I am trying to issue certificates including a wildcard using Certbot. The instructions for google-dns are clear, but I am stuck on the permissions and getting the following permission issue.

Encountered 403 Forbidden with reason "insufficientPermissions"
Encountered 403 Forbidden with reason "insufficientPermissions"
Error finding zone. Skipping cleanup.
Encountered error finding managed zone: <HttpError 403 when requesting https://dns.googleapis.com/dns/v1/projects/example/managedZones?dnsName=example.com.&alt=json returned "Request had insufficient authentication scopes.". Details: "[{'message': 'Insufficient Permission', 'domain': 'global', 'reason': 'insufficientPermissions'}]">

I've added the DNS Admin role to my DNS Zone Permissions and the DNS Reader role to my Project IAM Permissions under the principal of my main email for the account. What is going on?

Maciek Semik

1 Answer

Most likely you are not using the credentials that you think you are.

By default, the plugin will use ADC (Application Default Credentials) that are set up by the CLI gcloud. You might not have set up those credentials with the correct account.

Run the command gcloud auth application-default login and try again.

Your other option is to use the plugin command flag --dns-google-credentials to specify the service account JSON key file.

John Hanley
  • I feel like I missed a whole step here. So do I first install Google Cloud CLI onto my Compute Engine Instance? And then do the following steps outlined in Certbot Google documentation? I was under the impression that when I log in through SSH, that creates credentials. – Maciek Semik Jul 28 '23 at 01:22
  • @MaciekSemik - Compute Engine has its own default credentials. You mentioned you added the IAM role to your email account. Compute Engine does not use your account. Your options are 1) to add the IAM role to the service account assigned to your Compute Engine instance (recommended) or 2) to run `gcloud auth application-default login` while logged into Compute Engine via SSH. You mention SSH; those `keys` are a different type of credential. – John Hanley Jul 28 '23 at 01:46
  • @MaciekSemik - If you chose to add an IAM role to the Compute Engine service account, you must set the VM Access Scopes to `All APIs`. If all of this confuses you, run the `gcloud` command and then study Google Cloud Authorization. – John Hanley Jul 28 '23 at 01:48