1

I created a service account and generated a JSON key. I want to execute a GET request to get a project. I am using https://cloud.google.com/dns/docs/reference/v1/projects/get

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.dns.Dns;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public static Dns createDnsService() throws IOException, GeneralSecurityException {
   HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
   JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();

   // Load the service account key file; the stream is closed once the credential is built.
   String jsonPath = "testdns-320312-136950c1074b.json";
   GoogleCredential credential;
   try (FileInputStream stream = new FileInputStream(jsonPath)) {
     credential = GoogleCredential.fromStream(stream);
   }
   // Service account credentials need explicit OAuth scopes before they can be used.
   if (credential.createScopedRequired()) {
     credential = credential.createScoped(Arrays.asList("https://www.googleapis.com/auth/cloud-platform"));
   }

   return new Dns.Builder(httpTransport, jsonFactory, credential)
        .setApplicationName("Google-DnsSample/0.1")
        .build();
}

When executing the code, I get this error:

Exception in thread "main" com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
GET https://dns.googleapis.com/dns/v1/projects/testdns-320312
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Forbidden",
    "reason" : "forbidden"
  } ],
  "message" : "Forbidden"
}
Igor
  • 47
  • 5
  • The service account that your code is using does not have permissions. What roles are assigned to the service account? Review the documentation for the required roles to access DNS. https://cloud.google.com/dns/docs/access-control – John Hanley Jul 20 '21 at 19:07

1 Answer

2

@John Hanley is right - you lack proper permissions.

If you didn't assign any role to a service account after you created it, you can't use it to do anything.

You need the roles/dns.admin role to be able to administer all the DNS records in your project.

You can do this with the following steps:

  • In the Google Cloud Console, go to the IAM page.
  • Select your project from the top pull-down menu.
  • Click Add.
  • In New members, enter the email address of a new member.
  • Select the desired role from the drop-down menu.
  • Click Save.
  • Verify that the member is listed with the role that you granted.

Granting the DNS admin role to this account will be the easiest way of getting control over the Cloud DNS section of your project. If you need more fine-grained / limited access, then you can create a custom role and assign it to this account instead of the basic one.

Here's more info about granting roles in GCP that you may find useful.

A very similar question was also answered here.

Wojtek_B
  • 4,245
  • 1
  • 7
  • 21
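The console steps in the answer can also be done from the command line, which makes the grant reviewable and repeatable. The script below is an added example, not part of the question or the answer: it wraps the gcloud binding command the console performs, and adds a check that reads the project's IAM policy back and reports whether the service account holds a role that includes the dns.projects.get permission behind projects.get (the Cloud DNS roles roles/dns.admin and roles/dns.reader, or a basic project role). The service account address used in the usage line is a constructed placeholder; roles/dns.reader is the least-privilege choice if the account only ever reads DNS data, and roles/dns.admin is what the answer recommends for full control.

```shell
#!/bin/sh
# Added example (not from the question or the answer): gcloud equivalent of the
# console steps for granting a Cloud DNS role, plus a read-back check that tells
# you whether a 403 from dns.googleapis.com is an IAM binding problem.
# PROJECT_ID and SA_EMAIL are placeholders you replace with your own values.

# Grant a Cloud DNS role to a service account on a project.
# Usage: grant_dns_role PROJECT_ID SA_EMAIL [ROLE]
# ROLE defaults to roles/dns.admin, the role the answer recommends.
grant_dns_role() {
  gcloud projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$2" \
    --role="${3:-roles/dns.admin}" \
    --condition=None
}

# Print the roles bound directly to SA_EMAIL in PROJECT_ID's IAM policy, one per line.
# Usage: sa_roles PROJECT_ID SA_EMAIL
sa_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}

# Exit status 0 if the service account holds a predefined role that includes
# dns.projects.get (Cloud DNS admin/reader or a basic role), 1 otherwise.
# Group-inherited roles are not visible here; only direct bindings are checked.
# Usage: sa_can_get_dns_project PROJECT_ID SA_EMAIL
sa_can_get_dns_project() {
  sa_roles "$1" "$2" | grep -qE '^roles/(dns\.admin|dns\.reader|owner|editor|viewer)$'
}

# Command-line dispatcher:
#   ./dns-iam.sh grant PROJECT_ID SA_EMAIL [ROLE]
#   ./dns-iam.sh check PROJECT_ID SA_EMAIL
# Example (constructed address): ./dns-iam.sh check testdns-320312 dns-runner@testdns-320312.iam.gserviceaccount.com
case "${1:-}" in
  grant)
    grant_dns_role "$2" "$3" "${4:-}"
    ;;
  check)
    if sa_can_get_dns_project "$2" "$3"; then
      echo "ok: $3 holds a role that can read Cloud DNS in $2"
    else
      echo "missing: $3 has no Cloud DNS role in $2; grant one with: $0 grant $2 $3 [ROLE]"
      exit 1
    fi
    ;;
esac
```

Run the check first after a 403: if it reports `missing`, the Java code is fine and the binding is what needs fixing. Because the script reads the policy back rather than trusting the grant command's output, it also catches the common case where the role was added to the wrong project or to a different service account than the one in the key file.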