Python GCP-API permissions issue: compute.instances.list

[Dan Bikle]

Hello World,

I have a 5 line Python script which is failing.

GCP indicates a problem with a GCP-API permissions issue.
I'm not sure though it is telling me the truth.

Here is the Python syntax:

    import googleapiclient.discovery
    compute   = googleapiclient.discovery.build('compute', 'v1')
    project_s = 'shining-sol-241621'
    zone_s    = 'us-central1-a'
   
    result = compute.instances().list(project=project_s, zone=zone_s).execute()

The above syntax depends on this env variable setting:

    export GOOGLE_APPLICATION_CREDENTIALS=$HOME/secret.json

When I run the Python syntax I see:

    $ python3
    Python 3.5.2 (default, Nov 12 2018, 13:43:14)
    [GCC 5.4.0 20160609] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import googleapiclient.discovery
    >>> compute   = googleapiclient.discovery.build('compute', 'v1')
    >>> project_s = 'shining-sol-241621'
    >>> zone_s    = 'us-central1-a'
    >>> result = compute.instances().list(project=project_s, zone=zone_s).execute()
   
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/local/lib/python3.5/dist-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
        return wrapped(*args, **kwargs)
      File "/usr/local/lib/python3.5/dist-packages/googleapiclient/http.py", line 851, in execute
        raise HttpError(resp, content, uri=self.uri)
    googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/compute/v1/projects/shining-sol-241621/zones/us-central1-a/instances?alt=json returned "Required 'compute.instances.list' permission for 'projects/shining-sol-241621'">
    >>> >>>

Above, I see this msg in the error:

"Required 'compute.instances.list' permission for 'projects/shining-sol-241621'"

At this URL:

https://console.cloud.google.com/iam-admin/iam?project=shining-sol-241621

When I look at the service-account permissions attached to my secret.json file I see that I have attached these permissions to the account:

  - Compute Admin
  - Compute Instance Admin (beta)
  - Compute Instance Admin (v1)
  - Compute Viewer
  - Security Admin
  - Owner

When I attached permissions to the service-account, I saw no permission available which looked like:
'compute.instances.list'

I did note that the Compute Admin permission has this description:

"Full control of all Compute Engine resources"

That description suggests to me that the permission should be able to do: 'compute.instances.list'

I am suspicious that GCP is telling me that I have a permissions problem but the problem is somewhere else.

Based on my description, what would be some good yes/no questions to ask in order to move past this bad API behavior?

[Dan Bikle]

I was able to fix this problem after I assumed that the GCP server was caching bad info.

I created a service account with a name I had not used in the past.

I gave it just one permission: Project - Owner

I asked it to create a JSON-key.

I copied the key into $HOME/secret.json

I issued shell command:

    export GOOGLE_APPLICATION_CREDENTIALS=$HOME/secret.json

I tried my 6 lines of Python:

    $ python3
    Python 3.5.2 (default, Nov 12 2018, 13:43:14)
    [GCC 5.4.0 20160609] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>>
    >>>
    >>> import googleapiclient.discovery
    >>> compute   = googleapiclient.discovery.build('compute', 'v1')
    >>> project_s = 'shining-sol-241621'
    >>> zone_s    = 'us-central1-a'
    >>> result = compute.instances().list(project=project_s, zone=zone_s).execute()

    >>> result['items'][0]['status']
    'RUNNING'
    >>>
    >>>

As you can see, it worked.
Yay!