0

I have written an application that uses all the clients/sdks as officially documented.

credentials = GoogleCredentials \
    .get_application_default() \
    .create_scoped('https://www.googleapis.com/auth/drive')
drive = discovery.build(
    'drive',
    'v3',
    http=self.credentials.authorize(Http())
)
drive.files() \
    .get(fileId=file_id) \
    .execute()

It works perfect in local with a Service Account generated from the panel, but when I deploy the application, the service account within AppEngine flexible environment runs into problems.

17:15:04.000 /env/lib/python3.4/site-packages/oauth2client/contrib/gce.py:99: UserWarning: You have requested explicit scopes to be used with a GCE service account. 17:15:04.000 Using this argument will have no effect on the actual scopes for tokens 17:15:04.000 requested. These scopes are set at VM instance creation time and 17:15:04.000 can't be overridden in the request. 17:15:04.000 17:15:04.000 warnings.warn(_SCOPES_WARNING) 17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/drive/v3/rest 17:15:04.000 INFO:oauth2client.client:Attempting refresh to obtain initial access_token 17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json 17:15:04.000 ERROR:root:Failed to retrieve file 0B0K....M1pBNFE. Is it shared with me? project-id@appspot.gserviceaccount.com 17:15:04.000 Traceback (most recent call last): 17:15:04.000 File "/home/vmagent/app/script.py", line 45, in get 17:15:04.000 .execute() 17:15:04.000 File "/env/lib/python3.4/site-packages/oauth2client/util.py", line 135, in positional_wrapper 17:15:04.000 return wrapped(*args, **kwargs) 17:15:04.000 File "/env/lib/python3.4/site-packages/googleapiclient/http.py", line 760, in execute 17:15:04.000 raise HttpError(resp, content, uri=self.uri) 17:15:04.000 googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json returned "Insufficient Permission">

I have checked the permissions and they are all set. The problem is probably due to the "Using this argument will have no effect..." message, that appears when trying to create the scoped credentials.

Nicholas
  • 1,676
  • 12
  • 35
txomon
  • 642
  • 1
  • 6
  • 21
  • What articles/guides are you following to achieve this? Can you provide links? – Nicholas Jun 08 '16 at 15:34
  • Using the code you've provided above, I cannot reproduce this issue. Is your Drive API enabled in the Developers Console under APIs? The error message states scopes to be used with a GCE instance (not GAE application). Where is this code being run? – Nicholas Jun 08 '16 at 20:06
  • @Nicholas this is the upstream bug https://code.google.com/p/googleappengine/issues/detail?id=12970 – txomon Jun 13 '16 at 16:02
  • Ah, yes. This is indeed a known issue. Apologies for not recognizing it from the logs posted. My reproduction was using the standard environment and not the flexible one. For the sake of completeness, I'll post this as a more complete answer for the community. – Nicholas Jun 13 '16 at 17:07
  • Though this is a known issue, the answer submitted is the appropriate answer for the question. – Nicholas Jun 17 '16 at 18:43

1 Answers1

1

As you've mentioned in a prior comment, this is a known issue. As described by araf...@google.com, it seems that App Engine instances in the flexible environment assume the credentials of the uderlying GCE VM as the application default credentials.

As a workaround in the meantime, you can use a manually created service account exported as a JSON key stored in your app, as per Using OAuth 2.0 for Server to Server Applications.

For anyone affected by this issue or for whom the workaround is ineffective, please post any relevant information on said issue.

Nicholas
  • 1,676
  • 12
  • 35