App Engine Deployment: An App for Getting Errors

We use a service account to deploy our app to App Engine using Travis.

On each merged PR, Travis pulls the code from our GitHub repository, pulls the Docker image that contains the Google Cloud SDK, and runs gcloud app deploy. We use a service account for deployment with the Project Owner role.

Everything worked fine until I added a new service to the project that automates the generation and renewal of SSL certificates, along with a dispatch.yaml file to route traffic coming from Let's Encrypt to validate the domain. I needed to add additional permissions to renew the SSL certificates we are using for our custom domain. I deleted the current service account and created a new one with a new private key. I created a new role with the required permissions to renew and view SSL certificates in addition to the previous permissions (all appengine.* permissions). I assigned the new role and the Project Owner role to the new account. After these changes, the deployment fails when running the deploy command:

Permissions error fetching application [apps/hollowverse-c9cad]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.

      

I used the same service account on my local machine with the log level set for debug. I got this error:

DEBUG: HttpError accessing <https://appengine.googleapis.com/v1/apps/hollowverse-c9cad?alt=json>: response: <{'status': '403', 'content-length': '335', 'x-xss-protection': '1; mode=block', 'x-content-type-options': 'nosniff', 'transfer-encoding': 'chunked', 'vary': 'Origin, X-Origin, Referer', 'server': 'ESF', '-content-encoding': 'gzip', 'cache-control': 'private', 'date': 'Wed, 02 Aug 2017 14:33:50 GMT', 'x-frame-options': 'SAMEORIGIN', 'alt-svc': 'quic=":443"; ma=2592000; v="39,38,37,36,35"', 'content-type': 'application/json; charset=UTF-8'}>, content <{
  "error": {
    "code": 403,
    "message": "Operation not allowed",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ResourceInfo",
        "resourceType": "gae.api",
        "description": "The \"appengine.applications.get\" permission is required."
      }
    ]
  }
}
>
DEBUG: (gcloud.beta.app.deploy) Permissions error fetching application [apps/hollowverse-c9cad]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.

      

The description indicates that appengine.applications.get is required to complete the deployment. Looking at the permissions granted to the role assigned to the Travis account that we use for deployment, appengine.applications.get is explicitly granted:

[Screenshot: screenshot_20170802_174402]

I have assigned all possible App Engine and Project roles to the account, but the deployment still fails with the same error. However, using the default service account that is automatically created for every new project on GCP seems to work.



1 answer


I deleted the current service account and created a new one with a new private key.

This is where things went wrong. The new account had the same ID as the previous one. While I couldn't find this behavior anywhere, it looks like once the ID is used for the service account, it cannot be used again for a new account, even if the previous one is deleted.



We created a new account with a new ID (travis2@hollowverse-c9cad.iam.gserviceaccount.com instead of travis@hollowverse-c9cad.iam.gserviceaccount.com) and the issue is now fixed.
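
A check for the situation this answer describes, as an added example that is not part of the original post: IAM binds roles to a service account's internal unique ID, so a recreated account with the same email does not inherit the deleted account's bindings, which stay in the policy as deleted:serviceAccount:EMAIL?uid=ID members. The policy below is constructed sample data in the shape of gcloud projects get-iam-policy --format=json output (the custom role name and the uid are made up), and the function names are hypothetical.

```python
import json
import re

# Constructed sample policy (not real project data); uid and custom role are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": [
       "deleted:serviceAccount:travis@hollowverse-c9cad.iam.gserviceaccount.com?uid=100000000000000000001",
       "user:admin@example.com"]},
    {"role": "projects/hollowverse-c9cad/roles/deployer",
     "members": ["serviceAccount:travis2@hollowverse-c9cad.iam.gserviceaccount.com"]}
  ]
}
""")

# Member format IAM uses for a binding whose service account has been deleted.
DELETED_SA = re.compile(r"^deleted:serviceAccount:(?P<email>[^?]+)\?uid=(?P<uid>\d+)$")


def audit_service_account(policy, email):
    """Split the roles that mention `email` into live and stale bindings."""
    live, stale = [], []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member == f"serviceAccount:{email}":
                live.append(binding["role"])
                continue
            match = DELETED_SA.match(member)
            if match and match.group("email") == email:
                # Bound to the old unique ID; a recreated account does not get this role.
                stale.append((binding["role"], match.group("uid")))
    return {"live_roles": sorted(live), "stale_bindings": sorted(stale)}


def diagnose(policy, email):
    """Return 'live', 'stale-only' or 'unbound' for the given account email."""
    result = audit_service_account(policy, email)
    if result["live_roles"]:
        return "live"
    return "stale-only" if result["stale_bindings"] else "unbound"


if __name__ == "__main__":
    for name in ("travis", "travis2"):
        email = f"{name}@hollowverse-c9cad.iam.gserviceaccount.com"
        print(email, diagnose(SAMPLE_POLICY, email), audit_service_account(SAMPLE_POLICY, email))
```

A "stale-only" result means every role that names the email points at the deleted identity, so the roles have to be granted again to the recreated account or to an account with a new ID.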
