What permission is required for a service account to deploy to Google App Engine using gcloud?

7

24

I have created a service account in order to deploy a project to google app engine.

The service account I have created has these two roles:

  1. App Engine -> App Engine Deployer
  2. Storage -> Storage Object Admin

I downloaded the JSON key file, and then ran these commands:

gcloud auth activate-service-account --key-file key.json
gcloud -q app deploy app_deploy.yaml --version 1.0 --promote

I got this error message:

ERROR: (gcloud.app.deploy) Error Response: [403] Operation not allowed

Details: [
  [
    {
      "@type": "type.googleapis.com/google.rpc.ResourceInfo",
      "description": "The \"appengine.applications.get\" permission is required.",
      "resourceType": "gae.api"
    }
  ]
]

Which role did I forget to add?

Buxton answered 11/5, 2017 at 2:54 Comment(0)
11

It works if I replace the role App Engine -> App Engine Deployer with App Engine -> App Engine Admin.

No idea why Deployer will not be sufficient for app deployment.

Buxton answered 11/5, 2017 at 3:12 Comment(5)
Also might be relevant: cloud.google.com/solutions/… (Shantell)
I'm not having any luck even with App Engine Admin; Project Owner works but anything less and nothing. (Cleavage)
To date, the following combo did the trick for me: App Engine Deployer, App Engine Service Admin and Cloud Build Service Account. Hope this helps! (Kinsella)
I think you should turn it into an answer :-) (Buxton)
Christophe Deliens is right and the permission he mentioned is the least privilege. If you use App Engine Admin only, it can deploy if you use gcloud -q app deploy app.yaml --no-promote (with the --no-promote flag). But if you need to promote to default or any other service you need that permission. (Vally)
13

As of January 2020, the documentation for App Engine Roles states:

Note: The App Engine Deployer (roles/appengine.deployer) role alone grants adequate permission to deploy using the App Engine Admin API. To use other App Engine tooling, like gcloud commands, you must also have the Compute Storage Admin (roles/compute.storageAdmin) and Cloud Build Editor (cloudbuild.builds.editor) roles.

However, this is not completely true:

  1. The cloudbuild.builds.editor is not sufficient (I suspect an error in the doc here). Indeed, the CLI apparently needs the storage.objects.list permission which is provided by cloudbuild.builds.builder.
  2. After deployment, you'll get an error because you don't have permission to change traffic splits. Thus, you need roles/appengine.serviceAdmin.

So, here is the roles list that worked for me:

  • roles/appengine.deployer
  • roles/appengine.serviceAdmin
  • roles/compute.storageAdmin
  • roles/cloudbuild.builds.builder
Outofdate answered 9/1, 2020 at 11:22 Comment(2)
This works, except I had to do Cloud Build Service Account instead of Cloud Build Builds Builder. Also, the storage admin role only needs to be added to the staging bucket and doesn't need to be for the whole project. (Demo)
Note that the docs are updated: cloud.google.com/appengine/docs/standard/…. They specify roles/appengine.deployer, roles/iam.serviceAccountUser as a bare minimum. FWIW I also needed to add serviceAdmin so that my pipeline could update traffic splits etc. However it's possible that it could be done with a less powerful role. (Expositor)
3

These roles worked for me. I'm using gcloud to deploy from AppVeyor.

  • App Engine Deployer
  • App Engine Service Admin
  • Cloud Build Service Account
  • Service Account User

Reference: https://github.com/google-github-actions/setup-gcloud/issues/191#issuecomment-706039046

Varela answered 29/12, 2020 at 0:27 Comment(0)
1

I'm still parsing all of the various docs about this myself, but I stumbled upon this list of predefined GAE roles, complete with the definition of the permissions they had. "Deployer" seems like kind of a misnomer...they maybe should have called it "NewDeployer" or something like that. Hope this helps!

EDIT - here's also the App Engine-specific list of roles.

Cheers! inger

Chidester answered 7/6, 2017 at 22:29 Comment(0)
1

You don't need to grant the Admin role for Storage.

You should only need to grant the following roles to the service account:

  • App Engine Deployer
  • Storage Object Creator for only the bucket staging.<project-id>.appspot.com
  • Storage Object Viewer for only the bucket staging.<project-id>.appspot.com

You may get an error because the service account does not have permission to change traffic to the new version (the one you have just deployed). But the deploy was successful and you can migrate to the new version from the console.

Following is the message from my case.

[INFO] GCLOUD: ERROR: (gcloud.app.deploy) Your deployment has succeeded, but promoting the new version to default failed. You may not have permissions to change traffic splits. Changing traffic splits requires the Owner, Editor, App Engine Admin, or App Engine Service Admin role. Please contact your project owner and use the gcloud app services set-traffic --splits <version>=1 command to redirect traffic to your newly deployed version.

Lawhorn answered 25/2, 2019 at 11:47 Comment(0)
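Putting the thread together, here is an added example (not code from any of the answers) that binds a deployer service account to the narrow role set converged on above: the project-level roles from Outofdate's list (deployer, serviceAdmin, cloudbuild.builds.builder), the staging-bucket-scoped Storage roles from this answer instead of project-wide Storage Object Admin, and Service Account User on the runtime service account as the docs quoted later require. The project id and deployer account e-mail are hypothetical arguments; it assumes the App Engine default runtime account <project>@appspot.gserviceaccount.com and the default staging bucket staging.<project>.appspot.com, and it only prints the gcloud commands unless DRY_RUN=0 is exported.

```shell
#!/bin/sh
# Added example (not from the thread): bind the deploy-only role set to a
# service account and print an audit command. Inputs are hypothetical:
#   $1 = project id, $2 = deployer service account e-mail.
# Assumes the App Engine default runtime account <project>@appspot.gserviceaccount.com
# and the default staging bucket staging.<project>.appspot.com.
set -eu

# Echo each gcloud invocation; execute it only when DRY_RUN=0 is exported.
run() {
  printf '%s\n' "$*"
  [ "${DRY_RUN:-1}" = "0" ] && "$@"
  return 0
}

grant_deploy_roles() {
  project="$1"; member="serviceAccount:$2"
  # Project level: create versions (deployer), promote/split traffic
  # (serviceAdmin), run the Cloud Build job gcloud kicks off (builds.builder).
  for role in roles/appengine.deployer roles/appengine.serviceAdmin \
              roles/cloudbuild.builds.builder; do
    run gcloud projects add-iam-policy-binding "$project" \
      --member="$member" --role="$role"
  done
  # Act-as on the runtime service account only, not Service Account User project-wide.
  run gcloud iam service-accounts add-iam-policy-binding \
    "${project}@appspot.gserviceaccount.com" \
    --member="$member" --role=roles/iam.serviceAccountUser
  # Storage scoped to the staging bucket instead of Storage Object Admin on the project.
  for role in roles/storage.objectCreator roles/storage.objectViewer; do
    run gcloud storage buckets add-iam-policy-binding \
      "gs://staging.${project}.appspot.com" --member="$member" --role="$role"
  done
}

# Show which project-level roles the account really holds, so a broad grant
# left over from troubleshooting (appAdmin, editor, owner) is visible.
audit_roles() {
  run gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}

# Usage: DRY_RUN=0 sh grant.sh my-project deployer@my-project.iam.gserviceaccount.com
if [ "$#" -eq 2 ]; then
  grant_deploy_roles "$1" "$2"
  audit_roles "$1" "$2"
fi
```

Role names and the minimum set have changed over the years this thread spans, so compare the list against the current App Engine roles page before applying it.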
0

You can use App Engine Deployer or App Engine Admin, depending on your needs.

In addition, according to the GCP App Engine docs, you need to add three more roles: https://cloud.google.com/appengine/docs/standard/roles

To deploy new versions, you must also have the Service Account User (roles/iam.serviceAccountUser) role on the assigned App Engine service account, and the Cloud Build Editor (roles/cloudbuild.builds.editor), and Cloud Storage Object Admin (roles/storage.objectAdmin) roles on the project.

  • roles/iam.serviceAccountUser
  • roles/cloudbuild.builds.editor
  • roles/storage.objectAdmin
Goodden answered 1/2, 2024 at 7:51 Comment(0)
0

I found the docs on the Github action deploy-appengine helpful: https://github.com/google-github-actions/deploy-appengine

The caller must have the following Google Cloud IAM Roles:

App Engine Admin (roles/appengine.appAdmin) to manage all App Engine resources and create new services and versions.

Storage Admin (roles/storage.admin) to upload files to Cloud Storage to store source artifacts.

Cloud Build Editor (roles/cloudbuild.builds.editor) to build the service.

Artifact Registry Reader (roles/artifactregistry.reader) to view & get artifacts for implementing CI/CD pipeline.

Service Account User (roles/iam.serviceAccountUser) permissions on the runtime service account to deploy the service. The default runtime service account is [email protected], but you can also customize the service account in your app.yaml file.

(optional) Cloud Scheduler Admin (roles/cloudscheduler.admin) to schedule tasks

Note: An owner will be needed to create the App Engine application.

Sturgill answered 23/5, 2024 at 1:36 Comment(0)
