What permission is required for a service account to deploy to Google App Engine using gcloud?

It works if I replace the role App Engine -> App Engine Deployer with App Engine -> App Engine Admin.

No idea why Deployer will not be sufficient for app deployment.


As of January 2020, the documentation for App Engine Roles states:

Note: The App Engine Deployer (roles/appengine.deployer) role alone grants adequate permission to deploy using the App Engine Admin API. To use other App Engine tooling, like gcloud commands, you must also have the Compute Storage Admin (roles/compute.storageAdmin) and Cloud Build Editor (cloudbuild.builds.editor) roles.

However, this is not completely true:

  1. The cloudbuild.builds.editor is not sufficient (I suspect an error in the doc here). Indeed, the CLI apparently needs the storage.objects.list permission which is provided by cloudbuild.builds.builder.
  2. After deployment, you'll get an error because you don't have permission to change traffic splits. Thus, you need roles/appengine.serviceAdmin.

So, here is the roles list that worked for me:

  • roles/appengine.deployer
  • roles/appengine.serviceAdmin
  • roles/compute.storageAdmin
  • roles/cloudbuild.builds.builder
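
An added example, not part of the original answer: a shell helper that compares the roles a deploy service account already holds against the four roles listed above and prints the `gcloud` binding commands for the missing ones, so the account does not need App Engine Admin. The function names, project ID and service account email are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Roles the answer above reports as sufficient for deploying with gcloud.
REQUIRED_ROLES="roles/appengine.deployer
roles/appengine.serviceAdmin
roles/compute.storageAdmin
roles/cloudbuild.builds.builder"

# Read the roles currently granted (one per line on stdin) and print
# every required role that is absent. Matching is exact, so
# roles/cloudbuild.builds.editor does not satisfy ...builds.builder.
missing_roles() {
  granted="$(cat)"
  for role in $REQUIRED_ROLES; do
    printf '%s\n' "$granted" | grep -qxF "$role" || printf '%s\n' "$role"
  done
}

# Read role names on stdin and print (not run) one binding command each.
# $1 = project ID, $2 = service account email (both placeholders).
grant_commands() {
  project="$1"; sa="$2"
  while IFS= read -r role; do
    [ -n "$role" ] || continue
    printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=%s\n' \
      "$project" "$sa" "$role"
  done
}

# List the roles bound to the service account (needs gcloud and network).
current_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# Typical use, with placeholder values:
#   current_roles my-project deployer@my-project.iam.gserviceaccount.com \
#     | missing_roles \
#     | grant_commands my-project deployer@my-project.iam.gserviceaccount.com
```

The commands are printed rather than executed so they can be reviewed before any IAM policy change is applied.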