "Failed to update the snapshot" error shows up when there is some problem on the Cloud Debugger backend. Please contact the Cloud Debugger team through cdbg-feedback#google.com or submit feedback report in Google Developer Console.
When I try to deploy my Google App Engine application to the cloud, I get
Error 404: --- begin server output ---
This application does not exist (app_id=u'blindmaaaps').
--- end server output ---
Under https://appengine.google.com, it says
Welcome to Google App Engine
...
Create application
But under https://console.developers.google.com, it shows my project as existing.
I have already tried passing the options --no_cookies and --email=my#email.com to the appcfg.py script, with no success. I have only one Google account.
What should I do to deploy?
It can happen if you have more than one Google account. Make sure that you are logged in under the correct account when you deploy.
Eclipse shows the account in the right bottom corner. Other tools may have an option that forces them to ask for your account credentials when you deploy.