Running Google App Engine Deployment to an other Project trough CloudBuild

Question

I'm having a Project called "RnD" (with the ID: 1111111) in the Google Cloud where all Repositories and the CloudBuild Triggers are. Now i want to run a CloudBuild Trigger in the "RnD" Project which then Deploys to the App Engine in Project "X" (with the ID: 99999999). I gave the CloudBuild service Account in the "RnD" Project the following permission in Project "X":

• App Engine Admin
• Service Account User
• Project Browser

in the RnD Project App Engine is active and configured. On the RnD Project not since its not used there.

and this is my cloudbuild.yaml file:

steps:
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
  dir: 'api'
  entrypoint: 'bash'
  args: ['-c', 'gcloud config set project ${_TARGET_PROJECT_NAME} && gcloud config set app/cloud_build_timeout 1600 && gcloud app deploy ']

timeout: '1600s'

_TARGET_PROJECT_NAME is a Substitution configured on the Trigger and the value is the name of the Project "X". Running an build returns the following logs.

starting build "xxxxxxxxxx"

FETCHSOURCE
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint:   git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint:   git branch -m <name>
Initialized empty Git repository in /workspace/.git/
From https://source.developers.google.com/p/rnd/r/my_reponame
 * branch            xxxxxxxxxxxx -> FETCH_HEAD
HEAD is now at xxxxxx
BUILD
Pulling image: gcr.io/google.com/cloudsdktool/cloud-sdk
Using default tag: latest
latest: Pulling from google.com/cloudsdktool/cloud-sdk
0bc3020d05f1: Already exists
a5178f1195d4: Pulling fs layer
... blah blah
cc6c9aaa8146: Pull complete
Digest: sha256:xxxxxxxxx
Status: Downloaded newer image for gcr.io/google.com/cloudsdktool/cloud-sdk:latest
gcr.io/google.com/cloudsdktool/cloud-sdk:latest
Updated property [core/project].
WARNING: You do not appear to have access to project [X] or it does not exist.
Updated property [app/cloud_build_timeout].
API [appengine.googleapis.com] not enabled on project [1111111]. 
Would you like to enable and retry (this will take a few minutes)? 
(y/N)?  
ERROR: (gcloud.app.deploy) User [1111111@cloudbuild.gserviceaccount.com] does not have permission to access apps instance [X] (or it may not exist): App Engine Admin API has not been used in project 1111111 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/appengine.googleapis.com/overview?project= 1111111 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
- '@type': type.googleapis.com/google.rpc.Help
  links:
  - description: Google developers console API activation
    url: https://console.developers.google.com/apis/api/appengine.googleapis.com/overview?project= 1111111
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: googleapis.com
  metadata:
    consumer: projects/1111111
    service: appengine.googleapis.com
  reason: SERVICE_DISABLED
ERROR
ERROR: build step 0 "gcr.io/google.com/cloudsdktool/cloud-sdk" failed: step exited with non-zero status: 1

Answer 1

Looks like i had to activate the "App Engine" on the RnD Project too. Which somehow makes sense the more i think about it.

In addition to that i had to give the Cloud Build Service Account in the Project "X" more permission. I did not yet figure out the minimum permission set for this Service Account. It works if i'm giving the service Account Project Owner rights (which i shouldn't i know ;) ).