Compute Engine accessing DataStore get Invalid Credentials (code: 401)

Question

I am following the tutorial on https://cloud.google.com/datastore/docs/getstarted/start_nodejs/ trying to use datastore from my Compute Engine project.

Step 2 in the tutorial mentioned I do not have to create new service account credentials when running from Compute Engine.

I run the sample with:

node test.js abc-test-123

where abc-test-123 is my Project Id and that project have enabled all cloud API access including DataStore API.

After uploaded the code and executed the sample, I got the following error:

Adams: { 'rpc error': { [Error: Invalid Credentials] code: 401, errors: [ [Object] ] } }

Update:

I did a workaround by changing the default sample code to use the JWT credential way (with a generated .json key file) and things are working now.

Update 2:

This is the scope config when I run

gcloud compute instances describe abc-test-123

And the result:

serviceAccounts:
   scopes:
  - https://www.googleapis.com/auth/cloud-platform

According to the doc:

You can set scopes only when you create a new instance, and cannot change or expand the list of scopes for existing instances. For simplicity, you can choose to enable full access to all Google Cloud Platform APIs with the https://www.googleapis.com/auth/cloud-platform scope.

I still welcome any answer about why the original code not work in my case~ Thanks for reading

Answer 1

There are 2 way to create an instance with right credential:

1. gcloud compute instances create $INSTANCE_NAME --scopes datastore,userinfo-email
2. Using web: on Access & Setting Enable User Info & Datastore

Answer 2

This most likely means that when you created the instance, you didn't specify the right scopes (datastore and userinfo-email according to the tutorial). You can check that by executing the following command:

gcloud compute instances describe <instance>

Look for serviceAccounts/scopes in the output.