Do not have permission to access app while deploying google service account
After creating google service account with permission as shown below - deployment fails with message . I am failing to understand where this is going wrong.
====
$ gcloud iam service-accounts get-iam-policy [email protected]
bindings:
- members:
- serviceAccount:[email protected]
role: roles/owner
etag: Bxxxxxxxxg=
====
$ gcloud auth activate-service-account --key-file ../a.json
Activated service account credentials for: [[email protected]]
$ gcloud app deploy
ERROR: (gcloud.app.deploy) You do not have permission to access app [appid].
Answer
For those who are trying to deploy using a service account and the gcloud commands, you will need to set all of the following roles:
App Engine Deployer(deploy new code)Storage Object Viewer(list images)Storage Object Creator(upload the image)Cloud Build Editor(create build)App Engine Service Admin(promoting the new version)
From the access control docs:
The App Engine Deployer role alone grants adequate permission to deploy using the Admin API. To use other App Engine tooling, like gcloud commands, you must also have the Storage Admin role and Cloud Build Editor role.