Bug P2
Comments
ja...@google.com <ja...@google.com> #2
Hey! Could you share the following details, please:
- App Engine region? I.e. us-central1, us-east1, etc.
- How are you creating tasks? I.e.:
  - Cloud SDK: gcloud tasks create-http-task
  - Client library; if so, confirm language and version
  - Directly using an HTTP client (i.e. curl) and the REST API endpoint.
- Minimal sample/repro of code that reproduces the error.
an...@ingenerator.com <an...@ingenerator.com> #3
Hi,
- App Engine region is europe-west2, Cloud Tasks queues are also running in europe-west2
- With the google/cloud-tasks PHP SDK, version 1.14.6
- Trying to create a repro sample today, I was not able to trigger the error. I then tried removing the temporary custom role with appengine.applications.get from one of our production service accounts and verified it did not get the error either.
So it looks like potentially whatever change was introduced to Tasks/AppEngine/IAM on Monday evening has already been reverted / corrected?
an...@redso.com.hk <an...@redso.com.hk> #4
I have been dispatching Cloud Tasks ("@google-cloud/tasks": "5.4.0") on GKE for several years and things worked fine until recently. I tried the workaround given by OP on July 29 by granting App Engine Viewer to my GKE service account. It worked for a while, but today the error happened again.
7 PERMISSION_DENIED: App Engine targets require "appengine.applications.get" IAM permission (https://cloud.google.com/appengine/docs/admin-api/access-control) and the API_CLOUD_PLATFORM scope (https://www.googleapis.com/auth/cloud-platform). Error: 7 PERMISSION_DENIED: App Engine targets require "appengine.applications.get" IAM permission (https://cloud.google.com/appengine/docs/admin-api/access-control) and the API_CLOUD_PLATFORM scope (https://www.googleapis.com/auth/cloud-platform).
at callErrorFromStatus (/app/node_modules/@google-cloud/tasks/node_modules/@grpc/grpc-js/src/call.ts:82:17)
at Object.onReceiveStatus (/app/node_modules/@google-cloud/tasks/node_modules/@grpc/grpc-js/src/client.ts:360:55)
at Object.onReceiveStatus (/app/node_modules/@google-cloud/tasks/node_modules/@grpc/grpc-js/src/client-interceptors.ts:458:34)
at Object.onReceiveStatus (/app/node_modules/@google-cloud/tasks/node_modules/@grpc/grpc-js/src/client-interceptors.ts:419:48)
at /app/node_modules/@google-cloud/tasks/node_modules/@grpc/grpc-js/src/resolving-call.ts:163:24
at processTicksAndRejections (internal/process/task_queues.js:77:11)
for call at
at ServiceClientImpl.makeUnaryRequest (/app/node_modules/@google-cloud/tasks/node_modules/@grpc/grpc-js/src/client.ts:325:42)
at ServiceClientImpl.<anonymous> (/app/node_modules/@google-cloud/tasks/node_modules/@grpc/grpc-js/src/make-client.ts:189:15)
at /app/node_modules/@google-cloud/tasks/build/cjs/src/v2/cloud_tasks_client.cjs:275:25
at /app/node_modules/@google-cloud/tasks/node_modules/google-gax/build/src/normalCalls/timeout.js:44:16
at OngoingCallPromise.call (/app/node_modules/@google-cloud/tasks/node_modules/google-gax/build/src/call.js:67:27)
at NormalApiCaller.call (/app/node_modules/@google-cloud/tasks/node_modules/google-gax/build/src/normalCalls/normalApiCaller.js:34:19)
at /app/node_modules/@google-cloud/tasks/node_modules/google-gax/build/src/createApiCall.js:112:30
Now I can only temporarily solve the issue by restarting pods whenever I see the error.
Description
Problem you have encountered:
We use Cloud Tasks to queue and execute HTTP target tasks.
As of approximately 2024-07-22 21:07 UTC all our task creation attempts in one of our projects have been failing with a PERMISSION_DENIED and the message: Failed to create cloud task: App Engine targets require "appengine.applications.get" IAM permission (https://cloud.google.com/appengine/docs/admin-api/access-control) and the API_CLOUD_PLATFORM scope (https://www.googleapis.com/auth/cloud-platform).
Nothing has changed in our code or system / GCP configuration.
Our tasks are created by service accounts with (only) the standard Cloud Tasks Enqueuer role. This has previously been sufficient to create an HTTP target task.
If I add a custom role with just appengine.applications.get and grant this to our service account, the error appears to be resolved and task creation resumes normally.
So far, this is only happening in one GCP project (across 2 queues with 2 separate service accounts). Our queues in other projects do not currently seem to be affected.
The affected project has AppEngine enabled for historical reasons, but does not have any running AppEngine services / configuration / etc. Our other projects do not have AppEngine enabled.
What you expected to happen:
The Cloud Tasks Enqueuer role should be sufficient to create tasks with an HTTP target, as it was until yesterday evening.
Steps to reproduce:
Based on observations of our running setup, I believe the following should reproduce the issue:
Other information (workarounds you have tried, documentation consulted, etc):
As noted above, granting the appengine.applications.get permission seems to resolve the permissions error; however, I do not believe that this permission should be required for an HTTP target task (and if it is, it should be included in Cloud Tasks Enqueuer).
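The two workarounds in this thread, a custom role holding only appengine.applications.get and the App Engine Viewer grant from comment #4, differ in how much extra access they give an enqueuer identity. The Python script below is an added example, not part of the original report or of any Google tooling; it audits a project IAM policy for that difference. The project ID, service account names, custom role name and the abbreviated role contents are constructed, and it reads direct project-level bindings only (no groups, conditions or inherited policy).

```python
import json

REQUIRED = "appengine.applications.get"
ENQUEUER = "roles/cloudtasks.enqueuer"
SA = "serviceAccount:%s@example-project.iam.gserviceaccount.com"  # constructed names

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
POLICY_JSON = json.dumps({"bindings": [
    {"role": ENQUEUER,
     "members": [SA % "queue-a", SA % "queue-b", SA % "gke-worker"]},
    {"role": "projects/example-project/roles/tasksAppEngineGet",  # hypothetical custom role
     "members": [SA % "queue-a"]},
    {"role": "roles/appengine.appViewer", "members": [SA % "gke-worker"]},
]})

# Constructed, abbreviated role contents; take real ones from `gcloud iam roles describe`.
ROLE_PERMISSIONS = {
    ENQUEUER: {"cloudtasks.tasks.create"},
    "projects/example-project/roles/tasksAppEngineGet": {REQUIRED},
    "roles/appengine.appViewer": {REQUIRED, "appengine.services.list",
                                  "appengine.versions.list", "appengine.instances.list"},
}


def audit_enqueuers(policy, role_permissions):
    """For each Cloud Tasks Enqueuer member, report how REQUIRED is granted."""
    roles_by_member = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles_by_member.setdefault(member, set()).add(binding["role"])

    report = {}
    for member, roles in roles_by_member.items():
        if ENQUEUER not in roles:
            continue  # only task-creating identities are of interest
        granting = sorted(r for r in roles if REQUIRED in role_permissions.get(r, ()))
        # Everything those roles carry beyond the one permission the error names.
        extra = set().union(*(role_permissions[r] for r in granting)) - {REQUIRED}
        report[member] = {"has_permission": bool(granting),
                          "granted_by": granting,
                          "extra_permissions": sorted(extra)}
    return report


if __name__ == "__main__":
    for member, row in sorted(audit_enqueuers(json.loads(POLICY_JSON), ROLE_PERMISSIONS).items()):
        print(member, row)
```

An enqueuer with has_permission false is one that would hit the PERMISSION_DENIED described above; a non-empty extra_permissions list marks a grant broader than the single permission the error message asks for.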