User permissions question


Dave Chen

Feb 13, 2017, 11:24:56 AM
to Google App Engine
Simple question: I'm trying to set up a new project with a user to administer and deploy App Engine applications. Ideally the user will have as limited an IAM role as possible. My first try is to give the user
- Project Editor
- AppEngine.admin

But when running ``gcloud app create`` the return is "insufficient permissions". I've not been able to find this described in the documentation--can someone please lend a hand?
Thanks!
-dave

Nicholas (Google Cloud Support)

Feb 15, 2017, 2:46:12 PM
to Google App Engine
The roles you've specified (Project Editor and App Engine Admin) should be sufficient to allow a given account to deploy an App Engine application to your project. The Access Control article shows a helpful matrix of App Engine roles and the abilities they grant. You may also want to consider App Engine Deployer for even more restrictive permissions, allowing deployment only and no management of config (dispatch, cron, etc.) changes, depending on the roles the user plays.

As for the 403 encountered by said user, it may be that the member you added to the project is not the credential used by that user when they ran gcloud auth login. They can use gcloud info to see what account the gcloud commands are being invoked from. If they are authenticated with gcloud using use...@your-domain.com and use...@your-domain.com has both Project Editor and App Engine Admin roles associated with it, I'd recommend filing a new issue on the Google Cloud Platform public issue tracker. If doing so, be sure to include a link to it here. This way, I can make the issue private so you can safely provide the project ID, timestamps and username in question so that we can investigate this more thoroughly.

Nicholas (Google Cloud Support)

Feb 15, 2017, 5:06:01 PM
to Google App Engine
I must apologize, as this was partly incorrect. While the roles you specified allow one to deploy a new version of the application, one still cannot create an App Engine application (gcloud app create). This, though only required one time, should be done from an account with the Project Owner role. I hope that clarifies the confusion.

Dave Chen

Feb 16, 2017, 11:09:56 AM
to Google App Engine
Hi Nick, thanks very much for confirming what we had seen. Looking at the Access Control article, it was not apparent that Project Owner was required for the first step.
Best,
-dave

Nicholas (Google Cloud Support)

Feb 16, 2017, 12:15:44 PM
to Google App Engine
Agreed. gcloud app create under the hood essentially invokes app.create, which requires the very wide-reaching https://www.googleapis.com/auth/cloud-platform scope. I've submitted some feedback to the documentation suggesting that app creation requirements be mentioned on the Access Control article, as it does relate to App Engine actions while requiring permissions outside of App Engine.
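The thread's two conclusions, that the active gcloud account must actually be the IAM member that was granted the roles, and that `gcloud app create` needs Project Owner while deploying a version needs only Editor + App Engine Admin (or App Engine Deployer, without config changes), can be checked mechanically against a project's IAM policy. The script below is an added example and is not code from the thread or from Google; it encodes the role requirements exactly as stated in the posts above (the 2017 answer, so check the current Access Control documentation before relying on it), reads a policy in the shape that `gcloud projects get-iam-policy PROJECT --format=json` prints, and maps the bare e-mail that `gcloud config get-value account` returns onto the `user:`/`serviceAccount:` member form used in bindings. The role ID `roles/appengine.appAdmin` is the IAM identifier for the console's "App Engine Admin" (the original post's "AppEngine.admin"); the e-mail addresses, project name and policy contents are constructed sample data.

```python
"""Added example (not from the thread): decide, from a project's IAM policy,
which App Engine actions an account can perform, using the role requirements
stated in this thread. SAMPLE_POLICY is a constructed sample in the shape of
`gcloud projects get-iam-policy PROJECT --format=json`."""
import json
import sys

# Role IDs as they appear in IAM policy bindings (console display names in comments).
OWNER = "roles/owner"                    # Project Owner
EDITOR = "roles/editor"                  # Project Editor
APP_ADMIN = "roles/appengine.appAdmin"   # App Engine Admin (the thread's "AppEngine.admin")
DEPLOYER = "roles/appengine.deployer"    # App Engine Deployer

# Constructed sample policy: dave has Editor + App Engine Admin (the thread's
# first attempt), ops-owner is a Project Owner, and ci is a service account
# holding only App Engine Deployer. Names and project are made up.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": OWNER, "members": ["user:ops-owner@example.com"]},
        {"role": EDITOR, "members": ["user:dave@example.com"]},
        {"role": APP_ADMIN, "members": ["user:dave@example.com"]},
        {"role": DEPLOYER, "members": ["serviceAccount:ci@my-proj.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXYZ",
    "version": 1,
})


def as_member(account: str) -> str:
    """Turn the bare e-mail that `gcloud config get-value account` prints into the
    member string used in IAM bindings. Heuristic: service-account e-mails end in
    gserviceaccount.com; anything else is treated as a human user."""
    if account.endswith(".gserviceaccount.com"):
        return f"serviceAccount:{account}"
    return f"user:{account}"


def roles_for(policy_json: str, member: str) -> set:
    """Project-level roles bound directly to `member`.
    Group memberships are not expanded, so a role granted via a group will not show."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def can_create_app(roles: set) -> bool:
    """`gcloud app create` (app.create) needs Project Owner, per the thread's final answer."""
    return OWNER in roles


def can_deploy_version(roles: set) -> bool:
    """Deploying a new version: Owner, Editor + App Engine Admin, or App Engine Deployer."""
    return OWNER in roles or (EDITOR in roles and APP_ADMIN in roles) or DEPLOYER in roles


def can_manage_config(roles: set) -> bool:
    """dispatch/cron/etc. changes: Deployer alone is not enough, per the thread."""
    return OWNER in roles or (EDITOR in roles and APP_ADMIN in roles)


def report(policy_json: str, account: str) -> dict:
    """Summarise what `account` (bare e-mail, as gcloud reports it) may do."""
    member = as_member(account)
    roles = roles_for(policy_json, member)
    return {
        "member": member,
        "roles": sorted(roles),
        "app_create": can_create_app(roles),
        "deploy_version": can_deploy_version(roles),
        "manage_config": can_manage_config(roles),
    }


if __name__ == "__main__":
    # Real use:
    #   gcloud projects get-iam-policy PROJECT --format=json > policy.json
    #   python check_appengine_roles.py policy.json "$(gcloud config get-value account)"
    # With no arguments the constructed sample policy and dave@example.com are used.
    policy_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    account = sys.argv[2] if len(sys.argv) > 2 else "dave@example.com"
    for key, value in report(policy_text, account).items():
        print(f"{key}: {value}")
```

Running it for the sample user reproduces the thread: deploy_version is True but app_create is False, so the fix is to run `gcloud app create` once from an Owner account and leave the day-to-day deployer at the narrower roles. If `roles` comes back empty for the account gcloud reports, the member that was granted the roles and the credential gcloud is using do not match, which is the first thing the support answer above asked to verify.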