App Engine Deployer role is missing permissions to carry out the --stop-previous-version


Alan Kayahan

Jun 4, 2020, 8:09:13 AM
to Google App Engine
Hello,

I have created an account dedicated to deploying a node application on our AppEngine. The account is assigned the "App Engine Deployer" role, and used by GitHub actions to deploy on git push. 
It deploys just fine; however, the previous versions remain active and incur charges unnecessarily. To prevent this, I added the --stop-previous-version argument to the gcloud deploy command. However, I get the following warning:

Stopping version [xxxx/default/20200603t153013].
WARNING: Error stopping version [xxxx/default/20200603t153013]: PERMISSION_DENIED: The caller does not have permission
WARNING: Version [xxxx/default/20200603t153013] is still running and you must stop or delete it yourself in order to turn it off. (If you do not, you may be charged.)

The problem is resolved if I create a custom role, copying all the permissions from the default "App Engine Deployer", plus adding the "appengine.instances.delete" permission. So my questions are,
1) .delete is over-granting when the requirement is .stop which does not exist as a permission. Is there any plan on introducing finer grained permissions?
2) Any plans on updating the built-in "App Engine Deployer" role to support the --stop-previous-version argument? I read way too many incidents of being overcharged due to multiple versions running simultaneously (which is another discussion of its own on why this is the default instead of being an option), and the current state of the corresponding role is not exactly helping.

Best,
Alan 
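
The workaround described in the post above, as an added example that is not part of the original post or of Google's documentation: it copies the permissions of the predefined role, adds appengine.instances.delete, and prints what the custom role grants beyond the baseline so the over-grant can be reviewed. The role id, title and function names are assumptions, and create_deployer_role needs an authenticated gcloud.

```shell
#!/bin/sh
# Added example (not from the thread): custom role = predefined App Engine
# Deployer role + the one permission the poster found was missing.
# Role id, title and function names are assumptions chosen for illustration.
BASE_ROLE="roles/appengine.deployer"
EXTRA_PERMISSION="appengine.instances.delete"

# stdin: permissions, newline- or ';'-separated (gcloud's value() output).
# stdout: role definition accepted by `gcloud iam roles create --file`.
build_role_yaml() {
  printf 'title: "%s"\n' "$1"
  printf 'description: "%s plus %s"\n' "$BASE_ROLE" "$EXTRA_PERMISSION"
  printf 'stage: GA\nincludedPermissions:\n'
  { tr ';' '\n'; printf '\n%s\n' "$EXTRA_PERMISSION"; } \
    | sed -e 's/[[:space:]]*$//' -e '/^$/d' | sort -u | sed 's/^/- /'
}

# Print what a role file grants beyond a baseline permission list, so the
# over-grant can be reviewed before the role is created or updated.
# $1: role YAML, $2: file with baseline permissions, one per line.
added_permissions() {
  sed -n 's/^- //p' "$1" | grep -vxF -f "$2" || true
}

# Needs an authenticated gcloud; runs in a subshell so `set -e` stays local.
# $1: project id, $2: custom role id (e.g. appengineDeployerStopPrevious).
create_deployer_role() (
  set -e
  base="$(mktemp)"; role="$(mktemp)"
  trap 'rm -f "$base" "$role"' EXIT
  gcloud iam roles describe "$BASE_ROLE" --format='value(includedPermissions)' \
    | tr ';' '\n' > "$base"
  # Without pipefail a failed describe leaves an empty list; stop here if so.
  [ -s "$base" ] || { echo "could not read $BASE_ROLE" >&2; exit 1; }
  build_role_yaml "App Engine Deployer (stop previous version)" < "$base" > "$role"
  echo "Granted beyond $BASE_ROLE:"; added_permissions "$role" "$base"
  gcloud iam roles create "$2" --project="$1" --file="$role"
)
```

A custom role built this way is a snapshot: permissions later added to the predefined role are not picked up until the script is re-run and the role updated.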

David (Cloud Platform Support)

Jun 4, 2020, 2:58:35 PM
to Google App Engine

Hello,

You are able to create a feature request for each of your inquiries:

1- To introduce finer-grained permissions that only include .stop

2- For the App Engine Deployer role to support the --stop-previous-version argument

Then you would just need to follow those feature requests for any updates.


Alan Kayahan

Jun 5, 2020, 2:24:58 PM
to google-a...@googlegroups.com

Fantastic, thanks David!
