gcloud app deploy error: The "vpcaccess.connectors.use" permission is required
I have a Go application and tried to deploy it to Google App Engine with the Google command line SDK from a local machine with a custom service account.

I created a custom service account with these roles:

  • App Engine Admin
  • Cloud Build Service Account
  • Cloud Build Service Agent
  • Serverless VPC Access User

And authorized locally with this account:

gcloud auth activate-service-account [email protected] --key-file=key.json

Also, I configured the service account in my app.yaml:

service_account: [email protected]

But when I try to deploy

gcloud app deploy -v 1

I get the error:

Beginning deployment of service [default]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 0 files to Google Cloud Storage                ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: Operation is not allowed. The "vpcaccess.connectors.use" permission is required.

I cannot understand why the vpcaccess.connectors.use permission is still required even though I have the Serverless VPC Access User role. I found the role on this Google docs page.

Maybe someone has run into a similar difficulty? Please help me)

UPD: even if I give the Owner role, I still have the error.

Isotonic answered 5/11, 2021 at 5:48 Comment(0)
OK, I fixed this error by removing the vpc_access_connector: configuration from app.yaml.

UPD: But if you need to configure vpc_access_connector, you need to add the Serverless VPC Access User and Compute Viewer IAM roles, and everything should work fine.

Isotonic answered 5/11, 2021 at 6:40 Comment(0)
One way to fix this error is by removing the vpc_access_connector: configuration from app.yaml; however, that means your App Engine app needs to connect via the internet to reach the resources on your subnet.

If you do need vpc_access_connector configured, add Serverless VPC Access User and Compute Viewer IAM roles to the service account doing the deployment. Add the roles to the project where the VPC Access connector is configured.

This error will also appear when the connector does not exist (or exists somewhere else).

Check that the project ID, region and connector name in app.yaml are correct and refer to a connector that exists in https://console.cloud.google.com/networking/connectors/list?project=<project_id>

vpc_access_connector:
  name: projects/project-id/locations/the-zone/connectors/my-connector-name

If you have a Shared VPC, the serverless access connector can either be in the host project or the service project. See: Configure connectors in Shared VPC service projects

If the connector is on a host project of a Shared VPC you must give the deploying service account Serverless VPC Access Viewer (vpcaccess.viewer) role on the host project. Compute Network Viewer (compute.networkViewer) on the host is also recommended.

Negrophobe answered 4/3, 2022 at 0:8 Comment(0)
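As an added preflight check (example code written for this page, not code from the answer above or from Google's tooling): it parses the connector reference used in app.yaml and reports which of the roles named in this answer the deploying service account still lacks, reading the IAM policy JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns. The service-account email, project IDs and the embedded policy are constructed sample values.

```python
import re

# Roles named in the answers above: Serverless VPC Access User (roles/vpcaccess.user)
# carries vpcaccess.connectors.use; Compute Viewer is needed alongside it.
REQUIRED_ROLES = {"roles/vpcaccess.user", "roles/compute.viewer"}
# Extra role required on the host project when the connector lives in a Shared VPC host.
HOST_PROJECT_ROLES = {"roles/vpcaccess.viewer"}
CONNECTOR_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<region>[^/]+)/connectors/(?P<name>[^/]+)$"
)

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SA = "deployer@my-project.iam.gserviceaccount.com"  # hypothetical deploying service account
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/appengine.appAdmin", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/vpcaccess.user", "members": [f"serviceAccount:{SA}"]},
    ]
}


def parse_connector(ref: str) -> dict:
    """Split a vpc_access_connector.name into project, region and name; reject malformed refs."""
    m = CONNECTOR_RE.match(ref)
    if not m:
        raise ValueError(f"malformed connector reference: {ref!r}")
    return m.groupdict()


def roles_for_member(policy: dict, member: str) -> set:
    """Collect every role bound to `member` in a get-iam-policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def missing_roles(policy: dict, sa_email: str, deploy_project: str, connector_ref: str) -> set:
    """Roles the deploying SA still lacks in the connector's project (`policy` is that
    project's IAM policy). A connector outside `deploy_project` sits in a Shared VPC host,
    where Serverless VPC Access Viewer is required as well."""
    conn = parse_connector(connector_ref)
    needed = set(REQUIRED_ROLES)
    if conn["project"] != deploy_project:
        needed |= HOST_PROJECT_ROLES
    return needed - roles_for_member(policy, f"serviceAccount:{sa_email}")


if __name__ == "__main__":
    ref = "projects/my-project/locations/us-central1/connectors/my-connector"
    print("connector:", parse_connector(ref))
    print("missing roles:", sorted(missing_roles(SAMPLE_POLICY, SA, "my-project", ref)))
```

An empty result means the bindings this answer asks for are in place; a non-empty one lists the roles to add with `gcloud projects add-iam-policy-binding` on the connector's project.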
For those deploying 2nd gen Cloud Functions and facing this issue, make sure the right accounts are being granted the necessary roles.

There are two project numbers that you will be concerned with: the HOST_PROJECT_NUMBER and the SERVICE_PROJECT_NUMBER.

  1. Ensure the service account service-SERVICE_PROJECT_NUMBER@gcp-sa-vpcaccess.iam.gserviceaccount.com has the Serverless VPC Access Service Agent role.
  2. Add a new Principal called Cloud Run Service Agent of the form service-SERVICE_PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com
  3. Assign vpcaccess.user, cloudfunctions.serviceAgent, compute.viewer roles to this Cloud Run Service Agent service-SERVICE_PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com
  4. Add a new Principal called Cloud Function Service Agent of the format service-SERVICE_PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com where SERVICE_PROJECT_NUMBER is the Service Project Number which needs to be granted a role in the host project
  5. Grant Serverless VPC Access User and Compute Network User role to Cloud Functions Service Agent service-SERVICE_PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com

Reference: https://cloud.google.com/knowledge/kb/second-generation-cloud-functions-deployment-fails-000005033

Gerlachovka answered 13/7, 2024 at 9:37 Comment(0)