IAM loses permissions to deploy

Günter Grodotzki

Nov 28, 2017, 12:01:20 AM
to Google App Engine
Every now and then my IAM user / service account that I created loses the ability to do deploys:

HttpException: Permissions error fetching application [apps/PROJECT_ID]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.

Nothing changed on the permissions, everything was working fine. Even if I give that IAM user ownership rights it still does not work anymore.

I cannot even solve it by recreating the user, but must either create a completely new/different user-name (see: https://opcode12311.blogspot.co.za/2011/09/ssl-app-engine-deploy-permissions-error.html) or create a new project.

Question: Why do IAM users lose permissions, and what is the recommended way to automate deploys via Jenkins?

I do the following on my Jenkins nodes:

> gcloud config configurations create {{ item.name }} --quiet
> gcloud auth activate-service-account {{ item.account }} --key-file={{ jenkins_home }}/.gcloud-service-accounts/{{ item.name }}.json --configuration={{ item.name }} --quiet
> gcloud config set core/project {{ item.name }} --configuration={{ item.name }} --quiet


George (Cloud Platform Support)

Nov 28, 2017, 2:34:54 PM
to Google App Engine
Hello Günter, 

More information is needed to set the basis of an effective investigation. You mention you "give that IAM user ownership", which account do you mean, exactly? The service accounts for your project did not change since August. You cannot re-create the same user with an identical name, even when having deleted the initial user. You need to create a differently-named user. 

Why do you need to create a new project, if you create a new user? 

What is the output of the gcloud info command? 

What messages do you receive if you run the mentioned gcloud commands with the --verbosity debug flag? 

Have you tried running the gcloud iam command? 

To protect your private information, it is better to send replies through private email, by using the drop-down menu of the "reply" command at the top right of the edit window. 

Günter Grodotzki

Jan 2, 2018, 5:49:34 PM
to Google App Engine
OK, I was able to "solve" the issue.

On the build server I have multiple service accounts added that are bound to a project.

So when running "gcloud app deploy app.yml --version httpredir-master --project ninejkh-httpredir" it would usually select the correct configuration + service account.

I confirmed by running "gcloud config configurations list" that those "mappings" are still in order, however I also noticed that a specific account is set active which might not be correct.

For now, explicitly setting the configuration name as an arg on the app-deploy command solves the issue - it selects the correct service account and can deploy again.

I think it would be more straightforward in any case to explicitly set the configuration-name when running gcloud commands...
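
Added example, not part of the thread: a shell pre-flight for a build server that holds several service accounts. It looks up the configuration bound to the target project and emits the deploy command with `--configuration` pinned, as the last post settles on. The configuration names, account addresses and the tab-separated listing format (including `True`/`False` for the active column) are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. The listing is assumed to come from:
#   gcloud config configurations list \
#     --format='value(name,is_active,properties.core.account,properties.core.project)'
# Constructed sample rows (tab-separated: name, active, account, project).
SAMPLE_LISTING="$(printf '%s\t%s\t%s\t%s\n' \
  jenkins-proj-a False ci@proj-a.iam.gserviceaccount.com proj-a \
  jenkins-proj-b True  ci@proj-b.iam.gserviceaccount.com proj-b)"

# Print the single configuration bound to project $2 in listing $1.
# Returns non-zero when no configuration, or more than one, matches.
config_for_project() {
  local matches
  matches="$(printf '%s\n' "$1" | awk -F'\t' -v p="$2" '$4 == p { print $1 }')"
  [ -n "$matches" ] || { echo "no configuration for project $2" >&2; return 1; }
  [ "$(printf '%s\n' "$matches" | wc -l)" -eq 1 ] \
    || { echo "ambiguous configurations for project $2" >&2; return 1; }
  printf '%s\n' "$matches"
}

# Print the project of the currently active configuration in listing $1.
active_project() {
  printf '%s\n' "$1" | awk -F'\t' '$2 == "True" { print $4 }'
}

# Print the deploy command for app file $3 and project $2 with the
# configuration pinned. Warns on stderr when the active configuration points
# at a different project, the situation described in the thread.
pinned_deploy_cmd() {
  local cfg active
  cfg="$(config_for_project "$1" "$2")" || return 1
  active="$(active_project "$1")"
  [ "$active" = "$2" ] \
    || echo "active configuration targets '$active'; pinning '$cfg'" >&2
  printf 'gcloud app deploy %s --project=%s --configuration=%s --quiet\n' \
    "$3" "$2" "$cfg"
}

# Demo on the constructed listing; a Jenkins job would pass the live listing.
pinned_deploy_cmd "$SAMPLE_LISTING" proj-a app.yaml
```

Failing the job when the lookup returns non-zero keeps a deploy from silently running under whichever account happens to be active on the node.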