The following sections cover app initialization and serving errors.
Permission error when creating an app with the default service account
When you create an app after enabling the App Engine API for the first time, it fails with the following errors:
gcloud CLI
An internal error occurred while calling service consumer manager for service account.
Creating App Engine application in project [PROJECT__ID] and [REGION]....failed. DEBUG: (gcloud.app.create) Error Response: [13] an internal error has occurred
Request logs
Service account creation is not allowed on this project.
Console
Error while initialising App Engine.
This error can occur due to the enforcement of the organization policy constraint constraints/iam.disableServiceAccountCreation when creating your app. This policy prevents the provisioning of the App Engine default service account PROJECT_ID@appspot.gserviceaccount.com.
To resolve this issue, you must temporarily remove the organization policy constraint constraints/iam.disableServiceAccountCreation to allow for the creation and deployment of the App Engine default service account. The default service account is necessary for app creation and can't be skipped. This is also applicable when you use a per-version service account.
After successful deployment, the App Engine default service account can be deleted or replaced with a service account that you create.
If you are using a service account that you created, review the Overview of role recommendations to understand how to restrict its permissions, such as granting the service agent a token creator role on the service account that you create.
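The temporary removal described above is safest when the constraint is lifted only for the duration of app creation and put back even if creation fails. The following is an added example, not Google's code; the function names are hypothetical, and it assumes the effective policy reports `booleanPolicy.enforced` and that re-enforcing right after `gcloud app create` is acceptable for your project.

```shell
#!/usr/bin/env bash
# Added example, not Google's code. Requires permission to edit org policies.
CONSTRAINT="iam.disableServiceAccountCreation"

# Returns 0 if the constraint is effectively enforced on the project,
# 1 if it is not, 2 if the policy could not be read.
# Assumption: the effective policy reports booleanPolicy.enforced.
constraint_enforced() {
  local project="$1" value
  value="$(gcloud resource-manager org-policies describe "$CONSTRAINT" \
    --project="$project" --effective \
    --format='value(booleanPolicy.enforced)')" || return 2
  [ "$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')" = "true" ]
}

# Creates the App Engine app, lifting the constraint only for the duration
# of `gcloud app create` and re-enforcing it even when creation fails.
create_app_with_policy_window() {
  local project="$1" region="$2" state=0 rc=0
  constraint_enforced "$project" || state=$?
  [ "$state" -le 1 ] || return "$state"   # policy unreadable: change nothing
  if [ "$state" -eq 1 ]; then             # not enforced: nothing to lift
    gcloud app create --project="$project" --region="$region"
    return
  fi
  gcloud resource-manager org-policies disable-enforce "$CONSTRAINT" \
    --project="$project" || return 1
  gcloud app create --project="$project" --region="$region" || rc=$?
  if ! gcloud resource-manager org-policies enable-enforce "$CONSTRAINT" \
      --project="$project"; then
    echo "WARNING: $CONSTRAINT is NOT enforced on $project; fix manually" >&2
    return 3
  fi
  return "$rc"
}

# Usage: create_app_with_policy_window PROJECT_ID REGION
```

Re-enforcing with `enable-enforce` leaves an explicit project-level policy, so where the constraint was inherited from a folder or organization, the project then enforces it directly rather than by inheritance.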
Security errors when using legacy bundled services for Python
If you use a legacy bundled services API when a Python 3 app is starting up, you might see the following error message:
Attempted RPC call without active security ticket
This error can occur in scenarios such as reading certain values from Memcache when your app is starting to configure a database connection or set a global variable.
To resolve this issue, you could try moving such logic into a warmup request.