I want to ensure that my Cloud Run service is using the correct service account to authorize requests, in accordance with the guidance provided here: https://cloud.google.com/run/docs/securing/service-identity#permissions-required-to-operate. However, when I invoke the service using a curl command from Cloud Shell, the logs show that the default service account is used with the message:

Default credentials provider for Google Compute Engine.

even though the service account I want is already attached to the service.

Any idea why this happens?

More context: My service account has been allowlisted and should have the scope to access the Automotive Maps API. In the application code I'm using the application default credentials to authorize the request. It works when I run the app locally with the environment variable GOOGLE_APPLICATION_CREDENTIALS set to point to a service account key I downloaded. But it doesn't work when deployed to Cloud Run and invoked with the following command:

curl -H \
"Authorization: Bearer $(gcloud auth print-identity-token)" \
https://cloudrunsampleretry-qwuy73xdsq-uc.a.run.app

I'm getting

io.grpc.StatusRuntimeException: PERMISSION_DENIED: Request had insufficient authentication scopes.

The instructions explicitly say

Never set GOOGLE_APPLICATION_CREDENTIALS as an environment variable on a Cloud Run service

so application default credentials (ADC) must work differently compared to the app running locally. I just don't know what could have gone wrong in the setup of the Cloud Run service.

  • That message does not indicate the service account that Cloud Run has been assigned. To verify which service account your Cloud Run service is using, run this command `gcloud run services describe SERVICE_NAME`. See this [document](https://cloud.google.com/sdk/gcloud/reference/run/services/describe) – John Hanley Jun 15 '23 at 21:33
  • Thanks, that command does show that the correct service account is being used, while I'm still getting the insufficient scope error when making the call with a Cloud client library. – Xueming Zhang Jun 15 '23 at 22:08
  • The details about scopes and how you are generating requests are not in your post. – John Hanley Jun 15 '23 at 22:18
  • Updated with more context, thank you. – Xueming Zhang Jun 15 '23 at 22:38
  • Google Cloud Shell is using your credentials (the one you log in with). Which IAM roles does your account have? The minimum role is `roles/run.invoker`. https://cloud.google.com/run/docs/reference/iam/roles – John Hanley Jun 16 '23 at 02:30
  • Thanks for following up on this. I'm using my personal user to log in and my personal user has the run.admin role. I'm able to run the service but I'm getting the insufficient scope error from the Google Cloud service when my Cloud Run service sends a gRPC request to it. So I believe it's because the correct service account is not being picked up by the application default credentials when my Cloud Run service is making the call, even though the service account is already associated with my Cloud Run service. – Xueming Zhang Jun 17 '23 at 19:20
  • Edit your post and include the IAM roles for the service account. Show the command that you used to determine those roles. Most of the details in your question do not apply, I would rewrite it to focus on the correct item (service account principal's IAM roles). – John Hanley Jun 17 '23 at 19:26
  • Thanks. I did some experiments and the log message starting with "Default credentials provider" does indicate which service account is used by ADC. When I run the service locally on minikube with the gcloud auth add-on enabled, I see "Default credentials provider for service account aca-prober-svc-acct@project-doc-ref-client.iam.gserviceaccount.com", which is the service account I want, and everything works fine. But when I deploy the service with the same config to Cloud Run and invoke it there, it gives the log message in the post, which indicates the wrong service account is used, and the call fails. – Xueming Zhang Jun 21 '23 at 00:21

1 Answer

The issue is that the fixed credentials provider does not set the default cloud API scope on the credentials when used with ADC; I need to add the auth scope explicitly to the credentials before using them in the gRPC call. It looks like this in code:

```java
// googleCredentials comes from GoogleCredentials.getApplicationDefault();
// the scope must be attached explicitly before wrapping it in a FixedCredentialsProvider.
.setCredentialsProvider(FixedCredentialsProvider.create(
    googleCredentials.createScoped("some scope"))
)
```
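A fuller version of the fix above, written here as an added example rather than the answerer's own code: it loads ADC, attaches the scope unconditionally, and logs which principal ADC actually resolved to, which is the check this thread kept circling around. On Cloud Run, ADC resolves to the attached service account through the metadata server, and the access token it mints carries only the scopes the code asks for, so the scope has to be supplied explicitly. The `cloud-platform` scope, the class name, and the `FooSettings` placeholder in the comment are assumptions for this example; substitute the narrower scope your target API documents if it has one.

```java
import com.google.api.gax.core.CredentialsProvider;
import com.google.api.gax.core.FixedCredentialsProvider;
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import java.io.IOException;
import java.util.List;

/**
 * Builds a CredentialsProvider from Application Default Credentials with the
 * OAuth scope(s) attached explicitly, so the same code works locally
 * (key file in GOOGLE_APPLICATION_CREDENTIALS) and on Cloud Run (metadata server).
 */
public final class ScopedAdcProvider {

    // Assumed scope for this example: broad scope accepted by most Google Cloud APIs.
    // Prefer the narrower scope the target API documents, if it has one.
    static final String CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform";

    /**
     * ADC with the given scopes applied. Scopes are applied unconditionally rather than
     * behind createScopedRequired(): on Cloud Run the metadata-server token only carries
     * the scopes that were requested, and FixedCredentialsProvider adds none on its own.
     */
    static GoogleCredentials scopedAdc(List<String> scopes) throws IOException {
        GoogleCredentials adc = GoogleCredentials.getApplicationDefault();
        return adc.createScoped(scopes);
    }

    /** Which principal ADC resolved to; log this once at startup to verify the identity. */
    static String describeIdentity(GoogleCredentials creds) throws IOException {
        if (creds instanceof ComputeEngineCredentials) {
            // Cloud Run / GCE: the attached service account, read from the metadata server.
            return "metadata server identity: " + ((ComputeEngineCredentials) creds).getAccount();
        }
        if (creds instanceof ServiceAccountCredentials) {
            // Local run with GOOGLE_APPLICATION_CREDENTIALS pointing at a key file.
            return "key-file identity: " + ((ServiceAccountCredentials) creds).getClientEmail();
        }
        return "other ADC type: " + creds.getClass().getSimpleName();
    }

    /** The provider to hand to any client's Settings builder. */
    static CredentialsProvider provider(List<String> scopes) throws IOException {
        return FixedCredentialsProvider.create(scopedAdc(scopes));
    }

    public static void main(String[] args) throws IOException {
        GoogleCredentials creds = scopedAdc(List.of(CLOUD_PLATFORM_SCOPE));
        System.out.println(describeIdentity(creds));
        // Wire it into a client (FooSettings is a placeholder for the real Settings class):
        //   FooSettings.newBuilder()
        //       .setCredentialsProvider(provider(List.of(CLOUD_PLATFORM_SCOPE)))
        //       .build();
    }
}
```

When this runs on Cloud Run, `describeIdentity` should print the email of the service account attached to the service (the same one `gcloud run services describe` reports); if it prints a different account, the deployment, not the scoping, is the problem.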