38

From a VM in GCE, I did the following

gcloud auth activate-service-account --key-file <blah>
# "blah" is a service account key file (JSON) I generated from the web interface
gcloud config set project <project-name>
gcloud config set compute/zone <zone-name>
gcloud config set container/cluster <cluster-name>

Then when I tried to run

gcloud container clusters get-credentials <cluster-name>

it failed with the error message:

Error message: "ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Request had insufficient authentication scopes."

The VM is on the same network as the GKE cluster. I tried the same thing, with the same service account key file from a machine outside GCE, against a GKE cluster on the "default" network and it succeeded...

Nakilon
Shanqing Cai

4 Answers

54

To use the Google Kubernetes Engine API from a GCE virtual machine you need to add the cloud platform scope ("https://www.googleapis.com/auth/cloud-platform") to your VM when it is created.

Robert Bailey
  • how to do that ? – artyomboyko Sep 21 '17 at 12:14
  • 7
    If you are using the command line you'd do something like `gcloud compute instances create NAME --scopes=https://www.googleapis.com/auth/cloud-platform`. If you are using the cloud console, when creating a VM look for the "Identity and API access" section, and select "Allow full access to all Cloud APIs". – Robert Bailey Sep 22 '17 at 05:15
  • @RobertBailey Thanx for the instructions, really helpful. But, why do we need to provide full access to all cloud APIs? Any idea which API listed in cloud console enables the CloudKMS operations? – Ankit Agrawal Mar 06 '18 at 10:03
  • Accessing the Google Kubernetes Engine API is separate from enabling CloudKMS. The Google Kubernetes Engine API does not have a separate scope from other cloud APIs such that it can be accessed independently. To have finer-grained control, you can use Identity and Access Management (IAM) primitives which allow you to only grant access to the GKE API. You can attach IAM roles to a service account and add it to the VM if you don't want to use scopes. – Robert Bailey Mar 06 '18 at 17:43
  • 2
    Is it possible to add the cloud platform scope after the cluster creation ? – alphayax Jul 04 '18 at 07:29
  • 1
    You can't add it to existing VMs, but you can create a new node pool that has the scope (so it will be applied to those new VMs), then migrate your workloads to the new node pool, and delete the old node pool. – Robert Bailey Jul 05 '18 at 07:55
  • 2
  • You can now change scope permissions after creation. Just shut down your machine, click edit and go to the scope section. – Seraf Dec 17 '18 at 12:57
  • @Seraf - for GKE you need to add the scope to the instance template for the managed instance group. You can do it to individual machines, but I still don't think you can do it for groups of machines without creating a new node pool. – Robert Bailey Dec 17 '18 at 16:19
  • @RobertBailey Yes but isn’t he trying to access the node pool from an individual machine? I had the same issue last week (trying to access my kubernetes cluster from a machine) – Seraf Dec 17 '18 at 16:22
  • 1
    Good point -- with an individual machine you can now stop the VM, change scopes, and restart the VM. But if your virtual machine is part of a managed instance group (managed by GKE or otherwise), then I don't think that you can do that trick to change scopes, and you need to create a new managed instance group with the correct scopes from the start. – Robert Bailey Dec 18 '18 at 16:48
  • 1
    @RobinVarghese - the link isn't supposed to work. It isn't a link to a website; it's a URI that represents an authorization scope that is understood by Google Cloud Platform. – Robert Bailey Jun 14 '19 at 16:42
4

If you are using the Google Kubernetes Engine API from a VM in GCP, you first need to add the required scope at VM level: https://www.googleapis.com/auth/projecthosting,cloud-platform. This can be done from the GCP console as well: stop the VM instance, then go to the edit option, and at the end you will find "Cloud API access scopes".

4

There is now a solution (in beta and alpha only) to set scopes on an existing GCE VM. All it needs in order to succeed is that the VM be stopped before executing the command.

First, you should be aware of (and copy) the current scopes of your VM so you can set them along with your new scopes; use:

gcloud compute instances describe your-instance

At the bottom you should see a list of scopes; copy them.

Then, read the documentation for this command in beta (available to everyone but to be used at your own risk): https://cloud.google.com/sdk/gcloud/reference/beta/compute/instances/set-scopes

Before you execute this command, stop the instance from the GCE page and wait for it to shut down. A scary warning will appear: be aware that if the VM does not shut down gracefully within 90 seconds (i.e. all processes and services successfully stopped), the file system might get corrupted when the VM is force-stopped. Take good note and back up important files if you feel unsafe about this.

For me, with the existing scopes plus the new one (cloud-platform), the resulting set-scopes command was:

gcloud beta compute instances set-scopes my-instance --zone=us-central1-a --scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/trace.append,https://www.googleapis.com/auth/cloud-platform
Cécile Fecherolle
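The accepted answer says the VM needs the cloud-platform scope, and the answer just above shows the manual way to add it to an existing VM: copy the scopes from `gcloud compute instances describe`, append cloud-platform, and pass the whole list to `set-scopes` (which replaces the list rather than adding to it, so a forgotten scope is silently lost). The script below is an added example that is not code from the question or from any of the answers; it automates that merge and adds the check a practitioner wants first, namely asking the GCE metadata server which scopes the VM's token actually carries. The instance name, zone and the SAMPLE_DESCRIBE text are constructed for illustration; the metadata endpoint is only queried when the script is run with `--live` on the VM itself.

```shell
#!/bin/sh
# Added example, not code from the question or any of the answers above.
# Turns "copy the existing scopes, add cloud-platform, run set-scopes" into a
# repeatable script so that the new --scopes= value never drops a scope the VM
# already had. The instance name, zone and SAMPLE_DESCRIBE text are constructed
# for illustration; nothing here talks to Google unless run with --live.

CLOUD_PLATFORM_SCOPE="https://www.googleapis.com/auth/cloud-platform"

# Pull the scope URIs out of `gcloud compute instances describe` YAML given on
# stdin. Scopes are listed one per line as "  - https://..." under "scopes:".
extract_scopes() {
    awk '
        /^[[:space:]]*scopes:/          { in_scopes = 1; next }
        in_scopes && /^[[:space:]]*- https:/ { sub(/^[[:space:]]*- /, ""); print; next }
        in_scopes                       { in_scopes = 0 }
    '
}

# Succeed (exit 0) if the newline-separated scope list in $1 already contains
# the cloud-platform scope, which is what the GKE API call needs.
has_cloud_platform() {
    printf '%s\n' "$1" | grep -qxF "$CLOUD_PLATFORM_SCOPE"
}

# Build the comma-separated --scopes= value: the existing scopes from $1,
# deduplicated, with cloud-platform appended only if it was missing.
merged_scopes() {
    { printf '%s\n' "$1"; printf '%s\n' "$CLOUD_PLATFORM_SCOPE"; } |
        awk 'NF && !seen[$0]++ { printf "%s%s", (n++ ? "," : ""), $0 } END { print "" }'
}

# Print (do not run) the beta set-scopes command for an instance, built from
# the text of its describe output. The VM must be stopped before running it.
set_scopes_command() {
    ssc_instance=$1
    ssc_zone=$2
    ssc_scopes=$(printf '%s\n' "$3" | extract_scopes)
    printf 'gcloud beta compute instances set-scopes %s --zone=%s --scopes=%s\n' \
        "$ssc_instance" "$ssc_zone" "$(merged_scopes "$ssc_scopes")"
}

# On a GCE VM, ask the metadata server which scopes the default service
# account's token actually carries; the 403 in the question means this list
# lacks cloud-platform. Only meaningful when run on the VM itself (--live).
metadata_scopes() {
    curl -sf -H 'Metadata-Flavor: Google' \
        'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# Constructed sample of `gcloud compute instances describe my-instance` output
# for a VM created with the default (non-cloud-platform) scope set.
SAMPLE_DESCRIBE='name: my-instance
serviceAccounts:
- email: 123456789012-compute@developer.gserviceaccount.com
  scopes:
  - https://www.googleapis.com/auth/devstorage.read_only
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/monitoring.write
status: TERMINATED
zone: https://www.googleapis.com/compute/v1/projects/my-project/zones/us-central1-a'

if [ "${1-}" = "--live" ]; then
    metadata_scopes
else
    set_scopes_command my-instance us-central1-a "$SAMPLE_DESCRIBE"
fi
```

Run it with no arguments to see the command that would be issued for the constructed sample; run it with `--live` on the VM to print the scopes the metadata server grants, which is the quickest way to confirm the scope is really in effect after the stop/edit/start cycle. Keep in mind the point made in the comments on the accepted answer: cloud-platform is a coarse scope, and what the VM can actually do is then bounded by the IAM roles on its service account, so pair the scope change with a service account that carries only the GKE roles you need.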
3

Step 1 : gcloud init

Step 2 : Select [2] Create a new configuration

Step 3 : Enter a configuration name. Names start with a lower case letter and contain only lower case letters a-z, digits 0-9, and hyphens '-': kubernetes-service-account

Step 4 : Choose the account you would like to use to perform operations for this configuration: [2] Log in with a new account

Step 5 : Do you want to continue (Y/n)? y

Step 6 : Copy and paste the link into a browser and log in with the ID that was used to create your Google Cloud account

Step 7 : Copy the verification code provided by Google after login and paste it into the console.

Step 8 : Pick cloud project to use:

Step 9 : Do you want to configure a default Compute Region and Zone? (Y/n)? y

Step 10 : Please enter numeric choice or text value (must exactly match list item): 8

Your Google Cloud SDK is configured and ready to use!

Once this is done, make sure the service account configured for the VM has permissions to do the required tasks.

Robin Varghese