I am using the deploy app engine action in an attempt to automate a go standard app engine deployment. I created a service account with the roles specified in the README from that action, and this includes Storage Admin. Still I do get an error while deploying:
(gcloud.app.deploy) Error Response: [7] failed to fetch metadata: generic::permission_denied: failed to fetch metadata from the registry for image "us.gcr.io/myprojectid/app-engine-tmp/app/default/ttl-18h:65ff63ae-0547-4731-b625-ca7612b30c97", with reason: generic::permission_denied: fetchImageMetadata from us.gcr.io failed for image us.gcr.io/myprojectid/app-engine-tmp/app/default/ttl-18h:65ff63ae-0547-4731-b625-ca7612b30c97, reason: generic::permission_denied: failed to fetch manifest: generic::permission_denied: failed to fetch manifest "myprojectid/app-engine-tmp/app/default/ttl-18h/manifests/65ff63ae-0547-4731-b625-ca7612b30c97", error: generic::permission_denied: got HTTP/403 response for URI https://us.gcr.io/v2/myprojectid/app-engine-tmp/app/default/ttl-18h/manifests/65ff63ae-0547-4731-b625-ca7612b30c97: (allowRedirect=false)
Looking at the page here it says that I need to add the Storage Admin role, which I already have. What else can I do to debug this further? Did the recent change to artifact registry require additional roles?
Posting as a community wiki based on @jum's comment:
Ok, the role Artifact Registry Repository Administrator was needed for my service account. On further tries I also needed Cloud Datastore Index Admin to upload indexes.yaml and Cloud Tasks Admin for cron.yaml. I also needed Service Usage Admin, but now it is working.