gcloud 128 broke the app engine remote shell

248 views
Skip to first unread message

Evan Jones

unread,
Nov 8, 2016, 1:29:05 PM11/8/16
to Google App Engine
To fix it, you need to run:

gcloud auth application-default login --scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/userinfo.email



It would be really great if this could be made the default, or at least documented in the App Engine docs, since I had to reverse engineer this from a working token written by the old version of the command.



See http://stackoverflow.com/questions/40349915/appengine-remote-api-shell-not-working-with-application-default-credentials-sinc/40493992#40493992


Without this fix, you will see:

HTTP 401 Unauthorized too many auth attempts


I hope this saves someone else some time

George (Cloud Platform Support)

unread,
Nov 9, 2016, 12:58:46 PM11/9/16
to Google App Engine
Hello Evan,
Running your gcloud command without the --sources part results in successfully getting the application default credentials on 2 different freshly-created instances. Does the error manifest itself in special circumstances? Are there any other details needed to correctly reproduce the error? 

Evan Jones

unread,
Nov 9, 2016, 4:42:30 PM11/9/16
to Google App Engine
Yes, you need to follow the directions to connect to an App Engine application via the remote shell:

1. Run `gcloud auth application-default login`
2. Follow the directions here:



Result: HTTP 401 Unauthorized errors


I'm guessing the App Engine remote shell needs to get the user's email address to be able to authenticate against the Users API (I think?). The OAuth2 token without that additional scope does not work.

Thanks,

Evan

Evan Jones

unread,
Nov 9, 2016, 4:43:17 PM11/9/16
to Google App Engine
Maybe I should add: I'm doing this from my machine, using my personal credentials, and not an instance service account. I'm not sure if that might make a difference or not.

George (Cloud Platform Support)

unread,
Nov 11, 2016, 3:55:15 PM11/11/16
to Google App Engine
Hello Evan, 
Followed the steps you indicated, first the "gcloud auth application-default login" command, then the “Using the Remote API shell” chapter from the linked page. Still, command “remote_api_shell.py -s [YOUR-PROJECT-ID].appspot.com” worked as expected. Maybe worth mentioning: the app was deployed with the “remote_api: on” option. 
Do you see any significant parameters that may still differ on our two setups?

Evan Jones

unread,
Nov 11, 2016, 4:40:33 PM11/11/16
to Google App Engine
I figured out why: gcloud version 134 fixed this. As of version 133 when I run gcloud auth application-default login the scopes are: "https://www.googleapis.com/auth/cloud-platform"


So this is resolved now; thanks!



Version 134's redirect URL:

https://accounts.google.com/o/oauth2/auth?access_type=offline&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform


--
You received this message because you are subscribed to a topic in the Google Groups "Google App Engine" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-appengine/ptc-76K6Kk4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-appengine+unsubscribe@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/b8b1fb8c-b38b-4626-a39a-94b30c37a5d7%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Reply all
Reply to author
Forward
0 new messages