LukasSchuetz

Reputation: 101

Google Cloud Endpoint 403 Exception

I'm trying to deploy Google Cloud Functions behind Cloud Endpoints according to these steps:

https://cloud.google.com/endpoints/docs/openapi/get-started-cloud-functions

I followed the steps exactly as described and added API key authentication to the OpenAPI specification.

When I call the endpoint with the API key I get the following error: INTERNAL:Calling Google Service Control API failed with: 403 and body: \bMPermission 'servicemanagement.services.check' denied for the consumer project.

Is there some additional role I have to add to a service account? I did not specify a service account when executing gcloud run deploy.

Thank you for your help

Upvotes: 5

Views: 2331

Answers (2)

Timo Weiser

Reputation: 21

In addition to Lukas's answer:

Cloud Endpoints checks the given API key via Google's Service Management API, "servicemanagement.googleapis.com". This means that the service account calling the Service Management API needs access to it. In most cases this is the project's standard compute account.

You would need to give it the permissions either via gcloud:

gcloud projects add-iam-policy-binding <project> --member serviceAccount:<project_id>[email protected] --role roles/servicemanagement.serviceController

Or via the Cloud Console: Service Controller Permission IAM

Upvotes: 2

LukasSchuetz

Reputation: 101

Just found the solution. Before deploying the endpoint as described in the documentation, I had to create a new service account with the "Service Controller" role and then use it when deploying:

gcloud run deploy --service-account="..."

Upvotes: 5
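
Both answers come down to the same check: the service account the Cloud Run service runs as must hold roles/servicemanagement.serviceController. The following is an added example, not code from either answer, that tests this against the JSON printed by `gcloud projects get-iam-policy <project> --format=json`; the account names and the sample policy are constructed for illustration.

```python
import json

SERVICE_CONTROLLER = "roles/servicemanagement.serviceController"

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/run.invoker",
     "members": ["serviceAccount:esp-gateway@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/servicemanagement.serviceController",
     "members": ["serviceAccount:esp-gateway@example-project.iam.gserviceaccount.com",
                 "deleted:serviceAccount:old-esp@example-project.iam.gserviceaccount.com?uid=123"]},
    {"role": "roles/servicemanagement.serviceController",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "expired",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
  ]
}
""")


def service_controller_status(policy, sa_email, role=SERVICE_CONTROLLER):
    """Return 'granted', 'conditional' or 'missing' for one service account."""
    member = "serviceAccount:" + sa_email
    status = "missing"
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        # Exact match only: "deleted:serviceAccount:..." entries grant nothing.
        if member not in binding.get("members", []):
            continue
        if binding.get("condition"):
            # A conditional grant may not apply when the proxy makes its call.
            status = "conditional"
        else:
            return "granted"
    return status


if __name__ == "__main__":
    for sa in ("esp-gateway", "ci", "old-esp"):
        email = sa + "@example-project.iam.gserviceaccount.com"
        print(email, "->", service_controller_status(SAMPLE_POLICY, email))
```

The check only sees bindings made directly on the project; a role inherited from a folder or organization, or granted through a group, does not appear in this output.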
