Reputation: 677
I am new to Google Cloud Platform. I have set up a Google VM instance. I am facing an authentication issue on my local machine while running the command:
python manage.py makemigrations
Can you please suggest some tips/steps to resolve this?
Error Trace
  File "/constants.py", line 18, in <module>
    table_data = datastore_fetch(project_id, entity_kind)
  File "/datastore_helper.py", line 23, in datastore_fetch
    results = list(query.fetch())
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/query.py", line 463, in __iter__
    self.next_page()
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/query.py", line 434, in next_page
    transaction_id=transaction and transaction.id,
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/connection.py", line 286, in run_query
    _datastore_pb2.RunQueryResponse)
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/connection.py", line 124, in _rpc
    data=request_pb.SerializeToString())
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/connection.py", line 98, in _request
    raise make_exception(headers, error_status.message, use_json=False)
gcloud.exceptions.Forbidden: 403 Missing or insufficient permissions.
Other Info:
gcloud auth list
Credentialed Accounts:
- [email protected] ACTIVE
To set the active account, run:
$ gcloud config set account `ACCOUNT`
gcloud config list
Your active configuration is: [default]
[core]
account = [email protected]
disable_usage_reporting = True
project = user_project
Input: (Standalone Python Function)
from gcloud import datastore
client = datastore.Client('user_project')
print(vars(client.connection.credentials))
Output:
{'scopes': set([]), 'revoke_uri': 'https://accounts.google.com/o/oauth2/revoke', 'access_token': None, 'token_uri': 'https://www.googleapis.com/oauth2/v4/token', 'token_info_uri': None, 'token_response': None, 'invalid': False, 'refresh_token': u'1/t-V_pZicXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'client_id': u'3XXXXXXXX9.apps.googleusercontent.com', 'id_token': None, 'client_secret': u'ZXXXXXXXXXXXXXXXXXXX2', 'token_expiry': None, 'store': None, 'user_agent': 'Python client library'}
VM Details
Firewalls
Allow HTTP traffic
Allow HTTPS traffic
Availability policies
Preemptibility Off (recommended)
Automatic restart
On (recommended)
On host maintenance
Migrate VM instance (recommended)
Custom metadata
None
SSH Keys
Block project-wide SSH keys
None
Service account
service-account@user_project.iam.gserviceaccount.com
Cloud API access scopes
This instance has full API access to all Google Cloud services.
Thanks,
Upvotes: 7
Views: 10378
Reputation: 2544
With the datastore emulator in local development I had to set the apiEndpoint based on the Datastore and DatastoreClient docs. There may be a more elegant way to handle this; however, this resolved the code 7 "Missing or insufficient permissions." errors in local development. (I'm using Firestore in Datastore mode.)
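// Node.js myapp.js excerpt: config change for running locally
const {Datastore} = require('@google-cloud/datastore');
// `serviceaccount` is the client options object defined elsewhere in myapp.js (not part of this excerpt).
// Point the client at the local emulator when DATASTORE_EMULATOR_HOST is set.
if (process.env.DATASTORE_EMULATOR_HOST) {
  serviceaccount.apiEndpoint = process.env.DATASTORE_EMULATOR_HOST;
}
const datastore = new Datastore(serviceaccount);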
$ gcloud beta emulators datastore start --data-dir=./emulator-data/
....
[datastore] API endpoint: http://localhost:8081
[datastore] If you are using a library that supports the DATASTORE_EMULATOR_HOST environment variable, run:
[datastore]
[datastore] export DATASTORE_EMULATOR_HOST=localhost:8081
[datastore]
[datastore] Dev App Server is now running.
$ export DATASTORE_EMULATOR_HOST=localhost:8081 && MYHOST='http://localhost:8111' ndb node myapp.js
Upvotes: 0
Reputation: 677
Just ran these two commands:
1. gcloud beta auth application-default login
2. export GOOGLE_APPLICATION_CREDENTIALS='/<path_to_json>/client_secrets.json'
from local machine and it started working.
Upvotes: 3
Reputation: 8980
The behavior for application default credentials has changed in gcloud since version 128.
One should use
gcloud auth application-default login
instead.
Note that changing credentials via gcloud auth login, gcloud init, or gcloud config set account MY_ACCOUNT will NOT affect application default credentials; they are managed separately from gcloud credentials.
Upvotes: 12
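Added example (not part of any post above, and not code from the gcloud client libraries): a stdlib-only sketch of the lookup order that application default credentials follow, to check which credential a client library would pick up independently of what gcloud auth list reports. The function names, the Linux/macOS path layout and the sample credential files are assumptions constructed for illustration; secret fields are redacted rather than printed.

```python
import json
import os
import tempfile

# Fields that should never reach a terminal, log or forum post.
SECRET_KEYS = {"client_secret", "refresh_token", "private_key", "private_key_id"}

def well_known_path(env):
    """File written by `gcloud auth application-default login` (Linux/macOS layout)."""
    cfg = env.get("CLOUDSDK_CONFIG") or os.path.join(env.get("HOME", ""), ".config", "gcloud")
    return os.path.join(cfg, "application_default_credentials.json")

def describe(path, source):
    """Load a credential file and report its type with secrets masked."""
    with open(path) as fh:
        data = json.load(fh)
    fields = {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in data.items()}
    return {"source": source, "path": path, "type": data.get("type"), "fields": fields}

def resolve_adc(env):
    """ADC search order; the active gcloud account and config are never consulted."""
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        return describe(explicit, "GOOGLE_APPLICATION_CREDENTIALS")
    wk = well_known_path(env)
    if os.path.isfile(wk):
        return describe(wk, "well-known file")
    # Only reachable on GCP compute; on a laptop this step fails.
    return {"source": "metadata server (attached service account)",
            "path": None, "type": None, "fields": {}}

def demo():
    """Constructed sample files in a temp HOME; no real credentials involved."""
    home = tempfile.mkdtemp()
    env = {"HOME": home}
    first = resolve_adc(env)  # nothing on disk yet
    os.makedirs(os.path.join(home, ".config", "gcloud"))
    user = {"type": "authorized_user", "client_id": "constructed-id",
            "client_secret": "constructed-secret", "refresh_token": "constructed-token"}
    with open(well_known_path(env), "w") as fh:
        json.dump(user, fh)
    second = resolve_adc(env)  # user credential from application-default login
    sa_path = os.path.join(home, "sa.json")
    with open(sa_path, "w") as fh:
        json.dump({"type": "service_account", "client_email": "sa@example.invalid",
                   "private_key": "constructed-key"}, fh)
    third = resolve_adc(dict(env, GOOGLE_APPLICATION_CREDENTIALS=sa_path))  # env var wins
    return first, second, third

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Calling resolve_adc(os.environ) on a real machine reports the source and credential type without exposing the refresh token or client secret.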