 

Authorization failure when updating App Engine cron with service account

I have been attempting to write an App Engine Python app and manage it via a service account (because I'm doing development from a machine which I do not trust with my Google Account credentials).

I have successfully gotten the app to deploy new code versions (tip: you not only need to give the service account App Engine "Deployer" and "Service Admin" permissions in the IAM console, possibly also "Admin"--I ended up giving all three--but you also need to make sure it has write privileges on the GCS buckets used for staging and deployment, named myapp.appspot.com and staging.myapp.appspot.com*), but I cannot deploy a new cron.yaml. When I try:

$ gcloud app deploy cron.yaml 
You are about to update the following configurations:
 - myapp/cron  (from [.../myapp/cron.yaml])
Do you want to continue (Y/n)?  

Updating config [cron]...failed.                                                                                    
ERROR: (gcloud.app.deploy) Server responded with code [403]:
  Forbidden Unexpected HTTP status 403.
  You do not have permission to modify this app (app_id=u'p~myapp').

If I run gcloud app deploy with --verbosity=debug, I can see that it's making a request to https://appengine.google.com/api/cron/update?app_id=myapp and getting back the 403.

I've tried giving the service account project editor or owner permissions; this hasn't worked. (Although if that were necessary, I'd consider it a bug.)

*: All instances of my project ID have been replaced with myapp in this question.

Tim Dierks asked Jan 28 '17 19:01




1 Answer

The specific role you want to add to your service account in order to deploy a new cron.yaml file is Cloud Scheduler Admin:

https://cloud.google.com/appengine/docs/standard/python/granting-project-access#deploying_using_iam_roles

David answered Sep 27 '22 23:09
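
A least-privilege check for the roles discussed in this thread, as an added example that is not part of the original question or answer: it reads a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy --format=json` and reports which of the named roles the service account lacks and which broad roles it still holds. The service account name and the sample policy are constructed, and the role IDs are the standard IAM identifiers for the role names on this page.

```python
import json

# Roles this page names for a deploy-only service account (standard IAM role IDs).
REQUIRED = {
    "roles/appengine.deployer": "App Engine Deployer",
    "roles/appengine.serviceAdmin": "App Engine Service Admin",
    "roles/cloudscheduler.admin": "Cloud Scheduler Admin (needed for cron.yaml)",
}
# Broad roles the question tried without success; flag them for removal.
BROAD = {"roles/owner", "roles/editor"}


def audit(policy, member):
    """Return (missing, broad, conditional) sorted role lists for member."""
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A binding with an IAM condition is not an unconditional grant.
        target = conditional if "condition" in binding else granted
        target.add(binding["role"])
    missing = sorted(role for role in REQUIRED if role not in granted)
    broad = sorted((granted | conditional) & BROAD)
    return missing, broad, sorted(conditional)


# Constructed sample policy and service account name (not from the page).
SAMPLE_MEMBER = "serviceAccount:deployer@myapp.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"version": 1, "bindings": [
  {"role": "roles/appengine.deployer", "members": ["serviceAccount:deployer@myapp.iam.gserviceaccount.com"]},
  {"role": "roles/appengine.serviceAdmin", "members": ["serviceAccount:deployer@myapp.iam.gserviceaccount.com"]},
  {"role": "roles/editor", "members": ["user:admin@example.com", "serviceAccount:deployer@myapp.iam.gserviceaccount.com"]},
  {"role": "roles/cloudscheduler.admin", "members": ["user:admin@example.com"]}
]}
""")

if __name__ == "__main__":
    missing, broad, conditional = audit(SAMPLE_POLICY, SAMPLE_MEMBER)
    for role in missing:
        print(f"MISSING      {role}  ({REQUIRED[role]})")
    for role in broad:
        print(f"TOO BROAD    {role}")
    for role in conditional:
        print(f"CONDITIONAL  {role}")
```

Write access on the staging and deployment buckets is granted at the bucket level, so this project-level check does not cover it.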