从K8S集群调用时，Google API的“身份验证范围不足”

Question

I'm trying to report Node.js errors to Google Error Reporting, from one of our kubernetes deployments running on a GCP/GKE cluster with RBAC. (ie permissions defined in a service account associated to the cluster)

const googleCloud = require('@google-cloud/error-reporting');
const googleCloudErrorReporting = new googleCloud.ErrorReporting();
googleCloudErrorReporting.report('[test] dummy error message');

This works only in certain environments:

• it works when run on my laptop, using a service account that has the "Errors Writer" role
• it works when running in my cluster as a K8S job, after having added the "Errors Writer" role to that cluster's service account
• it causes the following error when called from my Node.js application running in one of my K8S deployments:

ERROR:@google-cloud/error-reporting: Encountered an error while attempting to transmit an error to the Stackdriver Error Reporting API.

Error: Request had insufficient authentication scopes.

It feels like the job did pick up the permission changes of the cluster's service account, whereas my deployment did not.

I did try to re-create the deployment to make it refresh its auth token, but the error is still happening...

Any ideas?

UPDATE : I ended up following Jérémie Girault's suggestion : create a service account and bind it to my deployment. It works!

Answer 1

The error message has to do with the access scopes set on the cluster when using the default service account. You must enable access to the appropriate API.

As you mentioned, creating a separate service account, providing it the appropriate IAM permissions and linking it to your cluster or workload will bypass this error as well.