This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Error to deploy Google App Engine with gcloud build submit

Posted on 10-10-2024 01:30 AM
rakon92
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello!

I am trying to deploy an app with gcloud build submit and I am launching the command:

gcloud builds submit --substitutions _XXX=dev --project=dev-bbva-devops-metrics --config=cloudbuild.yaml --ignore-file=.gcloudignore --service-account=projects/XXXXX/serviceAccounts/XXXX@appspot.gserviceaccount.com

I use an appspot service account to read artifacts because this is the account which has permissions.

I have the next error and I am not able to fix it:

ERROR: (gcloud.builds.submit) PERMISSION_DENIED: generic::permission_denied: caller does not have permission to act as service account projects/XXX/serviceAccounts/XXXX. This command is authenticated as [MY_EMAIL] which is the active account specified by the [core/account] property

What could be a solution?

 

0 1 1,037
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
-Rhett
Staff
Reply posted on --/--/---- --:-- AM

Hi @rakon92,

Welcome to the Google Cloud Community!

From the error message, it looks like your Appspot service account doesn’t have the necessary permissions to submit a Cloud Build. Here’s how you can grant Identity and Access Management (IAM) permissions to your Appspot service account:

  1. Go to Cloud Build Settings.
  2. From the Service account drop-down, select your Appspot service account.
  3. Enable the App Engine Admin and Service Account User roles, since these are required to deploy on App Engine.
    Rhett_1-1729095671313.png
  4. Try submitting your Cloud Build again.
  5. If the error persists, you might need to enable the Cloud Build Service Account role for your Appspot service account.

To enable the role, go to the IAM page.

  1. Click the checkbox Include Google-provided role grants. Search for your Appspot service account from the list.
    Rhett_2-1729095712026.png

  2. Click the pencil icon to Edit principal in that row, then click Add another role.
  3. Select the Cloud Build Service Account role from the list, then Save.
  4. Check if you can submit your build.

If the error persists, you can try this workaround:

  1. Create a new service account.
  2. Configure it to use Cloud Build, instead of relying on the Appspot service account.

You may also share your Cloud build logs here for more context and diagnosis.

I hope this helps!

0 Likes
Top Solution Authors
View all