Auth for connecting to BigTable from a compute instance

[Hrishikesh Barua]

have an app connecting to Google Bigtable using the com.google.cloud.bigtable.hbase1_2.BigtableConnection class. This is running inside a compute engine VM which has the default scopes set plus the https://www.googleapis.com/auth/bigtable.data scope (required for reading/writing to Bigtable). The connection works fine when the property google.bigtable.auth.json.keyfile is set to the appropriate auth file.

However, I want to avoid setting this property and just use the scopes set for the instance, so that the key file does not have to be kept on the instance. This does not seem to work. The error message is

Caused by: com.google.bigtable.repackaged.io.grpc.StatusRuntimeException: PERMISSION_DENIED: Request had insufficient authentication scopes.
    at com.google.bigtable.repackaged.io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:230)
    at com.google.bigtable.repackaged.io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:211)
    at com.google.bigtable.repackaged.io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:144)
    at com.google.bigtable.admin.v2.BigtableTableAdminGrpc$BigtableTableAdminBlockingStub.listTables(BigtableTableAdminGrpc.java:371)
    at com.google.cloud.bigtable.grpc.BigtableTableAdminGrpcClient.listTables(BigtableTableAdminGrpcClient.java:52)
    at org.apache.hadoop.hbase.client.AbstractBigtableAdmin.requestTableList(AbstractBigtableAdmin.java:258)
    ... 8 more

Is there any other way of doing this or is there a configuration property I'm missing?

[talonx]

So, I figured out that it requires both the access scope as well as the correct IAM role to be assigned to the instance, and then it works.

[Solomon Duskis]

We're glad you were able to figure this out.  Sorry for not responding sooner to your question.

Solomon Duskis |

Google Cloud Bigtable Tech Lead |

sdu...@google.com |

914-462-0531

--
You received this message because you are subscribed to the Google Groups "Google Cloud Bigtable Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-bigtable-discuss+unsub...@googlegroups.com.
To post to this group, send email to google-cloud-bigtable-discuss@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-bigtable-discuss/ad0717b0-c6f4-475e-a01d-3696ecb70ae7%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[neeraj...@gcp.nordstrom.com]

Hi, Could you please let us know solution. I am also facing same issue

[talonx]

Did you read my response to my own question above? Are you facing some other error after trying that?

[Solomon Duskis]

Here's some information about how to configure scopes on a GCE instance.

Here's some information about how to grant IAM permissions for Cloud Bigtable.

I hope this helps.

Solomon Duskis |

Google Cloud Bigtable Tech Lead |

sdu...@google.com |

914-462-0531

--

You received this message because you are subscribed to the Google Groups "Google Cloud Bigtable Discuss" group.

To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-bigtabl...@googlegroups.com.
To post to this group, send email to google-cloud-b...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-bigtable-discuss/6fa2cd43-cb7a-4849-b7b1-36ad808f74ec%40googlegroups.com.

[neeraj...@gcp.nordstrom.com]

Thanks it works after applying scope

To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-bigtable-discuss+unsub...@googlegroups.com.