Insufficient authentication scopes error using Google API

Solution 1

Update

Now it is supported. You have to stop the instance in order to change the API scope. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes

Original answer

It turned out that I had to enable the Cloud API access scope for the services on Google Cloud Console for VM instance details: https://console.cloud.google.com/compute/instances

Unfortunately, I couldn't change it because Google Cloud doesn't support it for now. I had to start a new instance to enable a service API access. https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/13101552-ability-to-change-cloud-api-access-scopes-on-launc

Solution 2

It is possible now. Your instance must be stopped and then it can have its scope list changed from the console in the edit VM page, or in the SDK by using:

    gcloud compute instances stop [vmname]
    gcloud beta compute instances set-scopes [vmname] --scopes="[scopes list]"

Just be aware that with the SDK way, the second command will reset the scopes to those in the list. The ability to only append a new scope is not currently available.
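
Because the set-scopes command replaces the whole list, the scopes the VM already has must be carried over when one is added. The following is an added example, not part of either answer: it merges the current scopes with the one that is missing (the Pub/Sub scope from the question) and prints the two commands from Solution 2 with the full list filled in, without running gcloud. The name `my-vm`, the function names and the sample scope list are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the full scope list (existing + new) for set-scopes,
# which replaces the instance's scopes rather than appending to them.

# merge_scopes CURRENT NEW
# Scope URLs may be separated by newlines, commas, semicolons or spaces.
# Prints a de-duplicated, comma-separated list in first-seen order.
merge_scopes() {
    printf '%s\n%s\n' "$1" "$2" |
        tr ',; \t' '\n\n\n\n' |
        awk 'NF && !seen[$0]++ { out = out (out ? "," : "") $0 } END { print out }'
}

# has_scope CURRENT SCOPE: succeeds if SCOPE is already in CURRENT.
has_scope() {
    printf '%s\n' "$1" | tr ',; \t' '\n\n\n\n' | grep -Fxq -- "$2"
}

# plan_scope_change VMNAME CURRENT NEEDED
# Prints the commands from Solution 2 with the merged list filled in.
# Prints nothing when the scope is already granted (no restart needed).
plan_scope_change() {
    if has_scope "$2" "$3"; then
        return 0
    fi
    printf 'gcloud compute instances stop %s\n' "$1"
    printf 'gcloud beta compute instances set-scopes %s --scopes="%s"\n' \
        "$1" "$(merge_scopes "$2" "$3")"
}

# Constructed sample: current scopes, one per line. On the VM itself the
# metadata server lists them in this form at
# http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes
# (request header "Metadata-Flavor: Google").
CURRENT_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write'
PUBSUB_SCOPE='https://www.googleapis.com/auth/pubsub'

plan_scope_change my-vm "$CURRENT_SCOPES" "$PUBSUB_SCOPE"
```

Granting only the scope the application requests keeps the instance's default credentials narrower than adding a broad scope to make the 403 go away.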

Author: seferov

Updated on October 15, 2020

Comments

  • seferov over 3 years

    I set up Google SDK to use Google API with Application Default Credentials. For my local machine, I created a credentials JSON file and set its path as the GOOGLE_APPLICATION_CREDENTIALS environment variable. This worked as expected without a problem.

    However, when the app is deployed to Google Cloud VM, it throws the following error:

    [Google_Service_Exception]
    {
        "error": {
          "code": 403,
          "message": "Request had insufficient authentication scopes.",
          "errors": [
            {
              "message": "Request had insufficient authentication scopes.",
              "domain": "global",
              "reason": "forbidden"
            }
          ],
          "status": "PERMISSION_DENIED"
        }
    }
    

    According to the documentation, the built-in service account should be associated with the virtual machine instance. To make it work, I tried to use a credentials JSON file as I did on my local machine (which worked fine) but it didn't work either.

    Note that the error message is about scopes, not an auth problem. What should I do to make it work on a Compute Engine VM instance?

    Here is the client initialisation code:

    $client = new Google_Client();
    $client->useApplicationDefaultCredentials();
    $client->addScope(Google_Service_Pubsub::PUBSUB);
    
  • gil.fernandes over 6 years
    It seems that as of December 2016 you can change the access scopes on stopped VMs. There is now a reply on this link: googlecloudplatform.uservoice.com/forums/302595-compute-engine/…