Tags: google-app-engine, google-cloud-platform, permissions, permission-denied

gcloud app deploy error: The "vpcaccess.connectors.use" permission is required


I have a Go application and tried to deploy it to Google App Engine with the Google Cloud SDK command line from a local machine, using a custom service account.

I created a custom service account with these roles:

and authenticated locally with this account:

gcloud auth activate-service-account account_name@project-name.iam.gserviceaccount.com --key-file=key.json

I also configured the service account in my app.yaml:

service_account: account_name@project-name.iam.gserviceaccount.com

But when I try to deploy

gcloud app deploy -v 1   

I get the error:

Beginning deployment of service [default]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 0 files to Google Cloud Storage                ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: Operation is not allowed. The "vpcaccess.connectors.use" permission is required.

I cannot understand why the vpcaccess.connectors.use permission is still required even though I have the Serverless VPC Access User role. I found the role on this Google docs page.

Has anyone run into a similar problem? Please help me :)

UPD: even if I give the Owner role, I still get the error.


Solution

  • One way to fix this error is to remove the vpc_access_connector: configuration from app.yaml; however, that means your App Engine app has to connect via the internet to reach the resources on your subnet.

    If you do need vpc_access_connector configured, add Serverless VPC Access User and Compute Viewer IAM roles to the service account doing the deployment. Add the roles to the project where the VPC Access connector is configured.

    This error will also appear when the connector does not exist (or exists somewhere else).

    Check that the project-id, region and connector name in app.yaml are correct and refer to a connector that exists in https://console.cloud.google.com/networking/connectors/list?project=<project_id>

    vpc_access_connector:
      name: projects/project-id/locations/the-zone/connectors/my-connector-name
    

    If you have a Shared VPC, the serverless access connector can either be in the host project or the service project. See: Configure connectors in Shared VPC service projects

    If the connector is in the host project of a Shared VPC, you must give the deploying service account the Serverless VPC Access Viewer (vpcaccess.viewer) role on the host project. Compute Network Viewer (compute.networkViewer) on the host project is also recommended.
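The answer above boils down to two pre-deployment checks: does the connector named in app.yaml actually exist in that project and region, and does the deploying service account hold the roles that carry vpcaccess.connectors.use (and Compute Viewer) on that project. The script below is an added example, not code from the question or the answer. It parses the connector resource name out of app.yaml, reports which of the recommended roles are missing from the roles bound to the service account, and, when gcloud is installed, runs the live checks with gcloud commands. The service-account address, project, region and connector names are placeholders; the list of roles that satisfy each check (Serverless VPC Access User or Admin, Compute Viewer, or Owner) is the answer's advice plus the roles that contain those permissions, not an exhaustive list.

```shell
#!/usr/bin/env sh
# Added example (not from the original question or answer): pre-deployment check for the
# "vpcaccess.connectors.use permission is required" error from gcloud app deploy.
# Placeholders: account_name@project-name.iam.gserviceaccount.com, my-proj, us-central1, my-conn.

# Split a full connector resource name into "project region connector".
# Fails (exit 1) unless the name is projects/<project>/locations/<region>/connectors/<name>.
# Note: Serverless VPC Access connectors are regional, so <region> is e.g. us-central1.
parse_connector_name() {
  name=$1
  case $name in
    projects/*/locations/*/connectors/*) ;;
    *) return 1 ;;
  esac
  project=${name#projects/};    project=${project%%/*}
  region=${name#*/locations/};  region=${region%%/*}
  connector=${name##*/connectors/}
  [ -n "$project" ] && [ -n "$region" ] && [ -n "$connector" ] || return 1
  printf '%s %s %s\n' "$project" "$region" "$connector"
}

# Print the vpc_access_connector.name value from an app.yaml (first match, comments and
# quotes stripped). Only looks inside the vpc_access_connector: block so other keys
# named "name" elsewhere in the file are ignored.
connector_from_app_yaml() {
  awk '
    /^vpc_access_connector:/ { in_block = 1; next }
    in_block && /^[^[:space:]#]/ { in_block = 0 }          # next top-level key ends the block
    in_block && /^[[:space:]]+name:/ {
      sub(/^[[:space:]]+name:[[:space:]]*/, "")
      sub(/[[:space:]]*#.*$/, "")
      gsub(/["'"'"']/, "")
      print; exit
    }' "$1"
}

# True if any of the roles given as arguments appears (as a whole line) in $1.
has_any_role() {
  granted=$1; shift
  for r in "$@"; do
    printf '%s\n' "$granted" | grep -qxF -- "$r" && return 0
  done
  return 1
}

# Given the roles bound to the service account (one per line), print each recommended
# role that is not covered and return 1 if anything is missing.
# roles/vpcaccess.user is what the answer recommends; roles/vpcaccess.admin and roles/owner
# also contain vpcaccess.connectors.use (assumption based on their permission lists).
missing_roles() {
  granted=$1
  missing=0
  if ! has_any_role "$granted" roles/vpcaccess.user roles/vpcaccess.admin roles/owner; then
    echo roles/vpcaccess.user; missing=1
  fi
  if ! has_any_role "$granted" roles/compute.viewer roles/owner; then
    echo roles/compute.viewer; missing=1
  fi
  return $missing
}

# Live check: needs gcloud and credentials, so it is not exercised offline.
#   $1 = deploying service account, $2 = full connector resource name from app.yaml
check_deployment_access() {
  sa=$1
  parts=$(parse_connector_name "$2") || { echo "malformed connector name: $2" >&2; return 1; }
  set -- $parts
  project=$1 region=$2 connector=$3
  # 1. Does the connector exist where app.yaml says it does? (the answer's "connector does
  #    not exist or exists somewhere else" case)
  gcloud compute networks vpc-access connectors describe "$connector" \
      --region "$region" --project "$project" --format='value(state)' || return 1
  # 2. Which roles does the service account hold on that project? Must include the roles
  #    the answer names; for a Shared VPC host project, run this against the host as well.
  granted=$(gcloud projects get-iam-policy "$project" \
      --flatten='bindings[].members' \
      --filter="bindings.members:serviceAccount:$sa" \
      --format='value(bindings.role)')
  missing_roles "$granted"
}

# Usage: sh check_vpc_access.sh account_name@project-name.iam.gserviceaccount.com [app.yaml]
if [ $# -ge 1 ] && command -v gcloud >/dev/null 2>&1; then
  check_deployment_access "$1" "$(connector_from_app_yaml "${2:-app.yaml}")"
fi
```

Run it from the directory holding app.yaml with the deploying service account as the first argument; it exits non-zero and names the missing role(s) or prints gcloud's error when the connector cannot be described. For the Shared VPC case in the answer, repeat the `get-iam-policy` step against the host project and look for roles/vpcaccess.viewer there.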