Deploy Google App From Compute Engine

I was trying to deploy a Google App Engine from a Compute Engine.

I was stuck with the following message.

ERROR: ( Permissions error fetching application [apps/nsirap]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.

I gave App Engine Admin, Cloud Build Editor and Storage Admin as seen on many post. I was sure about project name vs project ID as seen on many stack overflow comments. But still lack of privileges. Activated various API like cloud app engine admin.

I tried the output of gcloud app deploy --log-http --verbosity=debug as advice everywhere.

www-authenticate: Bearer realm="", error="insufficient_scope", scope=""
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
-- headers end --
-- body start --
  "error": {
    "code": 403,
    "message": "Request had insufficient authentication scopes.",
    "status": "PERMISSION_DENIED"

Still insufficient_scope.

My mistack was easy, but spend some time on it…

On the VM instance, there is a scope to API, to activate. Stop the instance and edit the following. Obviously, open all the API is not a best practice, but help to spot the problem.

Cloud API access scopes
Allow full access to all Cloud APIs


Update 01/06/2019

Here some more explanations, now that I learned more about GCP.

Their is two access type for VMs, this is very specifics for compute engine.

  • IAM, the global and powerful access management system. With the default service account for Compute engine.
  • Scope, historical ACL to grand access.

Even if you authenticate the gcloud with your account, not recommended, you cannot access it if the VM has not the appropriate scope.