Tags: google-app-engine, google-cloud-build, google-iam

appengine / unable to deploy / iam troubleshooting


The given service account is {project_id}@appspot.gserviceaccount.com

It has the following IAM roles:

  • Editor
  • Cloud Build Editor (manually added, to verify if it was the reason behind this issue)

I have:

  • downloaded the corresponding service account key on my laptop to {local_path}/.gcloud.json
  • activated this service account via gcloud auth activate-service-account {project_id}@appspot.gserviceaccount.com --key-file={local_path}/.gcloud.json
  • set the $GOOGLE_APPLICATION_CREDENTIALS env var to be {local_path}/.gcloud.json

Deploying with the following:

gcloud app deploy --project {project_id} \
  --quiet \
  --verbosity=debug \
  --account {project_id}@appspot.gserviceaccount.com \
  ./dispatch.yaml \
  ./app/app.yaml

I keep hitting the following error:

"Permission to create cloud build is denied. 'Cloud Build Editor' role is required for the deployment: ht..."

Checking Google Cloud Build in the gcloud UI, the build is created but fails every time (so it matches the error returned from the command line).

I just have no clue why it happens; any help would be highly appreciated

Regards


Solution

  • When enabling the Cloud Run API, three service accounts are created:

    1. compute@developer.gserviceaccount.com, Default compute service account, Role: Editor

    2. service-@containerregistry.iam.gserviceaccount.com, Google Container Registry Service Agent, Role: Editor

    3. service-@serverless-robot-prod.iam.gserviceaccount.com, Google Cloud Run Service Agent, Role: Cloud Run Service Agent

    The last two service accounts are Google-managed service accounts used to access the APIs of Google Cloud Platform services.

    By default, Cloud Run revisions are using the Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com), which has the Project > Editor IAM role. This means that by default, your Cloud Run revisions have read and write access to all resources in your GCP project.

    When enabling the Google App Engine Flexible Environment API, two service accounts related to Cloud Run are created:

    1. @cloudbuild.gserviceaccount.com, Role: Cloud Build Service Account

    2. service-@gcp-sa-cloudbuild.iam.gserviceaccount.com, Cloud Build Service Account, Role: Cloud Build Service Agent

    When enabling the App Engine Admin API, no extra service accounts are created.

    The command: gcloud beta app repair

    This command restores the App Engine staging bucket if it has been deleted. It no longer restores the service account; instead, the IAM service account undelete API must be used for that purpose.

    After deploying a Google App Engine app, at least four buckets are created in Google Cloud Storage:

    a. [project-id].appspot.com

    b. staging.[project-id].appspot.com

    c. artifacts.[project-id].appspot.com

    d. vm-containers.[project-id].appspot.com

    So I think you deleted the staging bucket or a service account by accident.
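The answer above lists what should exist in a healthy project: the App Engine default service account with a role that can create builds, the Google-managed Cloud Build identities with their agent roles, and the staging bucket. The script below, an added example that is not code from the question, the answer, or Google, turns that list into checks over the JSON that gcloud emits, so the findings can be compared against captured output before anyone reaches for `app repair` or the undelete API. Assumptions: the project id `example-project` and number `123456789012` in the inline sample are constructed; the role ids are the current ones for "Cloud Build Editor" (`roles/cloudbuild.builds.editor`), "Cloud Build Service Account" (`roles/cloudbuild.builds.builder`) and "Cloud Build Service Agent" (`roles/cloudbuild.serviceAgent`); `fetch_live` assumes the JSON field names gcloud uses today (`projectNumber`, `email`, `name`) and is not exercised offline.

```python
"""
Offline IAM / staging-bucket checks for the App Engine deploy failure discussed above.

The checks are pure functions over the JSON these commands emit, so they can be run
against captured output (the samples below are constructed, not the poster's project):
  gcloud projects describe PROJECT_ID --format=json          -> projectNumber
  gcloud projects get-iam-policy PROJECT_ID --format=json    -> {"bindings": [...]}
  gcloud iam service-accounts list --project PROJECT_ID --format=json
  gcloud storage buckets list --project PROJECT_ID --format=json
"""
import json
import subprocess  # only used by fetch_live(); never called by the offline checks

# Any of these roles grants cloudbuild.builds.create. Cloud Build Editor is the role the
# error message names; Owner and Editor are the basic roles, which include it.
BUILD_CREATE_ROLES = {"roles/cloudbuild.builds.editor", "roles/editor", "roles/owner"}


def roles_for(policy, member):
    """Roles bound to one IAM member string (e.g. 'serviceAccount:x@y.iam.gserviceaccount.com')."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def diagnose(project_id, project_number, policy, service_accounts, buckets):
    """Return a list of findings; an empty list means every item the answer lists is in place."""
    problems = []
    deployer = f"{project_id}@appspot.gserviceaccount.com"

    # 1. The App Engine default service account must still exist. It is user-managed, so it
    #    appears in `service-accounts list`; a deleted one needs the IAM undelete API.
    if deployer not in {a["email"] for a in service_accounts}:
        problems.append(f"{deployer} not found: deleted? (IAM undelete API, not `app repair`)")

    # 2. It must hold a role that allows creating builds.
    have = roles_for(policy, f"serviceAccount:{deployer}")
    if not have & BUILD_CREATE_ROLES:
        problems.append(f"{deployer} has {sorted(have) or 'no roles'}; needs one of {sorted(BUILD_CREATE_ROLES)}")

    # 3. The Google-managed Cloud Build identities from the answer must keep their roles.
    #    They are not user-managed, so we look for their bindings in the project policy.
    expected_agents = {
        f"service-{project_number}@gcp-sa-cloudbuild.iam.gserviceaccount.com": "roles/cloudbuild.serviceAgent",
        f"{project_number}@cloudbuild.gserviceaccount.com": "roles/cloudbuild.builds.builder",
    }
    for email, role in expected_agents.items():
        if role not in roles_for(policy, f"serviceAccount:{email}"):
            problems.append(f"{email} is missing {role}")

    # 4. The staging bucket that `gcloud app deploy` uploads to must exist.
    staging = f"staging.{project_id}.appspot.com"
    if staging not in buckets:
        problems.append(f"bucket {staging} is missing: try `gcloud beta app repair`")
    return problems


def fetch_live(project_id):
    """Collect the same inputs from a real project with gcloud (needs an authenticated CLI)."""
    def run(*args):
        out = subprocess.run(["gcloud", *args, "--format=json"], check=True,
                             capture_output=True, text=True).stdout
        return json.loads(out)
    number = run("projects", "describe", project_id)["projectNumber"]
    policy = run("projects", "get-iam-policy", project_id)
    accounts = run("iam", "service-accounts", "list", "--project", project_id)
    buckets = [b["name"] for b in run("storage", "buckets", "list", "--project", project_id)]
    return number, policy, accounts, buckets


# --- constructed sample: a healthy project, id example-project / number 123456789012 ---
SAMPLE_PROJECT_ID = "example-project"
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": [
        "serviceAccount:example-project@appspot.gserviceaccount.com",
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
        "serviceAccount:service-123456789012@containerregistry.iam.gserviceaccount.com"]},
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/cloudbuild.serviceAgent",
     "members": ["serviceAccount:service-123456789012@gcp-sa-cloudbuild.iam.gserviceaccount.com"]},
]}
SAMPLE_ACCOUNTS = [{"email": "example-project@appspot.gserviceaccount.com"},
                   {"email": "123456789012-compute@developer.gserviceaccount.com"}]
SAMPLE_BUCKETS = ["example-project.appspot.com", "staging.example-project.appspot.com",
                  "artifacts.example-project.appspot.com", "vm-containers.example-project.appspot.com"]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check_deploy_iam.py PROJECT_ID  (runs gcloud)
        args = (sys.argv[1], *fetch_live(sys.argv[1]))
    else:                  # no argument: run against the constructed sample
        args = (SAMPLE_PROJECT_ID, SAMPLE_PROJECT_NUMBER, SAMPLE_POLICY, SAMPLE_ACCOUNTS, SAMPLE_BUCKETS)
    for line in diagnose(*args) or ["no problems found"]:
        print(line)
```

Run it with no arguments to see the checks pass on the sample, or with a project id to pull the live policy, accounts and buckets through gcloud. Basic roles are treated as sufficient because the question's account already has Editor; if your organisation restricts basic roles, drop `roles/editor` and `roles/owner` from `BUILD_CREATE_ROLES` so only the explicit Cloud Build Editor binding counts.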