2

I have the following error when I try to build my app on GCP App Engine; my app environment is indeed a flexible one. But I don't know if my App Engine environment is flex or not.

If that's the case how can I set my environment to flex in GCP App Engine?

ERROR: (gcloud.app.deploy) Error Response: [7] The App Engine appspot and App Engine 
flexible environment service accounts must have permissions on the image 
[eu.gcr.io/["key file"]/appengine/default.20220514t124713:latest]. Please check 
that the App Engine default service account has the [Storage Object Viewer] role and the 
App Engine  Flexible service account has the App Engine Flexible Environment Service 
Agent role

I'm building on Travis CI using the right .travis format and I receive this error. I also tried to build this directly on Cloud Shell terminal in GCP, but I have the same error.

This is my app.yaml file:

env: flex
runtime: custom
service: default
manual_scaling:
  instances: 1
resources:
  cpu: 1

This is what I have in IAM permissions:

[screenshot of the project's IAM permissions page, not reproduced]

maximus383
  • I don't really understand the question, did you already perform the 2 tasks mentioned in the error message and it is still not working? Fwiw, The default app-engine service account is YOUR_PROJECT_ID@appspot.gserviceaccount.com , which you could also see in the IAM console. That being said, this sounds like a new deployment and I really don't see why you would deploy to appengine flex instead of cloud run nowadays (I might be missing something, but I can only think of downsides). – somethingsomething May 14 '22 at 13:59
  • Unless you've changed the value in `app.yaml`, you're using flex (`env: flex`). IIRC flex only uses the default Compute Engine service account (`{project-number}-compute@developer.gserviceaccount.com`) and you will need to grant it IAM [role](https://cloud.google.com/storage/docs/access-control/iam-roles) `storage.objectViewer` so that it may pull the "image" from Container Registry (which is backed by Cloud Storage). – DazWilkin May 14 '22 at 15:21
  • **NOTE** `{project-number}` (not the project ID) can be found using `gcloud projects describe ${PROJECT_ID} --format="value(projectNumber)"`. – DazWilkin May 14 '22 at 15:22
  • @DazWilkin so how can I grant the role objectViewer from IAM? – maximus383 May 14 '22 at 15:49
  • @DazWilkin I updated the question with a picture of what I have as permissions in IAM, So tell me what I do wrong. I don't find any `@developer.gserviceaccount.com` – maximus383 May 14 '22 at 15:57
  • I think I was incorrect and App Engine flexible does not use the Compute Engine default service account. It does appear to use both App Engine appspot and App Engine flexible environment service accounts per the error message. You appear to not have the appspot account listed in your IAM policy. The App Engine flexible environment Service Agent appears correct. Is it possible that the appspot (`{project-id}@appspot.gserviceaccount.com`) binding was deleted? I think it defaults to `roles/editor` – DazWilkin May 14 '22 at 16:33
  • @DazWilkin so if it was deleted, is there a way to re-add it? – maximus383 May 14 '22 at 19:07
  • You can determine its email address (`{project-id}@appspot.gserviceaccount.com`) and you should be able to simply re-add it to the IAM policy... Give it `roles/editor`. It's a Google-managed (owned) Service Account and so you can't delete the Service Account itself, just the role binding. – DazWilkin May 14 '22 at 23:44
  • @DazWilkin solved it, thank you for your answer – maximus383 May 15 '22 at 20:10
  • I'm pleased to hear it! – DazWilkin May 16 '22 at 02:40

2 Answers

1

@DazWilkin solved it. To solve it I needed to add the ({project-id}@appspot.gserviceaccount.com) account to IAM so the project would build correctly.

"You can determine its email address ({project-id}@appspot.gserviceaccount.com) and you should be able to simply re-add it to the IAM policy... Give it roles/editor. It's a Google-managed (owned) Service Account and so you can't delete the Service Account itself, just the role binding." - @DazWilkin

maximus383
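As an added example (not code from the thread or from Google), the fix the comments converge on as a repeatable, auditable script: check whether the two Google-managed App Engine accounts still hold the roles the deploy error names, and restore only the missing bindings. It assumes an authenticated `gcloud`; the flex service agent's email pattern and the role ids `roles/storage.objectViewer` and `roles/appengineflex.serviceAgent` are taken from GCP's IAM documentation, not from this page.

```shell
# Usage: PROJECT_ID=my-project sh restore_gae_bindings.sh
# Without PROJECT_ID set, nothing is executed (the functions can still be sourced).
set -eu

# Google-managed accounts named in the deploy error.
appspot_sa() { printf '%s@appspot.gserviceaccount.com\n' "$1"; }        # arg: project ID
flex_sa() { printf 'service-%s@gae-api-prod.google.com.iam.gserviceaccount.com\n' "$1"; }  # arg: project NUMBER

# has_role ROLES ROLE: exit 0 when ROLE appears in the newline-separated ROLES list.
has_role() {
  printf '%s\n' "$1" | grep -qx -- "$2"
}

# Project-level roles currently bound to MEMBER (empty when the binding was deleted).
bound_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}

# Grant ROLE to MEMBER only if the policy lacks it, and report which case applied.
ensure_role() {
  project=$1; member=$2; role=$3
  if has_role "$(bound_roles "$project" "$member")" "$role"; then
    echo "ok       $member already holds $role"
  else
    echo "missing  $member lacks $role, restoring binding"
    gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$member" --role="$role" >/dev/null
  fi
}

main() {
  project=$1
  number=$(gcloud projects describe "$project" --format="value(projectNumber)")
  # The minimum the error message asks for. The project default for the appspot
  # account is roles/editor (as noted in the comments), far broader than pulling
  # a Container Registry image needs; grant that instead only if other code depends on it.
  ensure_role "$project" "$(appspot_sa "$project")" roles/storage.objectViewer
  ensure_role "$project" "$(flex_sa "$number")" roles/appengineflex.serviceAgent
}

if [ -n "${PROJECT_ID:-}" ]; then
  main "$PROJECT_ID"
fi
```

Run it once to repair the bindings, and again after the next `gcloud app deploy` to confirm nothing else removed them.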
0

This troubleshooting guide:

https://cloud.google.com/appengine/docs/standard/troubleshooting#service-account-permissions

should solve your issue. I had the same issue and fixed it by granting the Storage Object Viewer role to the default App Engine service account.

MrMuppet
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Feb 25 '23 at 09:19