0

I'm unable to get my Google Compute instance to speak to the Datastore (within the same project).

I believe I've set everything up correctly:

  • Google Compute instance has the full API scope
  • All the relevant APIs have been enabled in the project
  • Billing is enabled in the project

The tutorials claim that I won't even need to have a service account to use the API, but since it didn't work I also tried setting up a service account and put the key file on my instance. Still no luck.

Here's the code I'm trying to run (I created a Test entity in the Datastore of the project, and I can successfully look it up using Google's API explorer with an OAuth2 token for my account):

const gcloud = require('gcloud')({
  projectId: 'roger-web-client',
  keyFilename: './roger-web-client-8d1fbd8baae2.json',
});

const dataset = gcloud.datastore.dataset();

dataset.get(dataset.key(['Test', 5629499534213120]), (error, entity) => {
  console.log(error || entity);
});

This results in the error 403 Forbidden. If I comment out keyFilename, I get 401 Unauthorized instead, which seems to imply the magic authorization on Google Compute instances isn't working for me.

Ideas?

Vilas
  • 1,405
  • 12
  • 15
Blixt
  • 49,547
  • 13
  • 120
  • 153
  • 1
    Which scopes have to added to the instance? Have you added the ones mentioned here: https://cloud.google.com/datastore/docs/activate#accessing_the_datastore_api_from_a_compute_engine_instance? – Vilas Jan 14 '16 at 17:15
  • Just to echo Vilas's comment: checking the "Allow API access to all..." box in the UI doesn't add all the scopes needed by Datastore. What scopes do you see if you run "gcloud compute instances describe" on the instance? – Ed Davisson Jan 14 '16 at 19:08
  • The documentation implies that it's "all APIs" and doesn't let me choose individual scopes when using this one, which makes it strange that there are additional scopes required... This is the scope the instance has: `https://www.googleapis.com/auth/cloud-platform` – Blixt Jan 14 '16 at 19:39
  • 1
    Agree that it's unfortunate, but the Cloud Datastore API requires the https://www.googleapis.com/auth/userinfo.email scope in addition to either the https://www.googleapis.com/auth/datastore or https://www.googleapis.com/auth/cloud-platform scope. – Ed Davisson Jan 14 '16 at 22:04
  • Okay I was unaware of that. I would propose adding a "Note:" section in the tutorial since everything else implies it's possible to just use the "everything" scope. Tack! – Blixt Jan 15 '16 at 01:31
  • Sorry about the inconvenience. Could you please provide a link to the tutorial you were using? It should be fixed. – Vilas Jan 15 '16 at 16:13
  • @Vilas: Here's a few tutorials I looked at (they mention the scopes but I propose a notice saying that the `cloud-platform` scope is not a valid alternative): https://cloud.google.com/datastore/docs/activate#accessing_the_datastore_api_from_a_compute_engine_instance -- https://googlecloudplatform.github.io/gcloud-node/ -- https://cloud.google.com/datastore/docs/getstarted/start_nodejs/ – Blixt Jan 15 '16 at 16:18
  • On a sidenote it was also confusing to start using `googleapis` only to later find out that `gcloud` is a newer and more succinct alternative. Maybe it should be mentioned in the "Get started" tutorial? – Blixt Jan 15 '16 at 16:20
  • Blixt@: Thank you for the feedback. We will work on improving these docs. – Vilas Jan 15 '16 at 21:27

0 Answers0