Error while running pipeline from bitbucket to GCP

Question

I am trying to run pipeline from bitbucket to GCP. This is my pipeline configuration:

image: node:10.15.3

pipelines:
  default:
    - parallel:
        - step:
            name: Build and Test
            caches:
              - node
            script:
              - npm install
        - step:
            name: Deploy
            deployment: staging
            script:
            - curl -o /tmp/google-cloud-sdk.tar.gz https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-347.0.0-linux-x86_64.tar.gz
            - tar -xvf /tmp/google-cloud-sdk.tar.gz -C /tmp/
            - /tmp/google-cloud-sdk/install.sh -q
            - source /tmp/google-cloud-sdk/path.bash.inc
            - gcloud -v
            - echo "${KEY_FILE}" | base64 --decode --ignore-garbage > ./gcloud-api-key.json
            - gcloud auth activate-service-account --key-file gcloud-api-key.json
            - echo "$(gcloud auth list)"
            - gcloud config unset project
            - gcloud config set project $PROJECT_ID
            - echo "GCLOUD" "$(gcloud iam service-accounts list)"
            - echo "$(gcloud projects list)"
            #- gcloud auth login
            - gcloud app deploy  # getting error here

On GCP dashboard I selected my project from top dropdown and created service account. My service account holds these permissions:

I have downloaded the service account json and added an enironment variable KEY_FILE to bitbucket after encoding it with base64 (executed base64 <service-account>.json and pasted the output to the variable). PROJECT_ID variable contains the project-id from GCP.

Adding output for the pipeline commands:

gcloud auth activate-service-account --key-file gcloud-api-key.json

Activated service account credentials for: [service-account-name@project-id.iam.gserviceaccount.com]

echo "$(gcloud auth list)"

To set the active account, run: $ gcloud config set account ACCOUNT

ACTIVE ACCOUNT

•    service-account-name@project-id.iam.gserviceaccount.com
  

gcloud config unset project

Unset property [core/project].

gcloud config set project $PROJECT_ID

Updated property [core/project]. WARNING: You do not appear to have access to project [PROJECT_ID] or it does not exist.

echo "$(gcloud projects list)"

Listed 0 items.

gcloud app deploy

ERROR: (gcloud.app.deploy) Permissions error fetching application

After hours of research, I am not able to resolve the issue. Any input will be helpful.

Answer 1

You should be able to run the script from any machine and this will help in debugging; run it locally (perhaps within a 'clean' container) to uncover errors.

The output you include references service-account-name@project-id.iam.gserviceaccount.com, iam.gserviceaccount.com suggests a user-created service account.

However, the account that you reference in the screenshot is the App Engine default service account appspot.gserviceaccount.com.

It's possible that you've created a service account and a key for it but not assigned it any permissions. This would explain the errors.

Service Accounts are owned by specific projects, you can list the Service Accounts in a specific project using:

PROJECT=[[YOUR-PROJECT-ID]]

gcloud iam service-accounts list \
--project=${PROJECT}

You can list the permissions for a project using:

gcloud projects get-iam-policy ${PROJECT}

NOTE Service Accounts must be role'd on every project or project resources on which the account needs permissions.

NOTE To list projects, an account requires the IAM permission resourcemanager.projects.list. This must be enabled on an organization or folder link