Subject: Help Needed: Blocked from deploying to Google App Engine
Message:
Hello,
I am trying to deploy a web application to Google App Engine for the project svhetkasteel-test-deploy.
The deployment keeps failing due to a security policy constraint. The error message is: "Constraint 'constraints/gcp.restrictNonCmekServices' violated ... status: FAILED_PRECONDITION"
This policy requires that all services use a Customer-Managed Encryption Key (CMEK), but my App Engine deployment is not configured for that.
Could you please help me? The options seem to be:
Adjusting the restrictNonCmekServices policy for my project.
Helping me configure a CMEK for my App Engine application.
Do you have the owner role on your Google Cloud Platform (GCP)? If so, you can change the policy for your use case in GCP. Otherwise you can request the account owner to make this adjustment for you.
I am the owner; I tried to change the policy, also with help from Gemini. I can't get it solved; it is some kind of loop.
--location=global \
--keyring=my-app-engine-keyring \
--purpose=encryption \
--project=firestudio
API [cloudkms.googleapis.com] not enabled on project [174779284025]. Would you like to enable and retry (this will take a few minutes)? (y/N)?
ERROR: (gcloud.kms.keys.create) PERMISSION_DENIED: Cloud Key Management Service (KMS) API has not been used in project 174779284025 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudkms.googleapis.com/overview?project=174779284025 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry. This command is authenticated as deploy-sa@svhetkasteel-test-deploy.iam.gserviceaccount.com which is the active account specified by the [core/account] property.
- '@type': type.googleapis.com/google.rpc.ErrorInfo
domain: googleapis.com
metadata:
activationUrl: https://console.developers.google.com/apis/api/cloudkms.googleapis.com/overview?project=174779284025
consumer: projects/174779284025
containerInfo: '174779284025'
service: cloudkms.googleapis.com
serviceTitle: Cloud Key Management Service (KMS) API
reason: SERVICE_DISABLED
- '@type': type.googleapis.com/google.rpc.LocalizedMessage
locale: en-US
message: Cloud Key Management Service (KMS) API has not been used in project 174779284025
before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudkms.googleapis.com/overview?project=174779284025
then retry. If you enabled this API recently, wait a few minutes for the action
to propagate to our systems and retry.
- '@type': type.googleapis.com/google.rpc.Help
links:
- description: Google developers console API activation
url: https://console.developers.google.com/apis/api/cloudkms.googleapis.com/overview?project=174779284025
svhetkasteel-comp-96840480:~/svhetkasteel-comp{main}$ gcloud kms keys create my-app-engine-key --location=global --keyring=my-app-engine-keyring --purpose=encryption --project=firestudio
API [cloudkms.googleapis.com] not enabled on project [174779284025]. Would you like to enable and retry (this will take a few minutes)? (y/N)? y
Enabling service [cloudkms.googleapis.com] on project [174779284025]...
Operation "operations/acat.p2-174779284025-2c9d8bdf-75ed-4e99-8280-9b0278180b56" finished successfully.
ERROR: (gcloud.kms.keys.create) PERMISSION_DENIED: Permission 'cloudkms.cryptoKeys.create' denied on resource 'projects/firestudio/locations/global/keyRings/my-app-engine-keyring/cryptoKeys/my-app-engine-key' (or it may not exist). This command is authenticated as deploy-sa@svhetkasteel-test-deploy.iam.gserviceaccount.com which is the active account specified by the [core/account] property.
svhetkasteel-comp-96840480:~/svhetkasteel-comp{main}$ gcloud projects add-iam-policy-binding firestudio \
--member="serviceAccount:deploy-sa@svhetkasteel-test-deploy.iam.gserviceaccount.com" \
--role="roles/cloudkms.admin"
API [cloudresourcemanager.googleapis.com] not enabled on project [174779284025]. Would you like to enable and retry (this will take a few minutes)? (y/N)? y
Enabling service [cloudresourcemanager.googleapis.com] on project [174779284025]...
Operation "operations/acat.p2-174779284025-a8065f47-3f5e-480d-82f6-01fa40b8cff8" finished successfully.
ERROR: (gcloud.projects.add-iam-policy-binding) [deploy-sa@svhetkasteel-test-deploy.iam.gserviceaccount.com] does not have permission to access projects instance [firestudio:getIamPolicy] (or it may not exist): The caller does not have permission. This command is authenticated as deploy-sa@svhetkasteel-test-deploy.iam.gserviceaccount.com which is the active account specified by the [core/account] property
svhetkasteel-comp-96840480:~/svhetkasteel-comp{main}$ gcloud auth login
# Follow the browser instructions to log in with your administrative account
You are running on a Google Compute Engine virtual machine.
It is recommended that you use service accounts for authentication.
You can run:
$ gcloud config set account `ACCOUNT`
to switch accounts if necessary.
Your credentials may be visible to others with access to this
virtual machine. Are you sure you want to authenticate with
your personal account?
Do you want to continue (Y/n)? Y
Go to the following link in your browser, and complete the sign-in prompts:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fsdk.cloud.google.com%2Fauthcode.html&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=JhMtzvV3kYgwZGmcar7ZLqdEZ69t5j&prompt=consent&token_usage=remote&access_type=offline&code_challenge=-D_KQ8ib-BiPn-S-6it-7Y_qAOsKaaX2ot3pFi0clVg&code_challenge_method=S256
Once finished, enter the verification code provided in your browser: xfgsPmIMVZx1oQ.......
You are now logged in as [hzhenk@gmail.com].
Your current project is [svhetkasteel-test-deploy]. You can change this setting by running:
$ gcloud config set project PROJECT_ID
To take a quick anonymous survey, run:
$ gcloud survey
svhetkasteel-comp-96840480:~/svhetkasteel-comp{main}$ gcloud projects add-iam-policy-binding firestudio \
--member="serviceAccount:deploy-sa@svhetkasteel-test-deploy.iam.gserviceaccount.com" \
--role="roles/cloudkms.admin"
ERROR: (gcloud.projects.add-iam-policy-binding) [hzhenk@gmail.com] does not have permission to access projects instance [firestudio:getIamPolicy] (or it may not exist): The caller does not have permission. This command is authenticated as hzhenk@gmail.com which is the active account specified by the [core/account] property
svhetkasteel-comp-96840480:~/svhetkasteel-comp{main}$ gcloud projects add-iam-policy-binding firestudio \
--member="user:henk@gmail.com" \
--role="roles/owner"
ERROR: (gcloud.projects.add-iam-policy-binding) [hzhenk@gmail.com] does not have permission to access projects instance [firestudio:getIamPolicy] (or it may not exist): The caller does not have permission. This command is authenticated as hzhenk@gmail.com which is the active account specified by the [core/account] property
svhetkasteel-comp-96840480:~/svhetkasteel-comp{main}$ gcloud projects add-iam-policy-binding firestudio \
--member="serviceAccount:deploy-sa@svhetkasteel-test-deploy.iam.gserviceaccount.com" \
--role="roles/cloudkms.admin"
ERROR: (gcloud.projects.add-iam-policy-binding) [hzhenk@gmail.com] does not have permission to access projects instance [firestudio:getIamPolicy] (or it may not exist): The caller does not have permission. This command is authenticated as hzhenk@gmail.com which is the active account specified by the [core/account] property
svhetkasteel-comp-96840480:~/svhetkasteel-comp{main}$
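The pasted session above contains two different failures that gcloud reports under the same PERMISSION_DENIED label: a disabled API (reason SERVICE_DISABLED, fixed by enabling the API) and a genuine missing IAM permission, which persists after the API is enabled. The script below is an added example, not code from this thread or from Google; it parses ERROR lines of the shape shown above, separates the two cases, and flags when the calling service account's home project differs from the project the call targets. The three sample lines are constructed by copying the ERROR lines from the session; the Finding class and the function names are this example's own, and it never calls gcloud.

```python
"""Triage gcloud ERROR lines: disabled API vs. missing IAM permission.

Added example, not part of the original post. It only parses text and does
not call gcloud. SAMPLE_ERRORS is constructed from the three ERROR lines in
the session pasted above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_ERRORS = [
    "ERROR: (gcloud.kms.keys.create) PERMISSION_DENIED: Cloud Key Management Service "
    "(KMS) API has not been used in project 174779284025 before or it is disabled. "
    "Enable it by visiting https://console.developers.google.com/apis/api/"
    "cloudkms.googleapis.com/overview?project=174779284025 then retry. This command is "
    "authenticated as deploy-sa@svhetkasteel-test-deploy.iam.gserviceaccount.com which "
    "is the active account specified by the [core/account] property.",
    "ERROR: (gcloud.kms.keys.create) PERMISSION_DENIED: Permission "
    "'cloudkms.cryptoKeys.create' denied on resource 'projects/firestudio/locations/"
    "global/keyRings/my-app-engine-keyring/cryptoKeys/my-app-engine-key' (or it may "
    "not exist). This command is authenticated as "
    "deploy-sa@svhetkasteel-test-deploy.iam.gserviceaccount.com which is the active "
    "account specified by the [core/account] property.",
    "ERROR: (gcloud.projects.add-iam-policy-binding) [hzhenk@gmail.com] does not have "
    "permission to access projects instance [firestudio:getIamPolicy] (or it may not "
    "exist): The caller does not have permission. This command is authenticated as "
    "hzhenk@gmail.com which is the active account specified by the [core/account] property",
]


@dataclass
class Finding:
    command: str                   # subcommand from "ERROR: (gcloud.x.y)"
    kind: str                      # "service_disabled" | "missing_permission" | "unknown"
    caller: str                    # account named in "authenticated as ..."
    caller_project: Optional[str]  # home project of a service account; None for a user
    target_project: Optional[str]  # project (ID or number) the failing call was made against
    detail: str


CMD_RE = re.compile(r"^ERROR: \((?P<cmd>[\w.-]+)\)")
CALLER_RE = re.compile(r"authenticated as (?P<caller>\S+) which is the active account")
# A service account's e-mail encodes the project it was created in.
SA_RE = re.compile(r"^[\w.-]+@(?P<proj>[\w-]+)\.iam\.gserviceaccount\.com$")
DISABLED_RE = re.compile(r"API has not been used in project (?P<proj>\S+) before or it is disabled")
PERM_RE = re.compile(r"Permission '(?P<perm>[\w.]+)' denied on resource 'projects/(?P<proj>[^/']+)")
INSTANCE_RE = re.compile(r"access projects instance \[(?P<proj>[^:\]]+):(?P<method>[^\]]+)\]")


def classify(line: str) -> Finding:
    """Map one gcloud ERROR line to a Finding; SERVICE_DISABLED is checked first
    because gcloud labels it PERMISSION_DENIED as well."""
    cmd = CMD_RE.match(line)
    command = cmd.group("cmd") if cmd else "?"
    caller_m = CALLER_RE.search(line)
    caller = caller_m.group("caller") if caller_m else "?"
    sa = SA_RE.match(caller)
    caller_project = sa.group("proj") if sa else None

    if m := DISABLED_RE.search(line):
        return Finding(command, "service_disabled", caller, caller_project, m.group("proj"),
                       "enable the API on this project; it is reported by number, so "
                       "compare it with the --project target you meant")
    if m := PERM_RE.search(line):
        return Finding(command, "missing_permission", caller, caller_project, m.group("proj"),
                       f"caller lacks {m.group('perm')}")
    if m := INSTANCE_RE.search(line):
        # "projects instance [X:getIamPolicy]" is the Resource Manager permission
        # resourcemanager.projects.getIamPolicy on project X.
        return Finding(command, "missing_permission", caller, caller_project, m.group("proj"),
                       f"caller lacks resourcemanager.projects.{m.group('method')}")
    return Finding(command, "unknown", caller, caller_project, None, line)


def cross_project(f: Finding) -> bool:
    """True when a service account from one project is denied on another project.
    A service account's home project grants it nothing elsewhere; it needs an
    explicit IAM binding on the target project."""
    return (f.kind == "missing_permission" and f.caller_project is not None
            and f.target_project is not None and f.caller_project != f.target_project)


def summarize(lines: List[str]) -> List[str]:
    out = []
    for f in (classify(line) for line in lines):
        msg = f"{f.command}: {f.kind} as {f.caller} on project {f.target_project or '?'} ({f.detail})"
        if cross_project(f):
            msg += (f" -- caller lives in project {f.caller_project}; someone holding "
                    f"resourcemanager.projects.setIamPolicy on {f.target_project} must grant it")
        out.append(msg)
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_ERRORS):
        print(line)
```

Run against the session, the output shows why it feels like a loop: enabling the API clears the first error, but deploy-sa belongs to svhetkasteel-test-deploy and hzhenk@gmail.com holds no role on firestudio, so neither identity can add the binding on firestudio; that has to be done by an account that already has resourcemanager.projects.setIamPolicy there (Owner on firestudio, for instance). Separately, the session authenticated a personal account on a Compute Engine VM after gcloud warned that the stored credentials are visible to others with access to the VM; `gcloud auth revoke` removes them once the one-off task is finished.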
Just to be sure: are you attempting to change the policy in Google Cloud Platform, and are you using Gemini AI in Google Cloud, or are you trying to change the policy by prompting the AI in Firebase Studio?