1
votes

I have set up a Compute Engine instance for centralised maintenance and updating of App Engine Flex instances. One reason for this is to keep the database and other credentials inside the Google Project and not to store them on local development machines.

When I am trying to flex deploy with

gcloud app deploy

I get an error

ERROR: (gcloud.beta.app.deploy) Permissions error fetching application [<project here>]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.

The service account is the default Compute Engine account, and I have enabled the Editor role for it in IAM. I also tried enabling all App Engine roles but it did not change the situation.

Is there a way to make deployments from Compute Engine and if so what would be the correct credentials or am I missing some steps here?

1 Answer

6
votes

I created a new Compute Engine Instance and tried issuing the same command as you are running. I also encountered the same issue. Here is how I've managed to resolve it.

1) Stop the instance

2) Navigate to IAM > Service Accounts > Create Service Account

3) Create a new service account and ensure you add roles for 'App Engine Admin' or 'App Engine Deployer' in addition to 'Storage Admin', 'Project Editor' and 'Cloud Container Builder Editor' to the service account. So in total you should have a minimum of 4 roles assigned to the service account, plus any other roles you think you may need for your application.

4) Edit the stopped instance (from step 1) and change the service account to the new service account you created.

When you restart the instance you should now have the correct permissions/roles to deploy your App Engine Flex App from the instance.

There was an authorisation issue because the Compute Engine default service account isn't assigned the roles required for deploying applications to App Engine flex, as various APIs are utilised in this process. By assigning the roles required for App Engine Flex deployments to a new service account, and then adding the service account to the instance, the instance then has the required authorisation to interact with other GCP APIs needed for App Engine Flex deployments.
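
The console steps from the answer above, expressed as gcloud commands. This is an added example, not part of the original answer. The project, zone, instance and account names are placeholders; the role IDs are assumed to match the role names in the answer (with the narrower App Engine Deployer chosen over Admin); and `--scopes cloud-platform` is an addition the answer does not mention.

```shell
#!/usr/bin/env bash
# Added example: dedicated deploy service account for a Compute Engine VM.
# Dry run by default (commands are only printed); set APPLY=1 to execute them.

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Role IDs assumed to correspond to the roles named in the answer.
# "Cloud Container Builder Editor" is taken to be today's Cloud Build Editor.
deploy_roles() {
  printf '%s\n' \
    roles/appengine.deployer \
    roles/storage.admin \
    roles/editor \
    roles/cloudbuild.builds.editor
}

# Usage: setup_deployer PROJECT ZONE INSTANCE SA_NAME  (all placeholders)
setup_deployer() (
  project=$1 zone=$2 instance=$3 sa_name=$4
  sa_email="${sa_name}@${project}.iam.gserviceaccount.com"

  # 1) Stop the instance; its service account can only be changed while stopped.
  run gcloud compute instances stop "$instance" --zone "$zone" --project "$project"

  # 2) Create the dedicated service account.
  run gcloud iam service-accounts create "$sa_name" --project "$project"

  # 3) Grant each deployment role to the new account at project level.
  for role in $(deploy_roles); do
    run gcloud projects add-iam-policy-binding "$project" \
      --member "serviceAccount:${sa_email}" --role "$role"
  done

  # 4) Attach the account to the VM. The cloud-platform scope (an assumption,
  #    not in the answer) leaves access control to the IAM roles granted above.
  run gcloud compute instances set-service-account "$instance" --zone "$zone" \
    --project "$project" --service-account "$sa_email" --scopes cloud-platform

  # Restart the instance so it picks up the new identity.
  run gcloud compute instances start "$instance" --zone "$zone" --project "$project"
)

# Run directly with four arguments to print (or, with APPLY=1, execute) the plan.
if [ "$#" -eq 4 ]; then setup_deployer "$@"; fi
```

After applying, `gcloud projects get-iam-policy PROJECT` shows which roles the new account actually holds, which is worth reviewing because Project Editor is far broader than the App Engine roles.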