Failed to fetch service account token


i.mar...@gmail.com

Sep 12, 2019, 4:10:00 PM
to Google Cloud Endpoints
Hi, I followed this to configure a local development environment for cloud endpoints but making any request returns this:

{
   "code": 13,
   "message": "Failed to fetch service account token",
   "details": [
       {
           "@type": "type.googleapis.com/google.rpc.DebugInfo",
           "stackEntries": [],
           "detail": "internal"
       }
   ]
}

The docker container logs:

INFO:Constructing an access token with scope https://www.googleapis.com/auth/service.management.readonly
INFO:Refreshing access_token
INFO:Fetching the service config ID from the rollouts service
INFO:Fetching the service configuration from the service management service
nginx: [warn] Using trusted CA certificates file: /etc/nginx/trusted-ca-certificates.crt
2019/09/12 19:57:26 [error] 10#10: connect() failed (111: Connection refused)
2019/09/12 19:57:26 [error] 10#10: connect() failed (111: Connection refused)
2019/09/12 19:57:26 [error] 10#10: connect() failed (111: Connection refused)
2019/09/12 19:57:26 [error] 10#10: connect() failed (111: Connection refused)
2019/09/12 19:57:26 [error] 10#10: connect() failed (111: Connection refused)
2019/09/12 19:57:26 [error] 10#10: connect() failed (111: Connection refused)
172.17.0.1 - - [12/Sep/2019:19:57:26 +0000] "GET /v1/deliveryRequest HTTP/1.1" 500 209 "-" "PostmanRuntime/7.16.3"
172.17.0.1 - - [12/Sep/2019:19:57:27 +0000] "GET /v1/deliveryRequest HTTP/1.1" 500 209 "-" "PostmanRuntime/7.16.3"
2019/09/12 19:57:28[error]10#10: Failed to call https://servicecontrol.googleapis.com/v1/services/ENDPOINTS_SERVICE_NAME:report, Error: FORBIDDEN: server response status code: 403, Response body:NPermission 'servicemanagement.services.report' denied for the consumer project
[libprotobuf ERROR external/servicecontrol_client_git/src/service_control_client_impl.cc:182] Failed in Report call: Service control request failed with HTTP response code 403


I get this both on Windows and Mac.


Wayne Zhang

Sep 12, 2019, 5:48:39 PM
to i.mar...@gmail.com, Google Cloud Endpoints
It seems that the service account doesn't have enough roles to call service control services. Please make sure it has the following role

Click Select a role and select Service Management > Service Controller.

--
You received this message because you are subscribed to the Google Groups "Google Cloud Endpoints" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-endp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-endpoints/06a2ca49-eb46-4b29-b580-6f5591ac4014%40googlegroups.com.

Wayne Zhang

Sep 12, 2019, 5:52:10 PM
to i.mar...@gmail.com, Google Cloud Endpoints
Hmm, but from the error code, it seems that you did not pass the service account file to ESP. What flags did you pass to ESP in your "docker run"?

i.mar...@gmail.com

Sep 13, 2019, 2:13:10 AM
to Google Cloud Endpoints
I am using this command, having in the current folder the service_accounts folder:

docker run --detach --name="esp" --publish=8082:8082 --volume=$PWD/service_accounts:/esp gcr.io/endpoints-release/endpoints-runtime:1 --service=appengine-standard-endpoints-7c7klfgvka-uc.a.run.app --rollout_strategy=managed --http_port=8082 --backend=host.docker.internal:8080 --service_account_key=/esp/service-account-creds.json

I have also tried placing my service-account-creds.json file in C:/esp and using --volume=C:/esp:/esp but I get the same result.
Having this line in the logs doesn't mean that the ESP gets the service account file? 




i.mar...@gmail.com

Sep 13, 2019, 2:18:34 AM
to Google Cloud Endpoints
I have these roles on the service account:
Cloud Trace Agent
Service Account Token Creator
Owner
Service Management Administrator
Service Controller


Wayne Zhang

Sep 13, 2019, 12:10:23 PM
to i.mar...@gmail.com, Google Cloud Endpoints
ESP has two places to generate access_token from the service account file.
1) Python code: start_esp.py in this line. Your log is from this line.
2) C++ code in here. It seems this code failed to open the file.

You said you run on Mac or Win, so maybe the C++ code could not open the file but the Python code could with your path. I don't know why. We never tested with Win or Mac. We only tested with Linux.
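
A host-side preflight for the `docker run` line posted earlier in the thread, as an added example that is not part of the thread and not ESP code: it maps `--service_account_key` back through the `--volume` mounts and checks that the backing file exists and parses as a service account key. Function names are hypothetical, and it checks the host file only, not whether the process inside the container can open it.

```python
import json
import os
import shlex

# Fields present in a standard service account key file.
REQUIRED = ("type", "client_email", "private_key", "token_uri")

def parse_esp_args(cmd):
    """Return ([(host_dir, container_dir)], key_path) from a docker run line."""
    mounts, key = [], None
    for tok in shlex.split(cmd):
        if tok.startswith("--volume="):
            spec = tok.split("=", 1)[1]
            # rpartition keeps a Windows drive letter (C:/esp:/esp) on the host side.
            host, _, cont = spec.rpartition(":")
            mounts.append((os.path.expandvars(host), cont))
        elif tok.startswith("--service_account_key="):
            key = tok.split("=", 1)[1]
    return mounts, key

def host_path_for(mounts, key):
    """Map the in-container key path back to the host file that backs it."""
    for host, cont in mounts:
        prefix = cont.rstrip("/") + "/"
        if key.startswith(prefix):
            return os.path.join(host, key[len(prefix):])
    return None

def check_key(cmd):
    """Return a list of problems; an empty list means the key file looks loadable."""
    mounts, key = parse_esp_args(cmd)
    if key is None:
        return ["no --service_account_key flag"]
    path = host_path_for(mounts, key)
    if path is None:
        return [f"{key} is not under any --volume mount"]
    if not os.path.isfile(path):
        return [f"{path} does not exist on the host"]
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError) as exc:
        return [f"cannot load {path}: {exc}"]
    if not isinstance(data, dict):
        return [f"{path} is not a JSON object"]
    problems = [f"missing field {f}" for f in REQUIRED if not data.get(f)]
    if data.get("type") != "service_account":
        problems.append("type is not service_account")
    return problems
```

Call `check_key()` with the full command string before starting the container; an empty list rules out a wrong mount or a malformed key on the host side.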
