#GTMTips: Setup IAM for Manual Installation of Server-Side GTM

Installing a server-side Google Tag Manager instance on a custom App Engine deployment requires some permissions and Service Account configuration before it will work properly.

If you want to manually install server-side Google Tag Manager on App Engine in the Google Cloud Platform, you are of course welcome to do so.

The main benefits of doing this are that you get to choose the region where App Engine is deployed and that you can use existing project resources instead of having a new project automatically created for you.

However, to run the script without errors, there are a number of things you need to enable first. In this article, I’ll walk you through the required permissions.

It’s tempting to just use Project Editor or even Project Owner rights everywhere, but sometimes you need more granularity. This article will walk you through the bare minimum permissions and services that need to be enabled for the manual deployment to work.

Tip 131: Setup IAM for manual deployment of server-side GTM

For the manual deployment script to actually work in a Cloud Shell instance, you need to run through the following steps first.

[Project Owner] 1. Create an App Engine application.

The Project Owner should first go to the App Engine console and create an App Engine application. If an application has already been created, you can skip this step. When creating the application, you need to choose a region for the application.

Be careful when choosing the region. The project is stuck with this region for its entire lifetime. If you ever want to change the region, you need to create a new project.

Creating the application also creates the App Engine Default Service Account.

[Project Owner] 2. Enable the Compute Engine API.

The Project Owner needs to go to the Compute Engine API page and enable the API. This creates the Compute Engine Default Service Account.

[Project Owner] 3. Enable the Cloud Deployment Manager V2 API.

The Project Owner needs to go to the Cloud Deployment Manager V2 API page and enable the API. This is required for the script to run its automated processes.

[User who runs the script] 4. Add the following roles.

The user who’s going to run the deployment script in Cloud Shell needs the following roles added to them in IAM, ideally by the Project Owner:

roles/appengine.appAdmin
roles/iam.serviceAccountUser
roles/cloudbuild.builds.editor
roles/storage.objectAdmin

To find the corresponding roles in the GCP UI, you can use the following image as guidance:

Once you have completed these four steps, you should be able to run the deployment script without issue using the user login from step (4).
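As an added example (not from the original post), here is a small shell script that performs steps 1 through 4 with gcloud from the Project Owner's Cloud Shell session, keeping the grant to exactly the four roles above so nobody falls back to Project Editor. The project ID, region, deploying user's e-mail and the GCLOUD override for dry runs are assumptions, not part of the post.

```shell
#!/usr/bin/env sh
# Added example: bootstrap the minimum sGTM prerequisites with gcloud.
# Assumed inputs (not in the post): PROJECT_ID, REGION, USER_EMAIL as arguments.
# GCLOUD may be overridden (GCLOUD=echo) to dry-run and review the commands first.
set -eu
GCLOUD="${GCLOUD:-gcloud}"
# The four roles from the post. Keeping them in one place makes it easy to
# review a grant against the minimal list instead of reaching for roles/editor.
required_roles() {
  printf '%s\n' \
    roles/appengine.appAdmin \
    roles/iam.serviceAccountUser \
    roles/cloudbuild.builds.editor \
    roles/storage.objectAdmin
}
# Returns 0 if the role is on the minimal list, 1 otherwise.
is_required_role() {
  required_roles | grep -qx -- "$1"
}
# Step 1 (Project Owner): create the App Engine app. The region is permanent
# for the project, so it is a required argument rather than a default.
create_app_engine_app() {
  "$GCLOUD" app create --project="$1" --region="$2"
}

# Steps 2 and 3 (Project Owner): enable Compute Engine and Deployment Manager V2,
# which also creates the Compute Engine default service account.
enable_apis() {
  "$GCLOUD" services enable compute.googleapis.com deploymentmanager.googleapis.com \
    --project="$1"
}

# Step 4 (Project Owner): bind exactly the required roles to the deploying user.
# --condition=None avoids the interactive prompt when the policy has conditions.
grant_roles() {
  required_roles | while read -r role; do
    "$GCLOUD" projects add-iam-policy-binding "$1" \
      --member="user:$2" --role="$role" --condition=None --quiet
  done
}
main() {
  create_app_engine_app "$1" "$2"
  enable_apis "$1"
  grant_roles "$1" "$3"
}

# Only run when invoked with all three arguments:
#   ./sgtm-iam.sh my-project europe-west1 deployer@example.com
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Run it once with GCLOUD=echo to review the exact bindings before granting anything; the Project Owner then runs it for real, and the user from step 4 only ever receives the four listed roles.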