Appengine gcloud 部署使用自定義服務帳戶

Question

我想將 API 部署到 App Engine 但它最終使用了錯誤的服務帳戶。 我在 gitlab 中使用了這 3 行 cmd：

 - gcloud auth activate-service-account --key-file /tmp/$CI_PIPELINE_ID.json
 - gcloud config set account NameOfServiceAccount.com
 - gcloud app deploy

我得到的是

target service account:      [App Engine default service account]
Do you want to continue (Y/n)?  
Beginning deployment of service [lettering-back]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 2 files to Google Cloud Storage                ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as

Answer 1

要部署新版本，成員必須在 App Engine 默認服務帳戶上具有服務帳戶用戶 (roles/iam.serviceAccountUser) 角色，以及 Cloud Build Editor (roles/cloudbuild.builds.editor) 和 Cloud Storage Object Admin（角色/storage.objectAdmin) 項目上的角色。

更具體地說，對於您的錯誤消息，您需要在您的服務帳戶上使用roles/iam.serviceAccountUser ，其密鑰是您放置在/tmp/$CI_PIPELINE_ID.json的密鑰

參考：第一表行在https://cloud.google.com/appengine/docs/standard/python/roles#predefined_roles