If you run into problems deploying your app using the App Engine Admin API, this page lists error messages that you might see and provides suggestions for how to fix each error.
The caller does not have permission to access project
The following error occurs when you deploy your app:
User EMAIL_ADDRESS does not have permission to access project PROJECT_ID (or it may not exist): The caller does not have permission
This error occurs if the account that you used to deploy your app does not have permission to deploy apps for the current project.
To resolve this issue,
grant the
App Engine Deployer (roles/appengine.deployer) role
to the account. To see which account you used to deploy, do one of the
following:
- If you used the
gcloudcommand-line tool to deploy, run thegcloud auth listcommand. - If you deployed from an IDE, view the settings for the Cloud Tools plugin.
Failed to fetch metadata from GCR
The following error occurs when you deploy your app:
Failed to fetch metadata from GCR, with reason: generic::permission_denied
This error occurs if you use the gcloud app deploy command from a service
account that does not have the Storage Admin (roles/storage.admin) role.
To resolve this issue, grant the Storage Admin role to the service account:
- To see which account you used, run the
gcloud auth listcommand. - To learn why assigning only the App Engine Deployer
(
roles/appengine.deployer) role might not be sufficient in some cases, see App Engine roles.
Service accounts must have permissions on the image
The following error occurs when you deploy your app:
The App Engine appspot and App Engine flexible environment service accounts must have permissions on the image IMAGE_NAME
This error occurs if the default App Engine service account does not
have the
Storage Object Viewer (roles/storage.objectViewer) role.
To resolve this issue, grant the Storage Object Viewer role to the service account.
Failed to create cloud build
The following error occurs when you deploy your app:
Failed to create cloud build: Permission denied
This error occurs if you use the gcloud app deploycommand from an account that
does not have the Cloud Build Editor (roles/cloudbuild.builds.editor) role.
To resolve this issue, grant the Cloud Build Editor role to the service account that you are using to deploy your app.
To see which account you used, run the
gcloud auth list command.
Permissions error fetching application
The following error occurs when you deploy your app:
Permissions error fetching application apps/app_name. Please make sure you are using the correct project ID and that you have permission to view applications on the project
This error occurs if the account that you used to deploy your
app doesn't have the App Engine Deployer (roles/appengine.deployer)
role.
To resolve this issue, verify that you have granted the App Engine Deployer role to the service account that you used to deploy your app; grant the role if the service account does not have it. To see which account you used to deploy, do one of the following:
- If you used the
gcloudcommand-line tool to deploy, run thegcloud auth listcommand. - If you deployed from an IDE, view the settings for the Cloud Tools plugin.
Timed out waiting for the app infrastructure to become healthy
The following error occurs when you deploy your app:
Timed out waiting for the app infrastructure to become healthy
Various factors can cause this error, such as missing permissions, code errors, insufficient CPU or memory, or failed health checks. The error only occurs in the App Engine flexible environment.
To resolve this issue, rule out the following potential causes:
Verify that you have granted the Editor (
roles/editorrole to your default App Engine service account.Check whether the organization policy for your project restricts access to external IP addresses. For more information, see App Engine flexible environment known issues.
Verify that you have granted the following roles to the service account that you use to run your application (usually the default service account,
app-id@appspot.gserviceaccount.com):Grant the roles if the service account does not have them.
If you are deploying in Shared VPC setup and passing
instance_taginapp.yaml, refer to this section to fix the issue.
Permissions error when deploying a service with Serverles VPC Connector
The following error occurs when you deploy your app:
Please ensure you have [compute.globalOperations.get] on the service project
This error occurs when the user or service account that is trying to deploy the app with Serverless VPC Connector does not have the required permissions.
To resolve this issue, ensure the user or service account doing the deployment has Serverless VPC Access User and Compute Viewer IAM roles.
Invalid value error when deploying in a Shared VPC setup
The following error shows in Cloud Logging for Flex VM instances when you deploy your app:
Invalid value for field 'resource.tags.items[1]': 'aef-instance'. Duplicate tags are not allowed: aef-instance on compute.instances.insert
This error is because of a current known issue where setting the instance_tag results in errors when creating instances.
To resolve the issue, remove the instance_tag
field from app.yaml and redeploy.
Required 'compute.firewalls.list' permission
The following error occurs when you deploy your app on a Shared VPC network:
Request to https://compute.googleapis.com/compute/v1/projects/projects/PROJECT_ID/global/firewalls?key failed, details: Required 'compute.firewalls.list' permission for 'projects/PROJECT_ID'
This error occurs if the following service accounts for the
host project
do not have the Compute Network User (roles/compute.networkUser) role:
To resolve this issue, verify that you have granted the Compute Network User role to the Google APIs Service Agent and App Engine Flexible Environment Service Agent service accounts for the host project; grant the role if the service accounts do not have it.