I have this app that's been running on Google App Engine for a good couple of years. Today I needed to modify its app.yaml file, but when I ran "gcloud app deploy" I got this error:
Updating service [default]...failed.
ERROR: (gcloud.app.deploy) Error Response: [7] Failed to create cloud build: service account "redacted@cloudbuild.gserviceaccount.com" has insufficient permission to execute the build on project "redacted"
It appears that the default service account no longer has the necessary permissions. In fact, it may have been deleted completely, because I don't see it listed under gcloud projects get-iam-policy xxxx. What I see instead is this:
serviceAccount:service-redacted@gcp-sa-cloudbuild.iam.gserviceaccount.com
with a correct-looking role cloudbuild.serviceAgent.
I tried googling any changes related to GAE service accounts but didn't find any useful references. I followed the solution to this question, but it didn't help.
The question is, how do I change the permissions of the service account mentioned in the original error message, or, how do I tell GAE to use another (correct) service account when deploying my app?