13

I set up Google SDK to use Google API with Application Default Credentials. For my local machine, created a credentials json file and set its path as GOOGLE_APPLICATION_CREDENTIALS as environment variable. This is worked as expected without a problem.

However, when the app is deployed to Google Cloud VM, it throws the following error:

[Google_Service_Exception]                                             
{                                                                      
    "error": {                                                           
      "code": 403,                                                       
      "message": "Request had insufficient authentication scopes.",      
      "errors": [                                                        
        {                                                                
          "message": "Request had insufficient authentication scopes.",  
          "domain": "global",                                            
          "reason": "forbidden"                                          
        }                                                                
      ],                                                                 
      "status": "PERMISSION_DENIED"                                      
    }                                                                    
}

According to the documentation, the built-in service account should be associated with the virtual machine instance. To make it work, I tried to use credentials json file as I did on local machine (which worked fine) but it didn't work either.

To note, the error message is about scopes but not auth problem. What to do to make it work on Compute Engine VM instance?

To give client initialisation code:

$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->addScope(Google_Service_Pubsub::PUBSUB);
seferov
  • 4,111
  • 3
  • 37
  • 75

2 Answers2

12

Update

Now it is supported. You have to stop instance in order to change API scope. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes

Original answer

It turned out that I had to enable Cloud API access scope for the services on Google Cloud Console for VM instance details: https://console.cloud.google.com/compute/instances

Unfortunately, I couldn't changed it because Google Cloud doesn't support it for now. I had to start a new instance to enable a service API access. https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/13101552-ability-to-change-cloud-api-access-scopes-on-launc

seferov
  • 4,111
  • 3
  • 37
  • 75
  • 1
    It seems that you as of December 2016 you can change the access scopes on stopped VMs. There is now a reply on this link: https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/13101552-ability-to-change-cloud-api-access-scopes-on-launc – gil.fernandes Jan 08 '18 at 11:26
2

It is possible now. Your instance must be stopped and then it can have its scope list changed from the console in the edit vm page, or in the SDK by using :

gcloud compute instances stop [vmname] gcloud beta compute instances set-scopes [vmname] --scopes="[scopes list]"

Just be aware that with the SDK way, the second command will reset with the scopes in the list. It is not currently available the ability to only append a new scope.

MarcoSantana
  • 739
  • 10
  • 10