I'm using the gcloud SDK to try to deploy a Dockerfile and app.yaml to app engine. My App Engine service account has Project Editor and Storage Admin and SQL Client roles, and the Cloud Build, App Engine, and App Engine Flexible APIs are all enabled. Nonetheless, I keep encountering this error with gcloud beta:
ERROR: (gcloud.beta.app.deploy) Error Response: [7] Unable to write to staging bucket staging.
<project name>.appspot.com. Please grant access to the App Engine service account on your project
by visiting https://console.developers.google.com/storage/browser?project=<project name>
and this (less clear) error with vanilla gcloud:
ERROR: (gcloud.app.deploy) INVALID_ARGUMENT: unable to resolve source
In a different sandbox/dev project, I didn't have this issue, but in this production project, that hasn't been the case. Adding the SAs manually makes no difference. And weirdly, the deploy is writing the files to the staging bucket, so I don't trust this error. Where it seems to be failing is the step immediately after that--maybe App Engine Flexible service account agent wants to access them; maybe the Dockerfile needs to be passed onward to Cloud Build SA; but in any case, I have tried every combination of granting bucket access to both App Engine and Cloud Build SAs and their agents as well, and it hasn't worked.
My user account has app engine deployer role assigned to it, and even impersonating the App Engine account with its editor role didn't make a difference. Cloud Build has App Deployer role as well.
gcloud beta app deploy, why not usegcloud app deploy? This could be part of the issue. – Rafael Lemos