
Permission denied while deploying an app to App Engine from GitLab CI

I'm having problems using GitLab CI to automate deployments of a Python 3 app to App Engine standard.

The following error is raised:

DEBUG: (gcloud.app.deploy) Error Response: [7] Failed to create cloud build: Permission denied
 Traceback (most recent call last):
   File "/google-cloud-sdk/lib/googlecloudsdk/calliope/cli.py", line 984, in Execute
     resources = calliope_command.Run(cli=self, args=args)
   File "/google-cloud-sdk/lib/googlecloudsdk/calliope/backend.py", line 807, in Run
     resources = command_instance.Run(args)
   File "/google-cloud-sdk/lib/surface/app/deploy.py", line 110, in Run
     default_strategy=flex_image_build_option_default))
   File "/google-cloud-sdk/lib/googlecloudsdk/command_lib/app/deploy_util.py", line 642, in RunDeploy
     ignore_file=args.ignore_file)
   File "/google-cloud-sdk/lib/googlecloudsdk/command_lib/app/deploy_util.py", line 432, in Deploy
     extra_config_settings)
   File "/google-cloud-sdk/lib/googlecloudsdk/api_lib/app/appengine_api_client.py", line 208, in DeployService
     poller=done_poller)
   File "/google-cloud-sdk/lib/googlecloudsdk/api_lib/app/operations_util.py", line 314, in WaitForOperation
     sleep_ms=retry_interval)
   File "/google-cloud-sdk/lib/googlecloudsdk/api_lib/util/waiter.py", line 264, in WaitFor
     sleep_ms, _StatusUpdate)
   File "/google-cloud-sdk/lib/googlecloudsdk/api_lib/util/waiter.py", line 326, in PollUntilDone
     sleep_ms=sleep_ms)
   File "/google-cloud-sdk/lib/googlecloudsdk/core/util/retry.py", line 229, in RetryOnResult
     if not should_retry(result, state):
   File "/google-cloud-sdk/lib/googlecloudsdk/api_lib/util/waiter.py", line 320, in _IsNotDone
     return not poller.IsDone(operation)
   File "/google-cloud-sdk/lib/googlecloudsdk/api_lib/app/operations_util.py", line 183, in IsDone
     encoding.MessageToPyValue(operation.error)))
 OperationError: Error Response: [7] Failed to create cloud build: Permission denied
 ERROR: (gcloud.app.deploy) Error Response: [7] Failed to create cloud build: Permission denied

.gitlab-ci.yml

image: google/cloud-sdk:alpine

stages:
  - Deploy

deploy:
  stage: Deploy
  only:
  - tags
  script:
  - echo $SERVICE_ACCOUNT > /tmp/$CI_PIPELINE_ID.json
  - gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
  - gcloud app deploy app.yaml --project $PROJECT_ID --verbosity=debug

after_script:
- rm /tmp/$CI_PIPELINE_ID.json

app.yaml

service: api
runtime: python37

I enabled App Engine Admin API and created a service account for GitLab CI with the following roles:

  • App Engine Deployer
  • App Engine Service Admin
  • Storage Object Creator
  • Storage Object Viewer

The GitLab CI variables $PROJECT_ID and $SERVICE_ACCOUNT have been filled with the GCP project ID and a key of the service account, respectively.

eli0tt asked Dec 13 '19 19:12



1 Answer

Fixed it myself:

I needed to enable Cloud Build API and to give the Cloud Build Service Account role to my service account.

Edit 09/2021:

The required roles are now:

  • App Engine Deployer
  • App Engine Service Admin
  • Cloud Build Service Account
  • Service Account User
eli0tt answered Oct 09 '22 07:10
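
As an added example (not part of the original answer): a pre-deploy check that compares the roles bound to the CI service account in the project's IAM policy with the answer's 09/2021 list, and also reports roles outside that list and roles granted only under a condition. The role IDs are the standard IDs for the listed role titles; the account name and sample policy are constructed.

```python
# Role IDs behind the role titles in the answer's 09/2021 list.
REQUIRED_ROLES = {
    "roles/appengine.deployer": "App Engine Deployer",
    "roles/appengine.serviceAdmin": "App Engine Service Admin",
    "roles/cloudbuild.builds.builder": "Cloud Build Service Account",
    "roles/iam.serviceAccountUser": "Service Account User",
}

def audit_deployer(policy, sa_email):
    """Return (missing, extra, conditional) role lists for sa_email.

    policy is the parsed output of
    `gcloud projects get-iam-policy PROJECT_ID --format=json`.
    """
    member = f"serviceAccount:{sa_email}"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A conditional grant may not apply when the pipeline runs.
        target = conditional if binding.get("condition") else granted
        target.add(binding["role"])
    conditional -= granted
    required = set(REQUIRED_ROLES)
    missing = sorted(required - granted - conditional)
    extra = sorted((granted | conditional) - required)
    return missing, extra, sorted(conditional)

# Constructed sample: the roles from the question, one conditional grant,
# and a second member that must not be confused with the CI account.
SA = "gitlab-ci@example-project.iam.gserviceaccount.com"  # hypothetical
DEV = "user:dev@example.com"  # hypothetical
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/appengine.deployer", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/appengine.serviceAdmin", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/storage.objectCreator", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/storage.objectViewer", "members": [f"serviceAccount:{SA}", DEV]},
    {"role": "roles/cloudbuild.builds.builder", "members": [DEV]},
    {"role": "roles/iam.serviceAccountUser", "members": [f"serviceAccount:{SA}"],
     "condition": {"title": "expired", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
]}

if __name__ == "__main__":
    missing, extra, conditional = audit_deployer(SAMPLE_POLICY, SA)
    for role in missing:
        print(f"MISSING      {role} ({REQUIRED_ROLES[role]})")
    for role in conditional:
        print(f"CONDITIONAL  {role}")
    for role in extra:
        print(f"NOT IN LIST  {role}")
```

This reads only the project-level policy, so a role granted on an individual service account or inherited from a folder or organization will show as missing.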