[google-appengine] Re: User permissions question

2017-02-15 Thread 'Nicholas (Google Cloud Support)' via Google App Engine
The roles you've specified (*Project Editor* and *App Engine Admin*) should 
be sufficient to allow a given account to deploy an App Engine application 
to your project.  The Access Control article shows a helpful matrix of App 
Engine roles and the abilities they grant.  You may also want to consider 
*App Engine Deployer* for even more restrictive permissions allowing 
deployment only, no management of config (dispatch, cron, etc.) changes 
depending on the roles the user plays.

As for the *403* encountered by said user, it may be that the member that 
you added to the project is not the credential used by that user when they 
ran *gcloud auth login*.  They can use *gcloud info* to see what account the 
gcloud commands are being invoked from.  If they are authenticated with 
gcloud using *use...@your-domain.com* and *use...@your-domain.com* has both 
*Project Editor* and *App Engine Admin* roles associated with it, I'd 
recommend filing a new issue on the Google Cloud Platform public issue 
tracker.  If doing so, be sure to include a link to it here.  This way, I 
can make the issue private so you can safely provide the project ID, 
timestamps and username in question so that we can investigate this more 
thoroughly.

On Monday, February 13, 2017 at 11:24:56 AM UTC-5, Dave Chen wrote:
>
> Simple question: I'm trying to set up a new project with a user to 
> administer and deploy AppEngine applications. Ideally the user will have as 
> limited an IAM role as possible. My first try is to give the user
> - Project Editor
> - AppEngine.admin
>
> But when running ``gcloud app create`` the return is "insufficient 
> permissions". I've not been able to find this described in the 
> documentation--can someone please lend a hand?
> Thanks!
> -dave
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/3e228218-83d6-4c84-8a65-d87ee231e124%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[google-appengine] Re: User permissions question

2017-02-15 Thread 'Nicholas (Google Cloud Support)' via Google App Engine
I must apologize as this was partly incorrect.  While the roles you 
specified allow one to *Deploy a new version of the application*, one still 
cannot create an App Engine application (*gcloud app create*).  This, 
though only required one time, should be done from an account with the 
*Project Owner* role.  I hope that clarifies the confusion.

On Wednesday, February 15, 2017 at 2:46:12 PM UTC-5, Nicholas (Google Cloud 
Support) wrote:
>
> The roles you've specified (*Project Editor* and *App Engine Admin*) 
> should be sufficient to allow a given account to deploy an App Engine 
> application to your project.  The Access Control article shows a helpful 
> matrix of App Engine roles and the abilities they grant.  You may also 
> want to consider *App Engine Deployer* for even more restrictive 
> permissions allowing deployment only, no management of config (dispatch, 
> cron, etc.) changes depending on the roles the user plays.
>
> As for the *403* encountered by said user, it may be that the member that 
> you added to the project is not the credential used by that user when they 
> ran *gcloud auth login*.  They can use *gcloud info* to see what account 
> the gcloud commands are being invoked from.  If they are authenticated 
> with gcloud using *use...@your-domain.com* and *use...@your-domain.com* 
> has both *Project Editor* and *App Engine Admin* roles associated with it, 
> I'd recommend filing a new issue on the Google Cloud Platform public issue 
> tracker.  If doing so, be sure to include a link to it here.  This way, I 
> can make the issue private so you can safely provide the project ID, 
> timestamps and username in question so that we can investigate this more 
> thoroughly.
>
> On Monday, February 13, 2017 at 11:24:56 AM UTC-5, Dave Chen wrote:
>>
>> Simple question: I'm trying to set up a new project with a user to 
>> administer and deploy AppEngine applications. Ideally the user will have as 
>> limited an IAM role as possible. My first try is to give the user
>> - Project Editor
>> - AppEngine.admin
>>
>> But when running ``gcloud app create`` the return is "insufficient 
>> permissions". I've not been able to find this described in the 
>> documentation--can someone please lend a hand?
>> Thanks!
>> -dave
>>
>>



[google-appengine] Re: User permissions question

2017-02-16 Thread 'Dave Chen' via Google App Engine
Hi Nick, thanks very much for confirming what we had seen. Looking at the 
Access Control article it was not apparent that Project Owner was required 
for the first step.
Best,
-dave


On Monday, February 13, 2017 at 11:24:56 AM UTC-5, Dave Chen wrote:
>
> Simple question: I'm trying to set up a new project with a user to 
> administer and deploy AppEngine applications. Ideally the user will have as 
> limited an IAM role as possible. My first try is to give the user
> - Project Editor
> - AppEngine.admin
>
> But when running ``gcloud app create`` the return is "insufficient 
> permissions". I've not been able to find this described in the 
> documentation--can someone please lend a hand?
> Thanks!
> -dave
>
>



[google-appengine] Re: User permissions question

2017-02-16 Thread 'Nicholas (Google Cloud Support)' via Google App Engine
Agreed.  *gcloud app create* under the hood essentially invokes 
*app.create* which requires very wide reaching 
*https://www.googleapis.com/auth/cloud-platform* scope.  I've submitted some 
feedback to the documentation suggesting that app creation requirements be 
mentioned on the Access Control article as it does relate to App Engine 
actions while requiring permissions outside the App Engine.

On Thursday, February 16, 2017 at 11:09:56 AM UTC-5, Dave Chen wrote:
>
> Hi Nick, thanks very much for confirming what we had seen. Looking at the 
> Access Control article it was not apparent that Project Owner was required 
> for the first step.
> Best,
> -dave
>
>
> On Monday, February 13, 2017 at 11:24:56 AM UTC-5, Dave Chen wrote:
>>
>> Simple question: I'm trying to set up a new project with a user to 
>> administer and deploy AppEngine applications. Ideally the user will have as 
>> limited an IAM role as possible. My first try is to give the user
>> - Project Editor
>> - AppEngine.admin
>>
>> But when running ``gcloud app create`` the return is "insufficient 
>> permissions". I've not been able to find this described in the 
>> documentation--can someone please lend a hand?
>> Thanks!
>> -dave
>>
>>
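
The role requirements worked out in this thread, as an added example that is not part of any message above: a small checker that takes the account gcloud is actually using and a project IAM policy, and reports whether that account can deploy and whether it can run `gcloud app create`. The function names and the sample policy are constructed for illustration; the role IDs are the IAM identifiers for the roles the thread names by display name, and only direct `user:` bindings are examined.

```python
import json

# IAM role IDs for the roles the thread names by display name.
OWNER, EDITOR = "roles/owner", "roles/editor"
APP_ADMIN, DEPLOYER = "roles/appengine.appAdmin", "roles/appengine.deployer"

# Constructed sample, shaped like the output of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["user:bob@example.com"]},
  {"role": "roles/editor", "members": ["user:alice@example.com"]},
  {"role": "roles/appengine.appAdmin", "members": ["user:alice@example.com"]},
  {"role": "roles/appengine.deployer", "members": ["user:carol@example.com"]}
], "etag": "constructed", "version": 1}
""")

def roles_for(policy, account):
    """Roles bound directly to a user; group-inherited roles are not visible here."""
    member = "user:" + account.lower()
    return {b["role"] for b in policy.get("bindings", [])
            if member in {m.lower() for m in b.get("members", [])}}

def diagnose(policy, active_account):
    """Apply the thread's rules to the account gcloud is actually using."""
    roles = roles_for(policy, active_account)
    # Per the thread: creating the app needs Project Owner; deploying works
    # with Editor + App Engine Admin, or with App Engine Deployer.
    can_create = OWNER in roles
    can_deploy = can_create or DEPLOYER in roles or {EDITOR, APP_ADMIN} <= roles
    if not roles:
        hint = "account has no direct binding; compare it with the member that was added"
    elif not can_create:
        hint = "run `gcloud app create` once from a Project Owner account"
    else:
        hint = "no role gap for create or deploy"
    return {"account": active_account, "roles": sorted(roles),
            "can_deploy": can_deploy, "can_create_app": can_create, "hint": hint}

if __name__ == "__main__":
    for acct in ("alice@example.com", "bob@example.com", "dave@example.com"):
        print(diagnose(SAMPLE_POLICY, acct))
```

The account passed in should be the one reported by `gcloud info`, since a mismatch between that account and the member added to the project produces the same 403 as a missing role.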
