Credential error during agent builder deployment

I was following this tutorial: https://cloud.google.com/vertex-ai/generative-ai/docs/agent-engine/deploy#before_you_begin to deploy an agent.

During deployment, the logs show this error: google.api_core.exceptions.PermissionDenied: 403 Permission ‘resourcemanager.projects.get’ denied on resource ‘//cloudresourcemanager.googleapis.com/projects/MY_PROJECT_ID’ (or it may not exist). [reason: “IAM_PERMISSION_DENIED]”

I understand from this page:
https://cloud.google.com/vertex-ai/generative-ai/docs/agent-engine/set-up#service-agent that GCP uses this SA: service-PROJECT_NUMBER@gcp-sa-aiplatform-re.iam.gserviceaccount.com for agent deployment. So my guess is this SA is missing the roles/browser role. There has been no modification of this SA since the project creation.

Thanks in advance!

Hi @vesran,

Welcome to Google Cloud Community!

The “PermissionDenied” error encountered during Vertex AI Agent Engine deployment, specifically ‘resourcemanager.projects.get’ permission denied on resource ‘//cloudresourcemanager.googleapis.com/projects/MY_PROJECT_ID’, is most likely caused by the identity you are using to initiate the deployment (your user account or the service account you are authenticated as, e.g., via Cloud Console) lacking the ‘resourcemanager.projects.get’ permission on the specified project.

Regarding whether it’s normal for a Google-managed Service Account to be missing roles for its own task-purpose: Generally, no, this is not normal. Google-managed service agents are automatically provisioned by Google with specific IAM roles (e.g., “Vertex AI Service Agent”) designed to give them the necessary permissions for their designated functions. The role assigned to the Vertex AI Google-managed Service Account provides permissions for the Vertex AI service itself to carry out backend deployment operations and manage the agent, not for your identity to initiate the deployment call.

Moreover, concerning specifying a different service account for deployment: The “service-PROJECT_NUMBER@gcp-sa-aiplatform-re.iam.gserviceaccount.com” account is a Google-managed service account that is automatically used by Vertex AI. As of now, you cannot specify a different service account for internal Vertex AI tasks, including agent engine deployments, because the platform is designed to use this specific service account.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
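Added example, not part of either post above: an offline check of which identity in a project IAM policy actually holds `resourcemanager.projects.get`, covering both the deploying user and the service agent named in the thread. The policy, the role-to-permission map, the two custom roles and the example.com principals are constructed assumptions; real data would come from `gcloud projects get-iam-policy` and `gcloud iam roles describe`.

```python
import json

# Constructed sample shaped like `gcloud projects get-iam-policy MY_PROJECT_ID --format=json`.
POLICY = json.loads("""
{"bindings": [
  {"role": "projects/MY_PROJECT_ID/roles/hypotheticalDeployer",
   "members": ["user:deployer@example.com"]},
  {"role": "projects/MY_PROJECT_ID/roles/hypotheticalAgentRole",
   "members": ["serviceAccount:service-PROJECT_NUMBER@gcp-sa-aiplatform-re.iam.gserviceaccount.com"]},
  {"role": "roles/browser", "members": ["user:auditor@example.com"],
   "condition": {"title": "expires", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "roles/browser", "members": ["group:platform@example.com"]}
]}
""")

# Role -> permissions, as listed under includedPermissions by `gcloud iam roles describe ROLE`.
# Constructed and partial; the two custom roles are hypothetical.
ROLE_PERMISSIONS = {
    "roles/browser": {"resourcemanager.projects.get", "resourcemanager.projects.list"},
    "projects/MY_PROJECT_ID/roles/hypotheticalDeployer": {"aiplatform.reasoningEngines.create"},
    "projects/MY_PROJECT_ID/roles/hypotheticalAgentRole": {"storage.objects.get"},
}

def grants(policy, role_permissions, member, permission):
    """Return [(role, condition_title_or_None)] for bindings giving `member` the permission."""
    found = []
    for binding in policy.get("bindings", []):
        if permission not in role_permissions.get(binding["role"], set()):
            continue
        if member in binding.get("members", []):
            found.append((binding["role"], binding.get("condition", {}).get("title")))
    return found

def diagnose(policy, role_permissions, members, permission):
    """Classify each member as 'granted', 'conditional' or 'missing' for the permission."""
    # Direct bindings only: group membership and folder/org inheritance are not expanded here.
    report = {}
    for member in members:
        hits = grants(policy, role_permissions, member, permission)
        if any(condition is None for _, condition in hits):
            report[member] = "granted"
        elif hits:
            report[member] = "conditional"  # depends on the IAM condition evaluating true
        else:
            report[member] = "missing"
    return report
```

A "missing" result for the identity that made the call is the case to fix with a narrowly scoped role rather than a broad one such as Editor or Owner.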