Insufficient authentication scopes error using Google API
Solution 1
Update
Now it is supported. You have to stop instance in order to change API scope. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes
Original answer
It turned out that I had to enable Cloud API access scope for the services on Google Cloud Console for VM instance details: https://console.cloud.google.com/compute/instances
Unfortunately, I couldn't changed it because Google Cloud doesn't support it for now. I had to start a new instance to enable a service API access. https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/13101552-ability-to-change-cloud-api-access-scopes-on-launc
Solution 2
It is possible now. Your instance must be stopped and then it can have its scope list changed from the console in the edit vm page, or in the SDK by using :
gcloud compute instances stop [vmname]
gcloud beta compute instances set-scopes [vmname] --scopes="[scopes list]"
Just be aware that with the SDK way, the second command will reset with the scopes in the list. It is not currently available the ability to only append a new scope.
Comments
-
seferov over 3 years
I set up Google SDK to use Google API with Application Default Credentials. For my local machine, created a credentials json file and set its path as
GOOGLE_APPLICATION_CREDENTIALS
as environment variable. This is worked as expected without a problem.However, when the app is deployed to Google Cloud VM, it throws the following error:
[Google_Service_Exception] { "error": { "code": 403, "message": "Request had insufficient authentication scopes.", "errors": [ { "message": "Request had insufficient authentication scopes.", "domain": "global", "reason": "forbidden" } ], "status": "PERMISSION_DENIED" } }
According to the documentation, the built-in service account should be associated with the virtual machine instance. To make it work, I tried to use credentials json file as I did on local machine (which worked fine) but it didn't work either.
To note, the error message is about scopes but not auth problem. What to do to make it work on Compute Engine VM instance?
To give client initialisation code:
$client = new Google_Client(); $client->useApplicationDefaultCredentials(); $client->addScope(Google_Service_Pubsub::PUBSUB);
-
gil.fernandes over 6 yearsIt seems that you as of December 2016 you can change the access scopes on stopped VMs. There is now a reply on this link: googlecloudplatform.uservoice.com/forums/302595-compute-engine/…