
403 permission denied on Google Cloud Datastore .NET client API

Using the new Google Cloud Datastore v1beta client library, I am getting

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "PERMISSION_DENIED",
    "message": "Unauthorized."
   }
  ],
  "code": 403,
  "message": "Unauthorized."
 }
}

for any request. I created an app engine app, added the Cloud Datastore API, configured a service account, and I'm using it to authenticate my requests.

[TestMethod]
public void BasicBlindWrite()
{
    var service = new DatastoreService(new BaseClientService.Initializer() { Authenticator = CreateAuthenticator() });

    var request = new GoogleData.BlindWriteRequest();
    var entity = new GoogleData.Entity();
    entity.Key = new GoogleData.Key();
    entity.Key.Path = new List<KeyPathElement>();
    entity.Key.Path.Add(new GoogleData.KeyPathElement { Kind = "Consumer", Name = "Consumer-1" });
    var firstName = new GoogleData.Property();
    firstName.Values = new List<GoogleData.Value>();
    firstName.Values.Add(new GoogleData.Value { StringValue = "Samuel"});
    entity.Properties = new GoogleData.Entity.PropertiesData();
    entity.Properties.Add("FirstName", firstName);
    request.Mutation = new GoogleData.Mutation();
    request.Mutation.Upsert = new List<GoogleData.Entity>();
    request.Mutation.Upsert.Add(entity);

    var response = service.Datasets.BlindWrite(request, "my-appengine-project-id").Fetch();
}

private OAuth2Authenticator<AssertionFlowClient> CreateAuthenticator()
{
    var certificate = new X509Certificate2(TestClientCredentials.ClientCertificateFilePath, "notasecret",
        X509KeyStorageFlags.Exportable);

    var provider = new AssertionFlowClient(GoogleAuthenticationServer.Description, certificate)
    {
        ServiceAccountId = TestClientCredentials.CertificateEmailAddress,
        Scope = "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/datastore"
    };

    var authenticator = new OAuth2Authenticator<AssertionFlowClient>(provider, AssertionFlowClient.GetState);

    return authenticator;
}

If I use the web API console, it works.

** UPDATE **

Here's how I created the service account:

  1. Created AppEngine application.
  2. Navigated to Google APIs console.
  3. Enabled Google Cloud Datastore API for AppEngine application.
  4. Clicked "Create an OAuth 2.0 client ID..."
  5. Gave it a dummy name.
  6. Selected "Service Account" as Application Type.
  7. Clicked "Create client ID".
  8. Clicked "Download private key" (location represented as TestClientCredentials.ClientCertificateFilePath in code below).

Same answer as this question.

In order for a service account to be properly configured with your Cloud Datastore instance, you have to create it using the Cloud Console as described in the documentation.

Alternatively, if you really want to use the service account you created using the Google APIs console, you can do the following:

  • Go to cloud.google.com/console
  • Click on your project id
  • Click on ⚙
  • Click on Teams
  • Click Add member
  • Add your service account as a Viewer
