39

After creating a Google service account with the permissions shown below, deployment fails with the message . I am failing to understand where this is going wrong.

====

$ gcloud iam service-accounts get-iam-policy cdemail@appid.iam.gserviceaccount.com
bindings:
- members:
  - serviceAccount:cdemail@appid.iam.gserviceaccount.com
  role: roles/owner
etag: Bxxxxxxxxg=

====

$ gcloud auth activate-service-account --key-file ../a.json 
Activated service account credentials for: [cdemail@appid.iam.gserviceaccount.com]

$ gcloud app deploy
ERROR: (gcloud.app.deploy) You do not have permission to access app [appid].
npr

5 Answers

40

For those who are trying to deploy using a service account and the gcloud commands, you will need to set all of the following roles:

  • App Engine Deployer (deploy new code)
  • Storage Object Viewer (list images)
  • Storage Object Creator (upload the image)
  • Cloud Build Editor (create build)
  • App Engine Service Admin (promoting the new version)

From the access control docs:

The App Engine Deployer role alone grants adequate permission to deploy using the Admin API. To use other App Engine tooling, like gcloud commands, you must also have the Storage Admin role and Cloud Build Editor role.

m.spyratos
  • This was the key for me. Trying to run `gcloud` through Semaphore-CI wasn't working, with errors around the service account not having access. Adding the permissions to the service account in GCP IAM fixed it. – Artif3x Jan 30 '20 at 20:02
  • 1
    Gets me further but I'm now stuck at `ERROR: (gcloud.app.deploy) Your deployment has succeeded, but promoting the new version to default failed. You may not have permissions to change traffic splits. Changing traffic splits requires the Owner, Editor, App Engine Admin, or App Engine Service Admin role. Please contact your project owner and use the gcloud app services set-traffic --splits =1 command to redirect traffic to your newly deployed version.` Changing the default permission to `App Engine Service Admin` fixed this. Still feeling a bit uneasy as I have no clue what I granted. – SCBuergel Mar 04 '20 at 04:01
  • 2
    Also needed `App Engine Service Admin` role – evedovelli Jun 12 '20 at 19:05
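The role list in the answer above, turned into a least-privilege audit: the script below is an added example (not from the original answer or from Google) that compares a service account's project-level bindings against those five roles and prints the `gcloud projects add-iam-policy-binding` commands for whatever is missing, which is where the bindings have to live (the question's `gcloud iam service-accounts get-iam-policy` shows the policy on the service account resource itself, not what the account may do in the project). The project id, service account address and policy sample are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original Q&A. Audits a deploy service
# account against the least-privilege role set from the accepted answer.
# "my-gcp-project" and "deployer@..." are placeholder values.

# Role ids behind the console names listed in the answer.
REQUIRED_ROLES="roles/appengine.deployer
roles/storage.objectViewer
roles/storage.objectCreator
roles/cloudbuild.builds.editor
roles/appengine.serviceAdmin"

# Constructed sample of what a real project would print with:
#   gcloud projects get-iam-policy my-gcp-project \
#     --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"
# One "<role>,<member>" pair per line. This account is missing two roles.
SAMPLE_POLICY="roles/owner,user:admin@example.com
roles/appengine.deployer,serviceAccount:deployer@my-gcp-project.iam.gserviceaccount.com
roles/storage.objectViewer,serviceAccount:deployer@my-gcp-project.iam.gserviceaccount.com
roles/cloudbuild.builds.editor,serviceAccount:deployer@my-gcp-project.iam.gserviceaccount.com"

# missing_roles MEMBER POLICY: prints each required role MEMBER lacks.
missing_roles() {
    member="$1"
    policy="$2"
    printf '%s\n' "$REQUIRED_ROLES" | while IFS= read -r role; do
        # Fixed-string, whole-line match so objectViewer never satisfies
        # a check for objectCreator (or vice versa).
        if ! printf '%s\n' "$policy" | grep -qxF "$role,$member"; then
            printf '%s\n' "$role"
        fi
    done
}

# grant_commands PROJECT MEMBER POLICY: prints the project-level
# binding commands needed to close the gap, one per missing role.
grant_commands() {
    project="$1"; member="$2"; policy="$3"
    missing_roles "$member" "$policy" | while IFS= read -r role; do
        printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s\n' \
            "$project" "$member" "$role"
    done
}

# Run against the constructed sample.
grant_commands "my-gcp-project" \
    "serviceAccount:deployer@my-gcp-project.iam.gserviceaccount.com" "$SAMPLE_POLICY"
```

Replace `SAMPLE_POLICY` with the real `gcloud projects get-iam-policy` output to audit a live project; an account that turns up with `roles/owner` or `roles/editor` instead of these five is over-privileged for a deploy pipeline.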
25

Have got it working now.

$ gcloud app deploy --log-http --verbosity=debug

The reason why it was failing, seemed to be related to enabling the App Engine API (link was shown in command output). Enable the api - then try deploying again (this time without --log-http as this is resulting in a gcloud crash).

You can enable the "Google App Engine Admin API" through the Google Cloud Platform API console page. https://console.cloud.google.com/apis/api/appengine.googleapis.com/

npr
  • Thanks, I spent all morning trying to fix this and your answer saved me. How did you find out about this? I can't see it documented anywhere? – joshhunt Sep 22 '16 at 00:10
  • Are you using the node.js flexible environment too? Yes, it's not documented - I think it might be because work is in progress. – npr Sep 22 '16 at 07:09
  • 2
    For reference, see https://cloud.google.com/appengine/docs/admin-api/accessing-the-api for the link to enable the API. – Julian V. Modesto Sep 22 '16 at 20:20
  • @JulianV.Modesto Thanks for the link, any idea why the admin API needs to be enabled to service accounts to work? – joshhunt Sep 22 '16 at 20:23
  • @npr I'm just using the standard php environment but I have a pre-deployment script that gets run in Jenkins. – joshhunt Sep 22 '16 at 20:24
  • @joshhunt: yes, having set the service account permission to Editor - it was not obvious there would be finer permissions to grant. I'm using GitLab for CI and CD - I feel it's really good. – npr Sep 23 '16 at 08:08
  • I tried a few permission levels, but I did get Editor to work... I'll play around more to see if any lower permissions will work. – Julian V. Modesto Nov 22 '16 at 21:19
  • 1
    Looks like Editor is required for now – see this issue https://code.google.com/p/google-cloud-sdk/issues/detail?id=1050 – Julian V. Modesto Nov 25 '16 at 21:16
  • I have the API enabled but still getting that same error. – Rodrigo Ruiz Dec 22 '17 at 15:19
  • I was able to have it working with just these three permissions: - App Engine Deployer - Cloud Build Service Account - Storage Admin – rpadovani Jul 30 '18 at 11:44
  • Strange how the not-so quick start (overly quick start?) doesn't mention this at all https://cloud.google.com/appengine/docs/standard/nodejs/quickstart. And the error message could offer some assistance too. – Gerry Nov 21 '20 at 20:15
10

Run the following command to check whether the project is associated with the correct account.

gcloud config list

If it is not associated with the account then use

gcloud auth login

to configure it with the correct project account.

Bhavesh
  • 1
    The deploy command didn't work after adding a service account. Running `gcloud auth login` and re-logging in fixed the problem for me – Sahar Sep 16 '19 at 13:04
1

If you are trying to deploy a node app this may still be insufficient. My API was enabled and I followed everything in GCP's instructions, however I still got the `You do not have permission to access app` error. Finally fixed it by adding two more roles to the service account:

  • Project > Browser
  • Cloud Build > Cloud Build Service Account
carnun
0

To add to npr's answer. Run this on the command line if you have not authenticated yourself for your default app/project (after enabling the API):

gcloud auth application-default login
dardawk