
I built this very simple code, very similar to the tutorial here. I simply use the default credentials instead of a service account key file (I can explain why if required, but in short, it's not secure!)

To test it, simply change the sheet ID in the code:

import os
from flask import Flask, request

app = Flask(__name__)

@app.route('/', methods=['GET','POST'])
def test_sheet():

    from googleapiclient.discovery import build
    import google.auth

    SCOPES = ['https://www.googleapis.com/auth/spreadsheets.readonly']

    credentials, project_id = google.auth.default(scopes=SCOPES)
    # The ID and range of a sample spreadsheet.
    SAMPLE_SPREADSHEET_ID = '1oHzQLk79_TeEZtQyTLxk47PKDi7g1oy1O0MgSHzhUSk'
    SAMPLE_RANGE_NAME = 'A1:C1'

    service = build('sheets', 'v4', credentials=credentials)

    sheet = service.spreadsheets()
    result = sheet.values().get(spreadsheetId=SAMPLE_SPREADSHEET_ID,
                                range=SAMPLE_RANGE_NAME).execute()
    values = result.get('values', [])

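    if not values:
        print('No data found.')
        # A Flask view must return a response; returning None raises an error.
        return 'No data found.', 404
    else:
        print('Results:')
        for row in values:
            # Log the row, then return columns A and B (indices 0 and 1)
            # of the first row only.
            print(row)
            return row[0] + ',' + row[1], 200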

if __name__ == "__main__":
    app.run(host='0.0.0.0',port=int(os.environ.get('PORT',8080)))

Anyway, here is my problem:

  • When I deploy it on Cloud Run, and I authorize the Cloud Run custom service account (without a key, I use the application default credentials) on my spreadsheet, it works
  • When, locally, I use a service account key file of the Cloud Run service account that I set in GOOGLE_APPLICATION_CREDENTIALS, it works (bad practice, as I said in the introduction)
  • When, locally, I use my user credentials authorized on my sheet (gathered with gcloud auth application-default login), it doesn't work, with this error: 403.......Request had insufficient authentication scopes.
  • When I deploy on App Engine, and I authorize the App Engine default service account (<PROJECT_ID>@appspot.gserviceaccount.com), it doesn't work, with this error: 403.......Request had insufficient authentication scopes.

QUESTIONS

  • Why can't I change the scope of the user account credential? I could understand this case. I can't invoke private Cloud Functions and private Cloud Run with my user credential. Why not another limitation!
  • Why can't I change the scope of the App Engine default service account? Here I don't catch the differences with the other service accounts on GCP
guillaume blaquiere
  • Did you share the sheet with the Cloud Run service account? If yes, you might need to do the same with the App Engine service account – Vikram Shinde Aug 07 '20 at 20:56
  • Yes, I did it, and I didn't mention it here because the error is not "unauthorized access" but "insufficient scope". I update my question – guillaume blaquiere Aug 07 '20 at 21:07
  • Using credentials that were authorized with the gcloud tool can only access Google Cloud Scopes, which doesn't include Sheets. – lukwam Aug 08 '20 at 03:10
  • Did you find a solution? – Andrei Sep 04 '20 at 16:40
  • Hey @guillaumeblaquiere. I just read your nice [article](https://medium.com/google-cloud/cloud-run-performances-with-multiple-cpus-a4c2fccb5192) on Medium about Cloud Run multi-CPU performance, thanks for that! Hope you don't mind me asking a question via SO. It seems like you conclude that yes, more CPUs means more power (which makes sense). But my question is: when looking at Cloud Run and how it scales, isn't it more efficient to use more instances instead of more CPUs/instance? Like comparing 20 instances with 2 vCPUs vs. 40 instances with 1 vCPU? What are your thoughts on that? – Casper van Lit Feb 18 '21 at 15:21
  • From a cost perspective, it's better to have a lot of small instances. Like this, you won't pay for underused big instances. However, the tradeoff is: more small instances created = more cold starts on your application. If your app starts in a few ms (such as a Go app), no problem. If it's a Java Spring Boot app which starts in 10+ seconds (I wrote another article on this), it could become an issue, and limiting the number of new instances is an advantage. Next time, don't hesitate to reach me on Twitter or to comment on the article! – guillaume blaquiere Feb 18 '21 at 16:32

1 Answer

Add scopes additionally, like this:

gcloud compute instances set-service-account <instance name> --service-account <service account> --scopes <comma separated scopes here, alias or full URI>
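
An added example, not part of the original question or answer: a small diagnostic for the "insufficient authentication scopes" 403 discussed above. It parses the space-separated `scope` field of an OAuth2 tokeninfo response (`https://oauth2.googleapis.com/tokeninfo`) and checks it against the scopes the Sheets API accepts for `spreadsheets.values.get`. The function names and both sample responses are constructed for illustration.

```python
import json

# Scopes accepted by the Sheets API for spreadsheets.values.get (read access).
SHEETS_READ_SCOPES = {
    "https://www.googleapis.com/auth/spreadsheets.readonly",
    "https://www.googleapis.com/auth/spreadsheets",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/drive",
}

# Constructed sample: a user token limited to Google Cloud scopes, as the
# comment about gcloud-authorized credentials describes.
USER_ADC_TOKENINFO = json.dumps({
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/cloud-platform",
    "expires_in": "3599",
})

# Constructed sample: a token carrying the scope the code requested
# (the case the question reports as working).
SCOPED_TOKENINFO = json.dumps({
    "scope": "https://www.googleapis.com/auth/spreadsheets.readonly",
    "expires_in": "3599",
})

def granted_scopes(tokeninfo_json):
    """Return the set of scopes listed in a tokeninfo JSON response."""
    info = json.loads(tokeninfo_json)
    return set(info.get("scope", "").split())

def diagnose(tokeninfo_json, accepted=SHEETS_READ_SCOPES):
    """Tell whether the token can read a sheet, independent of sheet sharing."""
    granted = granted_scopes(tokeninfo_json)
    usable = granted & set(accepted)
    return {
        "can_read_sheet": bool(usable),
        "usable_scopes": sorted(usable),
        # Broad cloud-platform access is still not a Sheets or Drive scope.
        "has_cloud_platform": any(s.endswith("/auth/cloud-platform") for s in granted),
        "expected_error": None if usable else "403 insufficient authentication scopes",
    }

if __name__ == "__main__":
    for name, sample in (("user ADC", USER_ADC_TOKENINFO), ("scoped", SCOPED_TOKENINFO)):
        print(name, diagnose(sample))
```

A scope failure is separate from sharing: the sheet can be shared with the identity and the call still returns 403 if the token lacks one of these scopes.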