I have been attempting to write an App Engine Python app and manage it via a service account (because I'm doing development from a machine which I do not trust with my Google Account credentials).
I have successfully gotten the app to deploy new code versions (tip: you not only need to give the service account App Engine "Deployer" and "Service Admin" permissions in the IAM console, possibly also "Admin"--I ended up giving all three), but you also need to make sure it has write privileges on the GCS buckets used for staging and deployment, named myapp.appspot.com and staging.myapp.appspot.com*), but I cannot deploy a new cron.yaml. When I try:
$ gcloud app deploy cron.yaml
You are about to update the following configurations:
- myapp/cron (from [.../myapp/cron.yaml])
Do you want to continue (Y/n)?
Updating config [cron]...failed.
ERROR: (gcloud.app.deploy) Server responded with code [403]:
Forbidden Unexpected HTTP status 403.
You do not have permission to modify this app (app_id=u'p~myapp').
If I run gcloud app deploy with --verbosity=debug, I can see that it's making a request to https://appengine.google.com/api/cron/update?app_id=myapp and getting back the 403.
I've tried giving the service account project editor or owner permissions; this hasn't worked. (Although if that were necessary, I'd consider it a bug.)
*: All instances of my project ID have been replaced with myapp in this question.
The specific role you want to add to your service account in order to deploy a new cron.yaml file is Cloud Scheduler Admin:
https://cloud.google.com/appengine/docs/standard/python/granting-project-access#deploying_using_iam_roles
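An added example, not part of the original question or answer: a small audit of the project IAM policy (the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`) that reports which of the roles named in this thread a deploy service account still lacks and whether it holds project-wide Owner or Editor. The service account e-mail and the sample policy are constructed, and the check covers project-level bindings only, not the bucket-level write access mentioned in the question.

```python
import json

# Role IDs for the display names used in the question and the answer.
REQUIRED = {
    "roles/appengine.deployer": "App Engine Deployer",
    "roles/appengine.serviceAdmin": "App Engine Service Admin",
    "roles/cloudscheduler.admin": "Cloud Scheduler Admin (for cron.yaml)",
}
# Project-wide roles the asker tried; far broader than a deploy account needs.
OVERBROAD = {"roles/owner", "roles/editor"}


def audit_deployer(policy, service_account):
    """Return (missing, overbroad) sorted role lists for one service account."""
    member = "serviceAccount:" + service_account
    held = {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }
    missing = sorted(role for role in REQUIRED if role not in held)
    overbroad = sorted(held & OVERBROAD)
    return missing, overbroad


# Constructed sample policy: the account can deploy code and was also
# given Editor while debugging, but has no Cloud Scheduler role.
SAMPLE_SA = "deployer@myapp.iam.gserviceaccount.com"  # hypothetical account
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/appengine.deployer",
   "members": ["serviceAccount:deployer@myapp.iam.gserviceaccount.com"]},
  {"role": "roles/appengine.serviceAdmin",
   "members": ["serviceAccount:deployer@myapp.iam.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:deployer@myapp.iam.gserviceaccount.com"]},
  {"role": "roles/owner", "members": ["user:someone@example.com"]}
]}
""")

if __name__ == "__main__":
    missing, overbroad = audit_deployer(SAMPLE_POLICY, SAMPLE_SA)
    for role in missing:
        print("missing:", role, "-", REQUIRED[role])
    for role in overbroad:
        print("broader than needed:", role)
```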