Help with identifying the authentication error in

[Shan P S]

I am trying to invoke the Blogger AP from a Google Cloud Function. I am referring to the docs here - https://cloud.google.com/docs/authentication/production#obtaining_credentials_on_compute_engine_kubernetes_engine_app_engine_flexible_environment_and_cloud_functions

The doc says that the default credentials are available in the Cloud Function. I am able to run the given example to get the list of buckets.

But when I call a sample code from the Blogger API with the same credentials it fails with "Encountered 403 Forbidden with reason "insufficientPermissions" error.

Please help me identify why the first part of this code works and the second part fails.

def explicit_compute_engine():    from google.auth import compute_engine
    import googleapiclient.discovery
    #PART I
    credentials = compute_engine.Credentials()
    storage_client = googleapiclient.discovery.build(
        'storage', 'v1', credentials=credentials)
    print('before buckets')
    buckets = storage_client.buckets().list(project='<MY project Id here>').execute()
    print(buckets)

    #PART II (fails)
    credentials = compute_engine.Credentials()
    blogger = googleapiclient.discovery.build(
        'blogger', 'v3', credentials=credentials)
    print(blogger)
    blogs = blogger.blogs()
    blog = blogs.get(blogId='<BLOG ID here>', maxPosts=2).execute()
    #Error "Encountered 403 Forbidden with reason "insufficientPermissions" here
    print(str(blog))

[Julie (cloud platform support)]

Thanks for reporting this. It seems you are trying to use Application Default Credentials to set the  default service account to authenticate between services. To clarify be default GCE service accounts have the Cloud IAM project editor role so please check if that is still the cause or if it has been modified. I can see you are using Compute Engine credentials which is recommended to explicitly state the credentials being used. In terms of Blogger API, it doesn't appear to be directly supported by GCP but if the issue is with the API then this Blogger Community forum can be used to discuss authorization for the API.