
I have two GCP projects. projectA contains an Artifact Registry where I store my Docker images; projectB is where I want to use such an image to deploy it with App Engine (flexible).

Here's what my command looks like:

gcloud app deploy --project=projectB --version=test1 --image-url="asia-northeast1-docker.pkg.dev/projectA/default/my-image:latest"

It fails like this:

ERROR: (gcloud.app.deploy) Error Response: [7] The App Engine appspot and App Engine flexible environment service accounts must have permissions on the image [asia-northeast1-docker.pkg.dev/projectA/default/my-image:latest]. Please check that the App Engine default service account has the [Storage Object Viewer] role and the App Engine Flexible service account has the App Engine Flexible Environment Service Agent role

I ensured that the App Engine default service account has the Storage Object Viewer role (in both projects); however, I cannot find an App Engine Flexible service account anywhere.

Gourav B
valenterry

2 Answers


On Google Cloud, you have 2 container registry products: Container Registry and Artifact Registry.

When you use Container Registry, the legacy one, Kunal's answer is correct: you need to grant the service account Storage Object Viewer on your project.

However, a major evolution of the new registry, Artifact Registry, is IAM compatibility. This time you can grant not at project scope (even if you can, I don't recommend it) but at registry scope. And you have an IAM role dedicated to that.

Go to Artifact Registry, select it (check box on the left) and go to the permission panel on the right-hand side.

Click on add member, add your service account and select the correct role; here Artifact Reader is enough.

(It also works if you grant your service account at project scope, of course, with the same role.)


EDIT 1

You can grant this role at project level also.

guillaume blaquiere
  • Thank you so much, that was precisely it! I'm only surprised that these permissions are apparently only visible/settable at this location, not in the general IAM section. Any insight on why that is? – valenterry Aug 16 '21 at 09:06
  • You can do it in the "general IAM section" -> project level scope. I updated my answer – guillaume blaquiere Aug 16 '21 at 10:47

You will need to make sure that the App Engine default service account of projectB has access to the GCS bucket in projectA.

You should go to "IAM" (not "Service Accounts") in projectA. There you will be able to add the email address of the App Engine default service account from projectB.

Kunal Deo
  • I tried that one. In projectA, I added the member with `member name`= `projectB@appspot.gserviceaccount.com`, `name` = `App Engine default service account` (was automatically set) and giving it the role `Storage Object Viewer` (also tried `Storage Object Admin`). I waited ~15min for the permissions to propagate correctly, but the error message is unchanged. I also set `service_account: "projectB@appspot.gserviceaccount.com"` in the `app.yaml` to make sure it uses the correct account. – valenterry Aug 16 '21 at 05:58
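The two answers describe two different grants: Kunal Deo's Storage Object Viewer at project scope in projectA (which is what the Container Registry buckets need) and guillaume blaquiere's Artifact Registry Reader at repository scope. The script below is an added example, not code from either answer or from Google. It reads IAM policy documents in the JSON shape that `gcloud projects get-iam-policy --format=json` and `gcloud artifacts repositories get-iam-policy --format=json` return, and reports which grant (if any) actually lets projectB's App Engine default service account pull the image, preferring the narrowest scope. The policy documents are constructed samples; the service account name follows the `projectB@appspot.gserviceaccount.com` pattern quoted in the comments, and the role names are the standard Artifact Registry and basic roles.

```python
"""Offline check: which IAM grant lets projectB's App Engine default service
account pull from an Artifact Registry repository in projectA?

Input policies are the JSON returned by
  gcloud artifacts repositories get-iam-policy default \
      --location=asia-northeast1 --project=projectA --format=json
  gcloud projects get-iam-policy projectA --format=json
The policies embedded below are constructed samples, not real exports.
"""
import json

READER_ROLE = "roles/artifactregistry.reader"   # least-privilege pull role
# Roles that also allow pulls but grant far more than a deployer needs.
BROADER_ROLES = {
    "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.admin",
    "roles/editor",
    "roles/owner",
}


def app_engine_default_sa(project_id: str) -> str:
    """IAM member string for a project's App Engine default service account."""
    return f"serviceAccount:{project_id}@appspot.gserviceaccount.com"


def roles_for_member(policy: dict, member: str) -> set:
    """Roles the member holds directly in one policy document.

    Conditional bindings are skipped: whether they apply at pull time depends
    on the condition, so they are not counted as a reliable grant.
    """
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def pull_access(repo_policy: dict, project_policy: dict, member: str):
    """Return (scope, role) for the narrowest grant that allows image pulls,
    checking the repository policy before the project policy; (None, None)
    when neither policy grants pull access."""
    for scope, policy in (("repository", repo_policy), ("project", project_policy)):
        roles = roles_for_member(policy, member)
        if READER_ROLE in roles:
            return scope, READER_ROLE
        broader = sorted(roles & BROADER_ROLES)
        if broader:
            return scope, broader[0]
    return None, None


def explain(repo_policy: dict, project_policy: dict, member: str) -> str:
    """One-line verdict: repository-scope reader is the recommended grant,
    project scope works but is wider than necessary."""
    scope, role = pull_access(repo_policy, project_policy, member)
    if scope is None:
        return f"{member}: no Artifact Registry pull permission (deploy will fail)"
    note = "" if scope == "repository" else " (works, but wider than the repository)"
    if role != READER_ROLE:
        note += f"; {role} is broader than {READER_ROLE}"
    return f"{member}: pull allowed via {role} at {scope} scope{note}"


# --- constructed sample policies -------------------------------------------
SA_B = app_engine_default_sa("projectB")

# projectA's project policy after the asker's first attempt: the account has
# Storage Object Viewer, which covers Container Registry buckets but is not an
# Artifact Registry role.
PROJECT_POLICY_A = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:projectB@appspot.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")

# Repository policy for asia-northeast1-docker.pkg.dev/projectA/default before
# and after the repository-scoped Artifact Registry Reader grant.
REPO_POLICY_BEFORE = {"bindings": [], "etag": "BwXconstructed=", "version": 1}
REPO_POLICY_AFTER = {
    "bindings": [{"role": READER_ROLE, "members": [SA_B]}],
    "etag": "BwXconstructed=",
    "version": 1,
}

if __name__ == "__main__":
    print(explain(REPO_POLICY_BEFORE, PROJECT_POLICY_A, SA_B))
    print(explain(REPO_POLICY_AFTER, PROJECT_POLICY_A, SA_B))
```

Run against real exports by replacing the two sample documents with the output of the `gcloud ... get-iam-policy --format=json` commands named in the docstring; the first sample reproduces the asker's failing state (Storage Object Viewer only), the second the repository-scoped fix.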