
GCloud App Engine (flexible) Default Service Account Scope

I'm trying to connect to a Google Calendar from a service running in the GCP App Engine flexible environment using the default service account. I have set the correct scope required to access the calendar's events read-only ( https://www.googleapis.com/auth/calendar.events.readonly ), and I'm able to access the calendar locally when impersonating the service account.

My service runs on Java Spring Boot and is getting the error below:

{
  "message": "Request had insufficient authentication scopes.",
  "status": "PERMISSION_DENIED",
  "details": [
    {
      "@type": "type.googleapis.com/google.rpc.ErrorInfo",
      "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
      "domain": "googleapis.com",
      "metadata": {
        "service": "calendar-json.googleapis.com",
        "method": "calendar.v3.Events.List"
      }
    }
  ]
}

Code Snippet

import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport
import com.google.api.client.json.gson.GsonFactory
import com.google.api.client.util.DateTime
import com.google.api.gax.core.GoogleCredentialsProvider   // from gax, pulled in transitively by spring-cloud-gcp-starter
import com.google.api.services.calendar.Calendar
import com.google.auth.http.HttpCredentialsAdapter
import java.util.Date

// Ask the default (application default) credentials for the read-only events scope only.
val scopes = listOf("https://www.googleapis.com/auth/calendar.events.readonly")
val credentialsProvider = GoogleCredentialsProvider.newBuilder().setScopesToApply(scopes).build()

// applicationName and config.calendarId are defined elsewhere in the service.
val calendarService = Calendar.Builder(
        GoogleNetHttpTransport.newTrustedTransport(),
        GsonFactory.getDefaultInstance(),
        HttpCredentialsAdapter(credentialsProvider.credentials))
    .setApplicationName(applicationName)
    .build()

// List the next four upcoming events, expanding recurring events into single instances.
calendarService.events().list(config.calendarId)
    .setSingleEvents(true)
    .setTimeMin(DateTime(Date()))
    .setMaxResults(4)
    .execute()

Dependencies

  • com.google.cloud:spring-cloud-gcp-dependencies:3.1.0
  • org.springframework.cloud:spring-cloud-dependencies:2021.0.1
  • com.google.cloud:spring-cloud-gcp-starter
  • com.google.auth:google-auth-library-appengine
  • com.google.appengine:appengine-api-1.0-sdk
  • com.google.apis:google-api-services-calendar:v3-rev411-1.25.0

What I've Tried

I accessed the metadata endpoint on the app instance directly to check the provided token, only to find out that the given token has no calendar scope.

$ curl -s "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.events.readonly" -H 'Metadata-Flavor: Google'
{"access_token":"ya29.xxxxxx....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................","expires_in":3518,"token_type":"Bearer"}

$ curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$token" https://www.googleapis.com/oauth2/v1/tokeninfo
{
  "issued_to": "xxxxxxx",
  "audience": "xxxxxxx",
  "scope": "https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/appengine.apis",
  "expires_in": 3493,
  "email": "<project-id>@appspot.gserviceaccount.com",
  "verified_email": true,
  "access_type": "online"
}

Google Compute Engine instances can have the permissions of the service account limited by access scopes.

The scopes that you list are the default access scopes (link). This means the scopes you add are filtered out by the VM instance settings.

In the Google Cloud Console GUI, change the Access scopes for the VM instance to Allow full access to all Cloud APIs. You can also use the CLI (link).
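A quick way to confirm the answer's diagnosis on the instance itself, as an added shell example (not part of the question or the answer): it repeats the two curl calls from the question and checks whether the scope the application asked for actually came back in the token. `granted_scopes_for` must run on the VM, because it talks to the metadata server; `scopes_from_tokeninfo` and `has_scope` work offline, and the tokeninfo body quoted in the question is embedded as a constructed sample. The scope list is matched on whole entries, so having `cloud-platform` does not count as having the Calendar scope, which is exactly what the question's own tokeninfo output shows. The URL encoding with sed and the use of curl are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: check whether the metadata server's token carries a requested scope.
# Assumes curl is installed; JSON fields are pulled out with sed so no jq is needed.

METADATA_TOKEN_URL='http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token'
TOKENINFO_URL='https://www.googleapis.com/oauth2/v1/tokeninfo'

# Print the space-separated "scope" value from a tokeninfo JSON body.
scopes_from_tokeninfo() {
  printf '%s' "$1" | tr -d '\n' | sed -n 's/.*"scope"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 only if REQUIRED appears as a whole entry in the space-separated LIST.
# Whole-entry matching matters: ".../auth/calendar" is not granted by
# ".../auth/calendar.events.readonly", and cloud-platform is not the Calendar scope.
has_scope() {
  local list="$1" required="$2" s
  for s in $list; do
    [ "$s" = "$required" ] && return 0
  done
  return 1
}

# On the VM: request a token for REQUIRED from the metadata server (as in the question),
# then ask tokeninfo which scopes the token really has. Prints the granted scope list.
granted_scopes_for() {
  local required="$1" enc body token
  enc=$(printf '%s' "$required" | sed 's/:/%3A/g; s#/#%2F#g')   # minimal URL encoding for a scope URL
  body=$(curl -sf "${METADATA_TOKEN_URL}?scope=${enc}" -H 'Metadata-Flavor: Google') || return 2
  token=$(printf '%s' "$body" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$token" ] || return 2
  body=$(curl -sf -H 'Content-Type: application/x-www-form-urlencoded' -d "access_token=${token}" "$TOKENINFO_URL") || return 2
  scopes_from_tokeninfo "$body"
}

# Exit 0 if the scope was granted, 1 if the instance access scopes filtered it out,
# 2 if the metadata server or tokeninfo could not be reached.
check_scope() {
  local required="$1" granted
  granted=$(granted_scopes_for "$required") || { echo "could not query metadata server / tokeninfo" >&2; return 2; }
  if has_scope "$granted" "$required"; then
    echo "OK: token carries $required"
  else
    echo "MISSING: $required was filtered out by the instance access scopes" >&2
    echo "granted scopes: $granted" >&2
    return 1
  fi
}

# Constructed sample: the tokeninfo body quoted in the question above.
SAMPLE_TOKENINFO='{
  "scope": "https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/appengine.apis",
  "email": "<project-id>@appspot.gserviceaccount.com"
}'

# Usage on the instance:  ./scopecheck.sh --check https://www.googleapis.com/auth/calendar.events.readonly
if [ "${1:-}" = "--check" ]; then
  check_scope "${2:-https://www.googleapis.com/auth/calendar.events.readonly}"
fi
```

Run with `--check` on the flexible-environment VM before and after changing the access scopes; a non-zero exit means the application-level fix (requesting the scope in code) cannot work until the instance scopes allow it.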
