GCloud App Engine（灵活）默认服务帐户 Scope

Question

I'm trying to connect to a google calendar from service running in GCP App Engine flexible environment using default service account. I have set correct scope required to access the calendar to read only events ( https://www.googleapis.com/auth/calendar.events.readonly ) and I'm able to access the calendar locally when impersonating the service account.

My service runs on java spring boot and getting below error

{
  "message": "Request had insufficient authentication scopes.",
  "status": "PERMISSION_DENIED",
  "details": [
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
    "domain": "googleapis.com",
    "metadata": {
      "service": "calendar-json.googleapis.com",
      "method": "calendar.v3.Events.List"
    }
  }
}

Code Snippet

val scopes = listOf("https://www.googleapis.com/auth/calendar.events.readonly")
val credentialsProvider = GoogleCredentialsProvider.newBuilder().setScopesToApply(scopes).build()

val calendarService = Calendar.Builder(GoogleNetHttpTransport.newTrustedTransport(),
                                GsonFactory.getDefaultInstance(),
                                HttpCredentialsAdapter(credentialsProvider.credentials))
            .setApplicationName(applicationName)
            .build()

calendarService.events().list(config.calendarId)
            .setSingleEvents(true)
            .setTimeMin(DateTime(Date()))
            .setMaxResults(4)
            .execute()

Dependencies

• com.google.cloud:spring-cloud-gcp-dependencies:3.1.0
• org.springframework.cloud:spring-cloud-dependencies:2021.0.1
• com.google.cloud:spring-cloud-gcp-starter
• com.google.auth:google-auth-library-appengine
• com.google.appengine:appengine-api-1.0-sdk
• com.google.apis:google-api-services-calendar:v3-rev411-1.25.0

What I've Tried

I have accessed the metadata endpoint on app instance directly to check provided token. Only to find out the given token has no specified calendar scope.

$ curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.events.readonly" -H 'Metadata-Flavor: Google'
{"access_token":"ya29.xxxxxx....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................","expires_in":3518,"token_type":"Bearer"}

$ curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$token" https://www.googleapis.com/oauth2/v1/tokeninfo
{
  "issued_to": "xxxxxxx",
  "audience": "xxxxxxx",
  "scope": "https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/appengine.apis",
  "expires_in": 3493,
  "email": "<project-id>@appspot.gserviceaccount.com",
  "verified_email": true,
  "access_type": "online"
}

Answer 1

Google Compute Engine instance can have the permissions of the service account limited by access scopes .

The scopes that you list are the default access scopes link . This means the scopes you add are filtered out by the VM instance settings.

In the Google Cloud Console GUI, change the Access scopes for the VM instance to be Allow full access to all Cloud APIs . You can also use the CLI link .