3

I am trying to test the Google Cloud Logging API on the "Try this API" feature that Google Cloud Platform has on their documentation, but I get this response back:

{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}

I know that my response body is correct because it works with OAuth 2.0 but fails when I use an API key.

OAuth 2.0: Working request using OAuth 2.0

API Key: Non-Working request using API Key

Google's docs say that they generate their own API key for this "Try this API" feature. https://developers.google.com/explorer-help/

Since Google is using their own API Key, I do not understand why I am getting a response status of PERMISSION_DENIED.

Edit: Here is a link to the Try this API feature in Google Cloud Platform if you would like to give it a try. https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/write?apix_params=%7B%22resource%22%3A%7B%22entries%22%3A%5B%7B%22logName%22%3A%22projects%2F%5BPROJECT_ID%5D%2Flogs%2Frequests%22%2C%22resource%22%3A%7B%22type%22%3A%22http_load_balancer%22%2C%22labels%22%3A%7B%7D%7D%7D%5D%7D%7D

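Here is the Python request that I am using in my code to create an entry:

import json

import requests

# Log entry to write; [PROJECT_ID] is a placeholder for the project ID.
entry = {
    "entries": [
        {
            "logName": "projects/[PROJECT_ID]/logs/requests",
            "resource": {
                "type": "http_load_balancer",
                "labels": {}
            }
        }
    ]
}

# Authenticated with an API key only; this is the request that returns PERMISSION_DENIED.
requests.post('https://logging.googleapis.com/v2/entries:write?key=[YOUR_API_KEY]', data=json.dumps(entry))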

The API key was created from my user that has "logs writer", "logs viewer", and "logging admin" permissions. This theoretically should be all the permissions I need to make the post request. However, it is still returning a "PERMISSION_DENIED" status.

Any help would be much appreciated. Thank you in advance.

  • Hi Jonathan Sou - Welcome to Stack Overflow! Is there code involved in this question? If so, please edit it in. – user230910 Feb 21 '19 at 00:06
  • @jonathan-sou I provided an answer below, but I'm curious: did you try clicking on the "(?)" button next to "Credentials"? It helps give some similar context. – John Feb 21 '19 at 01:23
  • I have added a code snippet of the request that I tried using in my code. @John - The "(?)" button leads to credentials FAQ that explains the differences between using an API key and OAuth 2.0 but does not really help me solve the problem. – Jonathan Sou Feb 21 '19 at 17:21

1 Answer

3

It looks like you are making a request to write data which isn't publicly writable. API keys have no concept of a user; they only identify that you are allowed to call an API. So it looks like your API key request is working to the extent it can, but the response is telling you: I don't know who you are, so I can't let you do this.

OAuth 2.0 is the solution here, as it acts on behalf of your account (you have to give consent), allowing the API to verify you have permission to take this action.

Service accounts are another option, to act on behalf of your project instead of your user, but they aren't practical from a web UI.

John
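The question's request rebuilt to carry an identity, as an added example that is not part of the answer above or Google's own code: the `?key=` parameter is dropped and an OAuth 2.0 bearer token is sent instead, so the API can check the caller's IAM permissions. It assumes the google-auth package is installed and Application Default Credentials are configured (user or service account); the function names and the `textPayload` value are illustrative.

```python
import json
import urllib.error
import urllib.request

WRITE_URL = "https://logging.googleapis.com/v2/entries:write"
LOGGING_WRITE_SCOPE = "https://www.googleapis.com/auth/logging.write"


def get_access_token():
    """OAuth 2.0 access token from Application Default Credentials.

    Assumption: google-auth is installed and ADC is configured.
    """
    import google.auth
    from google.auth.transport.requests import Request

    creds, _ = google.auth.default(scopes=[LOGGING_WRITE_SCOPE])
    creds.refresh(Request())
    return creds.token


def build_write_request(project_id, access_token, message):
    """Same entry as in the question, sent with a bearer token and no ?key=."""
    body = {"entries": [{
        "logName": f"projects/{project_id}/logs/requests",
        "resource": {"type": "http_load_balancer", "labels": {}},
        "textPayload": message,  # added here so the entry carries a payload
    }]}
    return urllib.request.Request(
        WRITE_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def parse_error(raw):
    """Return (code, status) from an error body like the one in the question."""
    err = json.loads(raw)["error"]
    return err["code"], err["status"]


def write_entry(project_id, message):
    """Send the entry; return (200, "OK") or the API's (code, status)."""
    req = build_write_request(project_id, get_access_token(), message)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, "OK"
    except urllib.error.HTTPError as exc:
        return parse_error(exc.read())
```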