Deploy Google App From Compute Engine
I was trying to deploy a Google App Engine from a Compute Engine.
I was stuck with the following message.
ERROR: (gcloud.app.deploy) Permissions error fetching application [apps/nsirap]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.
I gave App Engine Admin, Cloud Build Editor and Storage Admin, as seen in many posts. I was sure about project name vs project ID, as seen in many Stack Overflow comments. But I still lacked privileges. I activated various APIs, like the App Engine Admin API.
I tried the output of gcloud app deploy --log-http --verbosity=debug, as advised everywhere.
www-authenticate: Bearer realm="https://accounts.google.com/", error="insufficient_scope", scope="https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/cloud-platform.read-only"
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
-- headers end --
-- body start --
{
"error": {
"code": 403,
"message": "Request had insufficient authentication scopes.",
"status": "PERMISSION_DENIED"
}
}
Still insufficient_scope.
My mistake was simple, but I spent some time on it...
On the VM instance, there is an API access scope to activate. Stop the instance and edit the following. Obviously, opening all the APIs is not a best practice, but it helps to spot the problem.
Cloud API access scopes
Allow full access to all Cloud APIs
Update 01/06/2019
Here are some more explanations, now that I have learned more about GCP.
There are two access types for VMs; this is very specific to Compute Engine.
- IAM, the global and powerful access management system, with the default service account for Compute Engine.
- Scope, the historical ACL to grant access.
Even if you authenticate gcloud with your account (not recommended), you cannot access it if the VM does not have the appropriate scope.
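A way to confirm this diagnosis without opening every API, as an added example that is not part of the original post: the script reads the scopes the API asks for out of the www-authenticate header shown above and compares them with the scopes the VM's service account token carries. The function names and both sample values are constructed for illustration; INSTANCE and ZONE are placeholders.

```shell
#!/bin/sh
# Added example: compare the scopes an API call needs with the scopes a VM has.

# Constructed sample: the www-authenticate header from the debug output above.
SAMPLE_HEADER='www-authenticate: Bearer realm="https://accounts.google.com/", error="insufficient_scope", scope="https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/cloud-platform.read-only"'

# Constructed sample: a VM whose scopes cover storage and logging only.
SAMPLE_VM_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write'

# Print the scopes named in a www-authenticate header, one per line.
required_scopes() {
  printf '%s\n' "$1" | sed -n 's/.*scope="\([^"]*\)".*/\1/p' | tr ' ' '\n'
}

# Scopes attached to the VM's default service account (only works on the VM).
vm_scopes() {
  curl -s -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# $1 = header, $2 = granted scopes (one per line).
# The header lists alternatives: one granted scope from the list is enough.
# Prints the first match and returns 0, or returns 1 when none is granted.
first_granted() {
  for s in $(required_scopes "$1"); do
    if printf '%s\n' "$2" | grep -qxF -- "$s"; then
      printf '%s\n' "$s"
      return 0
    fi
  done
  return 1
}

# Demo on the constructed samples. On a real VM, pass "$(vm_scopes)" instead.
if match=$(first_granted "$SAMPLE_HEADER" "$SAMPLE_VM_SCOPES"); then
  echo "OK: token carries $match"
else
  echo "insufficient_scope: none of the required scopes is on this VM"
  # Fix, with the instance stopped (same setting as the console option above):
  #   gcloud compute instances set-service-account INSTANCE --zone ZONE \
  #     --scopes=cloud-platform
fi
```

Once the scope is present, the IAM roles on the VM's service account still decide what the deploy is allowed to do.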