problem with GoogleCredentials.get_application_default()


Jaroslav Grešula

Apr 26, 2016, 1:17:38 PM
to gce-discussion
Hello,

I run some Python code on Google Compute Engine. The code uses the TaskQueue API and the queue is configured to allow writes from the GCE default service account.

In my code I create credentials via GoogleCredentials.get_application_default(). When I call the TaskQueue API, it fails with HTTP 403 "Insufficient Permission". 

When I set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the service account key file, the same code authorizes successfully.

If I understand correctly, GOOGLE_APPLICATION_CREDENTIALS shouldn't be needed if the code runs on GCE. Do you have any idea why it doesn't work without GOOGLE_APPLICATION_CREDENTIALS? What should I check?

Thank you,
Jarda

George

Apr 26, 2016, 7:48:10 PM
to gce-discussion
Hello Jarda,

Please make sure that the VM instance has the TaskQueue API scope enabled. You can verify the scopes by running the following command:

gcloud compute instances describe AFFECTED_INSTANCE_NAME

Under "scopes", the following should be present: "https://www.googleapis.com/auth/taskqueue". You can find more information on setting up an instance scope in this Help Center article.

I hope this helps.

Sincerely,
George

Jaroslav Grešula

Apr 27, 2016, 2:56:23 AM
to gce-discussion
Hello George,

Thank you for the response. The scope of the VM seems to be sufficient:

$ gcloud compute instances describe my-instance
[..]
serviceAccounts:
  scopes:

The same credentials work correctly with the Storage API but fail with the TaskQueue API.

Here is the queue definition:
# queue.yaml
queue:
  - name: test-queue
    mode: pull
    acl:

Do you have any other idea what could be wrong or what I should check?

Thank you,
Jarda

George

Apr 28, 2016, 3:54:26 PM
to gce-discussion
Hello Jarda,

Is it possible to try it from a different instance where you manually enable all the needed scopes including the task-queue scope? 

Looking forward to your reply.

Sincerely,
George



David McWherter

Apr 28, 2016, 3:56:24 PM
to George, gce-discussion
What permissions does 1188160496...@developer.gserviceaccount.com have on the project?


Jaroslav Grešula

Apr 28, 2016, 4:41:29 PM
to gce-discussion
Hello George,

Explicitly enabling the task-queue scope on an instance resolves the problem. I thought that <https://www.googleapis.com/auth/cloud-platform> grants full API access to all services, including the task queue. Is this a bug or is it intentional?

Thank you for your help,
Jarda



Jaroslav Grešula

Apr 28, 2016, 4:45:04 PM
to gce-discussion, gra...@google.com
Hello David,

On Thursday, April 28, 2016 at 9:56:24 PM UTC+2, David Mcwherter wrote:
What permissions does 1188160496...@developer.gserviceaccount.com have on the project?

It is a Compute Engine default service account for the project.

Regards,
Jarda 

George

Apr 29, 2016, 10:50:47 AM
to gce-discussion
Hello Jarda,

Thank you for providing this extra information. 

Having the Cloud Platform scope should grant full API access on the instance; however, this wasn't the case in the issue you were encountering. I will go ahead and forward this issue to our engineering team for review, and I will provide you with updates about it once I have them.

Sincerely,
George

George (Google Cloud Support)

May 5, 2016, 12:25:51 PM
to gce-discussion
Hello Jarda,

Our engineering team is aware of the issue and is working on fixing it as soon as possible. However, I can't provide you with an ETA for the fix. You can star the following Public Issue Tracker in order to receive updates about it.

Sincerely,
George
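
The scope check discussed in this thread, done from inside the VM rather than through gcloud, as an added example that is not part of any post above. The helper names (`parse_scopes`, `fetch_instance_scopes`, `diagnose`) are hypothetical, the sample scope list is constructed, and the credential lookup is simplified to the environment variable followed by the metadata server.

```python
import urllib.request

# Metadata-server endpoint listing the OAuth scopes attached to the VM's
# default service account (the Metadata-Flavor header is required).
SCOPES_URL = ("http://metadata.google.internal/computeMetadata/v1/"
              "instance/service-accounts/default/scopes")
TASKQUEUE_SCOPE = "https://www.googleapis.com/auth/taskqueue"
# Constructed sample of what the endpoint returns (one scope per line).
CONSTRUCTED_SCOPES = ("https://www.googleapis.com/auth/cloud-platform\n"
                      "https://www.googleapis.com/auth/devstorage.read_only\n")


def parse_scopes(text):
    """Turn the newline-separated endpoint response into a set of scopes."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def fetch_instance_scopes(timeout=2.0):
    """Read the instance scopes; only reachable from inside a GCE VM."""
    req = urllib.request.Request(SCOPES_URL, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_scopes(resp.read().decode("utf-8"))


def diagnose(required_scope, environ, fetch_scopes=fetch_instance_scopes):
    """Return (source, ok, message) for the credential path the code will use."""
    # Simplification (assumption): the gcloud well-known credentials file,
    # which is also consulted before the metadata server, is ignored here.
    key_file = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if key_file:
        # Key-file credentials are not limited by the scopes set on the VM.
        return ("key_file", True,
                "credentials come from %s; instance scopes do not apply" % key_file)
    scopes = fetch_scopes()
    if required_scope in scopes:
        return ("metadata_server", True, "instance scope present")
    # Exact match only: in this thread cloud-platform alone still gave a 403.
    return ("metadata_server", False,
            "missing %s; instance has: %s" % (required_scope, ", ".join(sorted(scopes))))


if __name__ == "__main__":
    # Offline run on the constructed sample. On a GCE VM, pass os.environ
    # and keep the default fetch_scopes to query the metadata server.
    print(diagnose(TASKQUEUE_SCOPE, {}, lambda: parse_scopes(CONSTRUCTED_SCOPES)))
```

A `metadata_server` result with `ok` false corresponds to the 403 reported in the thread; a `key_file` result explains why setting GOOGLE_APPLICATION_CREDENTIALS made the same code work.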