Troubleshoot App Engine errors

Deployment

If you run into problems deploying your app using the App Engine Admin API, this page lists error messages that you might see and provides suggestions for how to fix each error.

The caller does not have permission to access project

The following error occurs when you deploy your app:

User EMAIL_ADDRESS does not have permission to access project PROJECT_ID (or it may not exist): The caller does not have permission

This error occurs if the account that you used to deploy your app does not have permission to deploy apps for the current project.

To resolve this issue, grant the App Engine Deployer (roles/appengine.deployer) role to the account. To see which account you used to deploy, do one of the following:

  • If you used the gcloud command-line tool to deploy, run the gcloud auth list command.
  • If you deployed from an IDE, view the settings for the Cloud Tools plugin.

Failed to fetch metadata from the registry

The following error occurs when you deploy your app:

Failed to fetch metadata from the registry, with reason: generic::permission_denied

This error occurs if you use the gcloud app deploy command from a service account that does not have the Storage Admin (roles/storage.admin) role.

To resolve this issue, grant the Storage Admin role to the service account:

  • To see which account you used, run the gcloud auth list command.
  • To learn why assigning only the App Engine Deployer (roles/appengine.deployer) role might not be sufficient in some cases, see App Engine roles.

Service accounts must have permissions on the image

The following error occurs when you deploy your app:

The App Engine appspot and App Engine flexible environment service accounts must have permissions on the image IMAGE_NAME

This error occurs for one of the following reasons:

Failed to create cloud build

The following error occurs when you deploy your app:

Failed to create cloud build: Permission denied

This error occurs if you use the gcloud app deploycommand from an account that does not have the Cloud Build Editor (roles/cloudbuild.builds.editor) role.

To resolve this issue, grant the Cloud Build Editor role to the service account that you are using to deploy your app.

To see which account you used, run the gcloud auth list command.

Permissions error fetching application

The following error occurs when you deploy your app:

Permissions error fetching application apps/app_name. Please make sure you are using the correct project ID and that you have permission to view applications on the project

If you are running Cloud SDK version 328 or later, the following error occurs when you deploy your app:

Permissions error fetching application apps/app_name. Please
make sure that you have permission to view applications on the project and that
SERVICE_ACCOUNT has the App Engine Deployer (roles/appengine.deployer) role.

This error occurs if the account that you used to deploy your app doesn't have the App Engine Deployer (roles/appengine.deployer) role.

To resolve this issue, verify that you have granted the App Engine Deployer role to the service account that you used to deploy your app; grant the role if the service account does not have it. To see which account you used to deploy, do one of the following:

  • If you used the gcloud command-line tool to deploy, run the gcloud auth list command.
  • If you deployed from an IDE, view the settings for the Cloud Tools plugin.

Timed out waiting for the app infrastructure to become healthy

The following error occurs when you deploy your app:

Timed out waiting for the app infrastructure to become healthy

Various factors can cause this error, such as missing permissions, code errors, insufficient CPU or memory, or failed health checks. The error only occurs in the App Engine flexible environment.

To resolve this issue, rule out the following potential causes:

  1. Verify that you have granted the Editor (roles/editor role to your default App Engine service account.

  2. Check whether the organization policy for your project restricts access to external IP addresses. For more information, see App Engine flexible environment known issues.

  3. Verify that you have granted the following roles to the service account that you use to run your application (usually the default service account, app-id@appspot.gserviceaccount.com):

  4. Grant the roles if the service account does not have them.

  5. If you are deploying in Shared VPC setup and passing instance_tag in app.yaml, refer to this section to fix the issue.

Permissions error when deploying a service with Serverless VPC Connector

The following error occurs when you deploy your app:

Please ensure you have [compute.globalOperations.get] on the service project

This error occurs when the user or service account that is trying to deploy the app with Serverless VPC Connector does not have the required permissions.

To resolve this issue, ensure the user or service account doing the deployment has Serverless VPC Access User and Compute Viewer IAM roles.

Invalid value error when deploying in a Shared VPC setup

The following error shows in Cloud Logging for Flex VM instances when you deploy your app:

Invalid value for field 'resource.tags.items[1]': 'aef-instance'. Duplicate
tags are not allowed: aef-instance on compute.instances.insert

This error is because of a current known issue where setting the instance_tag results in errors when creating instances.

To resolve the issue, remove the instance_tag field from app.yaml and redeploy.

Required 'compute.firewalls.list' permission

The following error occurs when you deploy your app on a Shared VPC network:

Request to https://compute.googleapis.com/compute/v1/projects/projects/PROJECT_ID/global/firewalls?key failed, details: Required 'compute.firewalls.list' permission for 'projects/PROJECT_ID'

This error occurs if the following service accounts for the host project do not have the Compute Network User (roles/compute.networkUser) role:

To resolve this issue, verify that you have granted the Compute Network User role to the Google APIs Service Agent and App Engine flexible environment Service Agent service accounts for the host project; grant the role if the service accounts do not have it.

Build during deployment is failing without errors in build logs

The following error occurs when you are deploying your app:

ERROR: (gcloud.app.deploy) Cloud build failed. Check logs at https://console.cloud.google.com/cloud-build/builds/BUILD_ID?project=PROJECT_NUMBER Failure status: UNKNOWN: Error Response: [2] Build failed; check build logs for details

Following the link in the error message shows that all build steps were successful. However, the app failed to build.

This problem occurs if you are using Customer-managed encryption keys (CMEK) or you have set up a data retention policy for your staging.PROJECT_ID.appspot.com bucket.

To resolve this issue, change the following settings for your staging.PROJECT_ID.appspot.com bucket:

Serving

Nginx fails to connect or contact the app container

The following error only occurs in the App Engine flexible environment and typically returns with 502 errors immediately after the error:

recv() failed (104: Connection reset by peer) while reading response header from upstream

This error indicates that nginx reverse proxy (nginx sidecar) is unable to reach the app container. In the logs, you can compare the close timing of the 502 error in the nginx log with the timing of the nginx.error log. A nginx.error followed immediately by a 502 nginx error is likely the cause of the nginx 502 error.

To troubleshoot, check the logs written by the code running in your app container by connecting to the VM instance, and add more logging, if necessary, to find the root cause.