Several factors can cause deployment errors in App Engine,including missing permissions, changes to organization policies, and issues in your appconfiguration.

This page describes the following common deployment errors inApp Engine and methods to troubleshoot them:

• Permission errors
• Common deployment errors

Permission errors

This section describes errors that might occur when you deploy your app due tomissing account permissions or changes to organization policies.

To identify the active account you use to access Google Cloud CLI and other tools in the Google Cloud Platform, do one of the following:

• If you used the Google Cloud CLI to deploy, run thegcloud auth list command.

• If you deployed from an IDE, view the settings for the Cloud Tools plugin.

To learn why assigning only the App Engine Deployer(roles/appengine.deployer) role might not be sufficient in some cases, seeApp Engine roles.

For more information about granting roles, seeManage access to projects, folders, and organizations.

Deployment fails for new projects

You might see the following error when you deploy your app for the first time ina new project:

ERROR: (gcloud.app.deploy) Error Response: [13] Failed to create cloud build: com.google.net.rpc3.client.RpcClientException:..........invalid bucket "staging.PROJECT_ID.appspot.com"; service accountPROJECT_ID@appspot.gserviceaccount.com does not have access to the bucket

To resolve this issue, grant theStorage Admin (roles/storage.admin) role to thedefault service account. For more information, seeStore build logs in a user-created bucket.

If you have already granted the Storage Admin role, along with the otherrequired roles based on different permission errors you encounter during deployment,and are still unable to deploy your app, it might be due to the followingchanges to organization policies:

• As of May 2024, Google Cloud enforcessecure-by-default organization policies for all organizationresources. This policy prevents App Engine from granting theEditor roleto the App Engine default service accounts.

• In June 2024, Cloud Build changed the default behavior forhow Cloud Build uses service accounts in new projects. This isdetailed inCloud Build service account change. As a result of this change,new projects deploying versions for the first time might be using the defaultApp Engine service account withinsufficient permissions for deploying versions.

To resolve this issue, do the following:

• Grant theEditor role to the App Enginedefault service account (PROJECT_ID@appspot.gserviceaccount.com).

• Review the Cloud Build guidance on changes to the default service accountandopt out of the default changes in new projects.

The caller doesn't have permission to access project

The following error occurs if the service account doesn't have permission todeploy apps in the current project:

UserEMAIL_ADDRESS does not have permission to access projectPROJECT_ID (or it may not exist).

To resolve this issue, grant theApp Engine Deployer (roles/appengine.deployer) roleto the service account.

Failed to fetch metadata from the registry

The following error occurs if you use thegcloud app deploy command from a serviceaccount that doesn't have theStorage Admin (roles/storage.admin) role:

Failed to fetch metadata from the registry, with reason: generic::permission_denied

To resolve this issue, grant the Storage Admin role to the service account.

Service accounts must have permissions on the image

The following error occurs when you deploy your app:

The App Engine appspot and App Engine flexible environment service accounts musthave permissions on the imageIMAGE_NAME

This error occurs due to one of the following reasons:

• The default App Engine service account doesn't have theStorage Object Viewer (roles/storage.objectViewer) role.

  To resolve this issue, grant theStorage Object Viewer roleto the service account.

• Your project has aVPC Service Controls service perimeterthat limits access to the Cloud Storage API using access levels.

  To resolve this issue, add the service account you use to deploy your app tothe corresponding VPC Service Controls service perimeteraccessPolicies.

• After May 15, 2024, Artifact Registry hosts images for thegcr.io domain in Google Cloud projects without previous Container Registry usage. If you deploy an existing application in a new project created after this date, the service account might not have the required permissions to deploy the app. To grant the required permissions, seeDeploying to App Engine.

Failed to create Cloud Build

The following error occurs if you use thegcloud app deploy command from a serviceaccount that doesn't have the Cloud Build Editor (roles/cloudbuild.builds.editor) role.

Failed to create cloud build: Permission denied

To resolve this issue, grant theCloud Build Editor role tothe service account.

Error fetching application

The following error occurs when the service account that you used to deploy yourapp doesn't have theApp Engine Deployer role.

Permissions error fetching applicationapps/app_name. Please make sure you are using the correct project ID and that you have permission to view applications on the project.If you are running Google Cloud CLI version 328 or later, the following error occurswhen you deploy your app:make sure that you have permission to view applications on the project and thatSERVICE_ACCOUNT has the App Engine Deployer (roles/appengine.deployer) role.

To resolve this issue, grant the App Engine Deployer role to the serviceaccount that you used to deploy your app.

Error when deploying a service with a Serverless VPC Access connector

The following error occurs when the user or service account that is trying todeploy the app with a Serverless VPC Access connector doesn't have the required permissions:

Please ensure you have [compute.globalOperations.get] on the service project

To resolve this issue, ensure that the user or service account used for deploymenthas theServerless VPC Access UserandCompute Viewer IAM roles.

Timed out waiting for the app infrastructure to become healthy

The following error occurs when you deploy your app:

Timed out waiting for the app infrastructure to become flex_await_healthy

Various factors can cause this error, such as missing permissions, code errors,insufficient CPU or memory, or failed health checks.

To resolve this issue, rule out the following potential causes:

1. Check whether the organization policy for your project restricts access toexternal IP addresses. For more information, seeApp Engine flexible environment known issues.

2. Verify that you have granted the following roles to the service account thatyou use to run your application (usually the default service account,app-id@appspot.gserviceaccount.com):

   • Editor (roles/editor)

   • Storage Object Viewer (roles/storage.objectViewer)

   • Logs Writer (roles/logging.logWriter)

3. Grant the remaining roles based on your deployment errors, if the service account doesn't have them.

4. If you deploy in a Shared VPC setup and configure aninstance_tag inyourapp.yaml file, seeInvalid value error when deploying in a Shared VPC setup to fix the issue.

