I have a Go application and tried to deploy it to Google App Engine with the Google Cloud command line SDK from a local machine with a custom service account.
I created a custom service account with these roles:
And authorized locally with this account:
gcloud auth activate-service-account account_name@project-name.iam.gserviceaccount.com --key-file=key.json
Also, I configured the service account in my app.yaml:
service_account: account_name@project-name.iam.gserviceaccount.com
But when I try to deploy
gcloud app deploy -v 1
I get the error:
Beginning deployment of service [default]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 0 files to Google Cloud Storage ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: Operation is not allowed. The "vpcaccess.connectors.use" permission is required.
I cannot understand why the vpcaccess.connectors.use permission is still required even though I have the Serverless VPC Access User role. I found the role on this Google docs page.
Has anyone met with a similar difficulty? Please help me :)
UPD: Even if I give the Owner role I still have the error.
One way to fix this error is by removing the vpc_access_connector: configuration from app.yaml; however, that means your App Engine app needs to connect via the internet to reach the resources on your subnet.
If you do need vpc_access_connector configured, add the Serverless VPC Access User and Compute Viewer IAM roles to the service account doing the deployment. Add the roles to the project where the VPC Access connector is configured.
This error will also appear when the connector does not exist (or exists somewhere else).
Check the project-id, region and connector name in app.yaml are correct and refer to a connector that exists in https://console.cloud.google.com/networking/connectors/list?project=<project_id>
vpc_access_connector:
name: projects/project-id/locations/the-zone/connectors/my-connector-name
If you have a Shared VPC, the serverless access connector can either be in the host project or the service project. See: Configure connectors in Shared VPC service projects
If the connector is on a host project of a Shared VPC you must give the deploying service account the Serverless VPC Access Viewer (vpcaccess.viewer) role on the host project. Compute Network Viewer (compute.networkViewer) on the host is also recommended.
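The checks and role bindings described in this answer, as an added shell example that is not part of the original answer. It validates that the connector reference in app.yaml has the projects/.../locations/.../connectors/... shape, confirms the connector exists in the project and region the reference names, and binds the roles the answer lists to the deploying service account (and the host-project roles when a Shared VPC host project is given). The project IDs, region, connector name and service account below are placeholders; the role IDs roles/vpcaccess.user and roles/compute.viewer are the standard IDs of the two roles the answer names without them. DRY_RUN=1 (the default) prints the gcloud commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original answer). Placeholder identifiers:
# svc-proj, host-proj, us-central1, my-connector, deployer@... are made up.
# Set DRY_RUN=0 to actually run the gcloud commands.

DRY_RUN="${DRY_RUN:-1}"

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Return 0 if $1 has the form projects/<project>/locations/<region>/connectors/<name>
# with exactly six non-empty segments made of lowercase letters, digits and hyphens
# (assumed strict naming so that typos fail fast; a wrong reference produces the
# same PERMISSION_DENIED as missing roles).
validate_connector_ref() {
  vref=$1
  old_ifs=$IFS
  IFS=/
  set -- $vref
  IFS=$old_ifs
  [ $# -eq 6 ] || return 1
  [ "$1" = projects ] && [ "$3" = locations ] && [ "$5" = connectors ] || return 1
  for seg in "$2" "$4" "$6"; do
    case "$seg" in
      ''|*[!a-z0-9-]*) return 1 ;;
    esac
  done
  return 0
}

# Bind each role to the deploying service account in the given project.
# $1 = project, $2 = service account email, remaining args = role IDs.
grant_roles() {
  project=$1; sa=$2; shift 2
  for role in "$@"; do
    run gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$sa" --role="$role"
  done
}

# Validate the reference, confirm the connector exists where app.yaml says it is,
# then bind the roles. $1 = service project, $2 = deploying SA, $3 = connector
# reference from app.yaml, $4 (optional) = Shared VPC host project owning the connector.
check_and_grant() {
  svc_project=$1; deploy_sa=$2; ref=$3; host_project=${4:-}
  validate_connector_ref "$ref" || {
    echo "connector ref must look like projects/P/locations/R/connectors/N: $ref" >&2
    return 1
  }
  ref_project=$(printf '%s' "$ref" | cut -d/ -f2)
  ref_region=$(printf '%s' "$ref" | cut -d/ -f4)
  ref_name=$(printf '%s' "$ref" | cut -d/ -f6)
  # Fails if the connector does not exist in that project/region.
  run gcloud compute networks vpc-access connectors describe "$ref_name" \
    --region="$ref_region" --project="$ref_project"
  # Roles on the project where the connector lives.
  grant_roles "$ref_project" "$deploy_sa" roles/vpcaccess.user roles/compute.viewer
  # Extra roles on the Shared VPC host project, if the connector is there.
  if [ -n "$host_project" ] && [ "$host_project" != "$svc_project" ]; then
    grant_roles "$host_project" "$deploy_sa" roles/vpcaccess.viewer roles/compute.networkViewer
  fi
}

# Placeholder invocation: connector in a Shared VPC host project.
check_and_grant svc-proj deployer@svc-proj.iam.gserviceaccount.com \
  projects/host-proj/locations/us-central1/connectors/my-connector host-proj
```

Run it with DRY_RUN=1 first and compare the printed connector name, region and project against the vpc_access_connector: line in app.yaml before running it for real; the describe call is the quickest way to tell a missing or misplaced connector apart from a missing role.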