What permission is required for a service account to deploy to Google App Engine using gcloud?

I have created a service account in order to deploy a project to google app engine.

The service account I have created has these two roles:

  1. App Engine -> App Engine Deployer
  2. Storage -> Storage Object Admin

I downloaded the JSON key file and then ran these commands:

gcloud auth activate-service-account --key-file key.json
gcloud -q app deploy app_deploy.yaml --version 1.0 --promote

I got this error message:

ERROR: (gcloud.app.deploy) Error Response: [403] Operation not allowed

Details: [
  [
    {
      "@type": "type.googleapis.com/google.rpc.ResourceInfo",
      "description": "The \"appengine.applications.get\" permission is required.",
      "resourceType": "gae.api"
    }
  ]
]

Which role did I forget to add?

Anthony Kong asked May 11 '17 02:05



1 Answer

As of January 2020, the documentation for App Engine Roles states:

Note: The App Engine Deployer (roles/appengine.deployer) role alone grants adequate permission to deploy using the App Engine Admin API. To use other App Engine tooling, like gcloud commands, you must also have the Compute Storage Admin (roles/compute.storageAdmin) and Cloud Build Editor (cloudbuild.builds.editor) roles.

However, this is not completely true:

  1. The cloudbuild.builds.editor is not sufficient (I suspect an error in the doc here). Indeed, the CLI apparently needs the storage.objects.list permission which is provided by cloudbuild.builds.builder.
  2. After deployment, you'll get an error because you don't have permission to change traffic splits. Thus, you need roles/appengine.serviceAdmin.

So, here is the roles list that worked for me:

  • roles/appengine.deployer
  • roles/appengine.serviceAdmin
  • roles/compute.storageAdmin
  • roles/cloudbuild.builds.builder
frankie567 answered Oct 14 '22 16:10
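To turn the role list above into a check you can run before a deploy, here is an added Python example (not part of the answer and not Google tooling) that reads a project IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT --format=json` returns and reports which of the four roles the deploy service account is missing. The policy, project and account names are constructed; the symptom hints are the ones the answer describes.

```python
"""Report which App Engine deploy roles a service account lacks, given a
project IAM policy as JSON (shape of `gcloud projects get-iam-policy`)."""
import json

# Roles the answer found necessary for `gcloud app deploy` as a service account,
# each paired with the symptom the answer reports when it is missing.
REQUIRED_DEPLOY_ROLES = {
    "roles/appengine.deployer": "deploy itself is refused",
    "roles/appengine.serviceAdmin": "deploy succeeds, then traffic split change is refused",
    "roles/compute.storageAdmin": "staging bucket access fails",
    "roles/cloudbuild.builds.builder": "storage.objects.list permission missing",
}

# Constructed sample policy: the SA holds only the two roles from the question.
SA_EMAIL = "deployer@example-project.iam.gserviceaccount.com"  # constructed
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/appengine.deployer",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/storage.objectAdmin",
         "members": [f"serviceAccount:{SA_EMAIL}", "user:alice@example.com"]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXyzConstructed=",
    "version": 1,
})


def roles_for_member(policy_json, member):
    """Return the set of roles bound unconditionally to `member`.

    Bindings with an IAM condition are skipped: they only apply when the
    condition evaluates true, so they cannot be counted as guaranteed grants."""
    policy = json.loads(policy_json)
    held = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            held.add(binding["role"])
    return held


def missing_deploy_roles(policy_json, service_account_email):
    """Return the required roles the service account does not hold, sorted."""
    held = roles_for_member(policy_json, f"serviceAccount:{service_account_email}")
    return sorted(role for role in REQUIRED_DEPLOY_ROLES if role not in held)


if __name__ == "__main__":
    for role in missing_deploy_roles(SAMPLE_POLICY, SA_EMAIL):
        print(f"missing {role}: {REQUIRED_DEPLOY_ROLES[role]}")
```

Pipe a real policy in place of `SAMPLE_POLICY` and grant only the roles reported missing, rather than falling back to a broad role such as Owner.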