Hi - new to App Engine and working through the demo which fails, despite repeated attempts across different projects. I'm running this demo as written in the docs: https://cloud.google.com/appengine/docs/standard/python3/building-app/deploying-web-service. I'm running a straight "gcloud app deploy" and I've done it locally and through the cloud terminal. I'm able to write the files into the bucket fine, but getting "Failed to create cloud build: invalid bucket "staging.testservice2-424922.appspot.com"; default Cloud Build service account or user-specified service account does not have access to the bucket"
I followed the AppEngine troubleshooting guide, giving my user account deploy permissions, and verifying that my cloud build system account has access to the bucket, which it seems to. gcloud auth list shows my user account as the one that is the active credentialed account and I'm signed in (otherwise, shouldn't be able to upload). I've tried giving the cloudbuild account owner permissions and so on to no avail.
I'll also note that I've given the service accounts and my user account the cloud build editor role, and I've enabled the Appengine API as well as the cloud build API. I disabled and re-enabled cloud build as well and that didn't help. The Troubleshooting (https://cloud.google.com/appengine/docs/standard/troubleshooting) doesn't have the precise error message in it, but it does include "Permission denied." I'm finding a bunch of similar issues in Stack Overflow but no consistent solution.
Help?
Hello @ChrisVM, welcome to the Google Cloud Community.
I created a fresh project, downloaded the repo, and deployed the building-an-app-1 application, as per your tutorial link. I didn't change ANY IAM permissions or anything. Are you able to provide logs from Logs Explorer while performing gcloud app deploy?
URL with info on how to check logs: https://cloud.google.com/appengine/docs/standard/nodejs/building-app/viewing-service-logs
Please enter your numeric choice: 17
Creating App Engine application in project [test-425218] and region [us-central]....done.
Services to deploy:
descriptor: [/home/damian_sztankowski/python-docs-samples/appengine/standard_python3/building-an-app/building-an-app-1/app.yaml]
source: [/home/damian_sztankowski/python-docs-samples/appengine/standard_python3/building-an-app/building-an-app-1]
target project: [test-425218]
target service: [default]
target version: [20240602t182335]
target url: [https://test-425218.uc.r.appspot.com]
target service account: [XXXXXXXX.gserviceaccount.com]
Do you want to continue (Y/n)? Y
Beginning deployment of service [default]...
Created .gcloudignore file. See `gcloud topic gcloudignore` for details.
Uploading 9 files to Google Cloud Storage
11%
22%
33%
44%
56%
67%
78%
89%
100%
100%
File upload done.
Updating service [default]...done.
Setting traffic split for service [default]...done.
Deployed service [default] to [https://test-425218.uc.r.appspot.com]
You can stream logs from the command line by running:
$ gcloud app logs tail -s default
To view your application in the web browser run:
$ gcloud app browse
damian_sztankowski@cloudshell:~/python-docs-samples/appengine/standard_python3/building-an-app/building-an-app-1 (test-425218)$
--
cheers,
DamianS
LinkedIn medium.com Cloudskillsboost
Hi Damian - thanks for following up. It magically started working on Friday, with no code changes or other permission changes. The only thing I changed at all was my VPC setup, which I reset to the unconfigured standard. I was working on the deploy step just for step 1, before Firebase. I did take a look at the logs and I didn't see anything meaningful that indicated what the problem was. At this stage, the issue is resolved.
@ChrisVM
Happy to hear that 🙂 To close this topic, mark the most proper reply as the solution.
--
cheers,
DamianS
It would also be good to know at which step you are getting this error. I'm assuming "Adding Firebase to your Web Service", as only there I saw info about a storage bucket.
--
cheers,
DamianS
Hi Damian - interesting, I decided to try to do a plain static website install to see if it worked. I created an app.yaml and a brand new app engine project. I attempted "gcloud app deploy" and once again got the same error - "default Cloud Build service account or user-specified service account does not have access to the bucket." I tried replicating my permissions from my currently working service to no avail. The source files are uploading fine. What permissions does the staging bucket need to have?
OK, update; I found that by default the app creation in console is not giving access to the bucket for the service account. This is the account named "Default App Engine service account," typically with the name "service@appspot.gserviceaccount.com." So I had to manually give that service account access to the bucket. However, that seems insufficient as now the build is failing with a log. I had to give Logs Writer access, and now I get
Getting the same error. Kindly let me know if you have found any solution to it.
Grant this SA a role which contains these permissions:
Artifact Registry Service Agent. This role contains the following permissions:
--
cheers,
DamianS
Sorry which SA should I add this role Artifact Registry Service Agent to?
Thanks for replying
Default account created for AppEngine. @ChrisVM explained this here:
"OK, update; I found that by default the app creation in console is not giving access to the bucket for the service account. This is the account named "Default App Engine service account," typically with the name "service@appspot.gserviceaccount.com." So I had to manually give that service account access to the bucket. However, that seems insufficient as now the build is failing with a log. I had to give Logs Writer access, and now I get"
Thanks Damian. Now that issue is resolved. This is a new one.
It looks like permissions errors. Try to add Artifact Registry Writer to your SA.
Found the solution. https://cloud.google.com/artifact-registry/docs/transition/setup-gcr-repo This document has a note. Had to add Artifact Registry Create-on-push Writer to the appspot SA.
Having this same problem and none of these mitigation steps fixed it for me. Trying to deploy a brand new project and have followed all of these instructions ... no luck.
I have been struggling with this staging bucket not available issue for the last week. Google support too has been going back and forth. Can't deploy even a simple hello world python app!! Has anyone been able to overcome it?
I found a workaround for this GCP bug on Stack Overflow - enable the Compute Engine API in the same project where your App Engine service lives.
https://stackoverflow.com/a/78228404/382749
It is crazy that the simple "hello world" example doesn't work out-of-the-box. This really needs to be fixed on GCP's side.
I was stuck on this for hours only to realise that instead of clicking "Add another role" I had overwritten the pre-existing 'Editor' role. So, even though I had added the 'Storage Object Viewer' role, I had created another problem. Fix: Ensure your service account has both 'Editor' role and 'Storage Object Viewer' role.
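Added example, not part of any post in this thread: a small Python check that compares two IAM policy snapshots (the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`) to catch a role that was overwritten rather than added, and lists which of the roles named in the replies the App Engine default service account still lacks. The project name, member strings and both sample policies are constructed placeholders.

```python
import json

# Role IDs for the role names mentioned in the replies above. This is the
# thread's list, not an official requirement list for App Engine deploys.
THREAD_ROLES = {
    "roles/editor": "Editor",
    "roles/storage.objectViewer": "Storage Object Viewer",
    "roles/logging.logWriter": "Logs Writer",
    "roles/artifactregistry.createOnPushWriter":
        "Artifact Registry Create-on-push Writer",
}

# Constructed sample data: placeholder service account and two snapshots in
# the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SA = "serviceAccount:example-project@appspot.gserviceaccount.com"
BEFORE = json.loads("""{"bindings": [
  {"role": "roles/editor", "members": ["%s"]},
  {"role": "roles/owner", "members": ["user:dev@example.com"]}
]}""" % SA)
AFTER = json.loads("""{"bindings": [
  {"role": "roles/storage.objectViewer", "members": ["%s"]},
  {"role": "roles/owner", "members": ["user:dev@example.com"]}
]}""" % SA)

def roles_for(policy, member):
    """Set of roles the member holds in one IAM policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def diff_roles(before, after, member):
    """(lost, gained) roles for the member between two snapshots."""
    old, new = roles_for(before, member), roles_for(after, member)
    return sorted(old - new), sorted(new - old)

def missing_roles(policy, member, wanted=THREAD_ROLES):
    """Roles from the thread's list that the member does not hold."""
    held = roles_for(policy, member)
    return sorted(r for r in wanted if r not in held)

if __name__ == "__main__":
    lost, gained = diff_roles(BEFORE, AFTER, SA)
    print("lost:", lost, "gained:", gained)
    for role in missing_roles(AFTER, SA):
        print("not granted:", role, "(%s)" % THREAD_ROLES[role])
```

Saving the policy JSON before editing roles in the console gives the `BEFORE` snapshot to diff against afterwards.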