Error when restarting instances under running versions

The following error occurs when you deploy your app:

error when restarting the instance under the running versions

As of May 2024, Google Cloud enforces thesecure-by-default organization policies for all new organizations.This policy requires all VM instances created in new projects to enableVM Manager.For new and existing projects, this constraint prevents metadata updates thatdisable VM Manager at the project or instance level.

To resolve this issue, you mustdisable the organization policy constraintRequire OS Config (constraints/compute.requireOsConfig).

If this issue continues to persist, you must also disable the following organizationpolicies that might have been enabled at the project or the organization level:

• Define allowed external IPs for VM instances (constraints/compute.vmExternalIpAccess). If your applicationis setup to only useprivate networking,you don't have to disable this constraint.

• Disable Guest Attributes of Compute Engine metadata (constraints/compute.disableGuestAttributesAccess)

Requiredcompute.firewalls.list permission

The following error occurs when you deploy your appon a Shared VPC network:

Request to https://compute.googleapis.com/compute/v1/projects/projects/PROJECT_ID/global/firewalls?key failed, details: Required 'compute.firewalls.list' permission for 'projects/PROJECT_ID'

This error occurs if the following service accounts for thehost projectdon't have the Compute Network User (roles/compute.networkUser) role:

• Google APIs Service Agent
• App Engine flexible environment Service Agent

To resolve this issue, grant theCompute Network User role to theGoogle APIs Service Agent and App Engine flexible environment Service Agentservice accounts for the host project.

Deployment fails due to an organization policy constraint

The following error occurs when you deploy an app:

ERROR: (gcloud.app.deploy) Error Response: [13] An internal error occurred while processing task /app-engine-flex/....: Request to https://compute.googleapis.com/compute/VERSION/projects/PROJECT_ID/... failed, details: Constraint constraints/compute.disableGuestAttributesAccess violated for projectPROJECT_ID.

This might be due to the enforcement of theconstraints/compute.disableGuestAttributesAccess constraint when deploying yourapp. All apps in the App Engine flexible environment enforce this organization policy by default.

To resolve this issue, you mustdisable theconstraints/compute.disableGuestAttributesAccess constraint.

Common deployment errors

This section describes troubleshooting strategies for configuration errors in your app or project.

Invalid value error when deploying in a Shared VPC setup

The following error shows in Cloud Logging for flexible VM instances when youdeploy your app:

Invalid value for field 'resource.tags.items[1]': 'aef-instance'. Duplicatetags are not allowed: aef-instance on compute.instances.insert

This is a known issue where setting theinstance_tagin yourapp.yaml file results in errors when creating instances.

To resolve the issue, remove theinstance_tag field from yourapp.yaml file and redeploy.

Exceed the limit on maximum instances

The following error occurs when you deploy your app:

You may not have more than 'xx' total max instances in your project.

There is alimit for the maximum number of instances you can create per project.Requests to create additional instances fail if you exceed this limit.

To resolve this issue, set the value ofmax_instances in yourapp.yaml file to a value less thanthis limit or delete some services or versions to bring the sum ofmax_instances within the limit.

Build during deployment fails without errors in logs

The following error occurs when you deploy your app:

ERROR: (gcloud.app.deploy) Cloud build failed. Check logs at https://console.cloud.google.com/cloud-build/builds/BUILD_ID?project=PROJECT_NUMBER Failure status: UNKNOWN: Error Response: [2] Build failed; check build logs for details

If you click the link in the error message and find that all build steps weresuccessful, but the app still failed to build, it might be due to either ofthe following reasons:

• You usecustomer-managed encryption keys (CMEK).
• You set up adata retention policy for yourstaging.PROJECT_ID.appspot.com bucket.

To resolve this issue, change the following settings for your bucket:

• Set encryption toGoogle-owned and Google-managed encryption keys.
• Remove theretention policy.

Errors when deploying to an existing App Engine version

The following error might occur when deploying to an existing version in theApp Engine flexible environment:

ERROR: (gcloud.app.deploy) Error Response: [9] An internal error occurred whileprocessing task /app-engine-flex/flex_await_healthy/flex_await_healthy

This error indicates that updating an unhealthy deployment with aworking Docker image doesn't always result in a healthy deployment. The outcomedepends on the state of instances from the unhealthy deployment.Despite the error, if you provide a good Docker image, the deployment mighteventually become healthy. Updating an existing version with a new Docker image,though allowed, is not a good practice. There is no rollback in case of versionfailure.

Internal IP error when deploying in a Shared VPC setup

The following error might occur when deploying to a Shared VPC networksetup in a service project where the default private IP address setting(private-ranges-only) is used.

ERROR: (gcloud.app.deploy) Error Response: [13] An internal error occurred.

This error might indicate that the App Engine flexible environment Service Agent in the hostproject of the Shared VPC is not available. Either the App Engine flexible environmentService Agent is removed or the App Engine API is not enabled in the hostproject.

To resolve this issue:

1. Enable the App Engine API in the host project of the Shared VPCnetwork.
2. If the App Engine API is enabled, the App Engine flexible environment Service Agent doesn'texist in the project. Refer toRestore required role for the service agent.

Deployment failure due to lack of connectivity to Google APIs

The following error occurs when you deploy your app:

Your deployment has failed to become healthy in the allotted time and therefore was rolled back. If you believe this was an error, try adjusting the app_start_timeout_sec setting in the readiness_check section.

To resolve this issue, ensure that the VPC associated with your application has alocal static route with the0.0.0.0/0 destination and a default internet gateway next hop. If you useprivate internal-only services, then enable PGA on the selected subnet.