Manish Bansal

Reputation: 2681

Insufficient authentication scopes error during cloud task creation

My Java application is performing 2 tasks: listening on pub-sub for new messages and creating cloud tasks. Further, it is using the default compute service account, which has all the roles assigned. Now, we are running the compute instance with the default service account having the below scopes.

serviceAccounts:
- email: ***********[email protected]
  scopes:
  - https://www.googleapis.com/auth/devstorage.read_only
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/monitoring.write
  - https://www.googleapis.com/auth/pubsub
  - https://www.googleapis.com/auth/service.management.readonly
  - https://www.googleapis.com/auth/servicecontrol
  - https://www.googleapis.com/auth/taskqueue
  - https://www.googleapis.com/auth/trace.append

However, at runtime, we are able to consume the messages, but we are getting the below exception during cloud task creation.

com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Request had insufficient authentication scopes.
        at com.google.api.gax.rpc.ApiExceptionFactory.createException(ApiExceptionFactory.java:55)
        at com.google.api.gax.grpc.GrpcApiExceptionFactory.create(GrpcApiExceptionFactory.java:72)
        at com.google.api.gax.grpc.GrpcApiExceptionFactory.create(GrpcApiExceptionFactory.java:60)
        at com.google.api.gax.grpc.GrpcExceptionCallable$ExceptionTransformingFuture.onFailure(GrpcExceptionCallable.java:97)
        at com.google.api.core.ApiFutures$1.onFailure(ApiFutures.java:68)
        at com.google.common.util.concurrent.Futures$CallbackListener.run(Futures.java:1041)
        at com.google.common.util.concurrent.DirectExecutor.execute(DirectExecutor.java:30)
        at com.google.common.util.concurrent.AbstractFuture.executeListener(AbstractFuture.java:1215)
        at com.google.common.util.concurrent.AbstractFuture.addListener(AbstractFuture.java:724)
        at com.google.common.util.concurrent.ForwardingListenableFuture.addListener(ForwardingListenableFuture.java:45)
        at com.google.api.core.ApiFutureToListenableFuture.addListener(ApiFutureToListenableFuture.java:52)
        at com.google.common.util.concurrent.Futures.addCallback(Futures.java:1014)
        at com.google.api.core.ApiFutures.addCallback(ApiFutures.java:63)
        at com.google.api.gax.grpc.GrpcExceptionCallable.futureCall(GrpcExceptionCallable.java:67)
        at com.google.api.gax.rpc.UnaryCallable$1.futureCall(UnaryCallable.java:126)
        at com.google.api.gax.tracing.TracedUnaryCallable.futureCall(TracedUnaryCallable.java:75)
        at com.google.api.gax.rpc.UnaryCallable$1.futureCall(UnaryCallable.java:126)
        at com.google.api.gax.rpc.UnaryCallable.futureCall(UnaryCallable.java:87)
        at com.google.api.gax.rpc.UnaryCallable.call(UnaryCallable.java:112)
        at com.google.cloud.tasks.v2.CloudTasksClient.createTask(CloudTasksClient.java:1258)
        at com.google.cloud.tasks.v2.CloudTasksClient.createTask(CloudTasksClient.java:1241)
        at gcp.storage.services.ExternalURLGenService.lambda$createTask$0(ExternalURLGenService.java:94)

Further, to check whether the account has all the roles assigned, we enabled all the cloud APIs on the instance and tried running the app again, and we were successful.

Can anyone please tell me what additional scope I should assign to my instance?

As homework, I have checked the documentation; only 2 scopes are mentioned to be provided, i.e.

https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/cloud-tasks

Now, I have already given the cloud-tasks scope to my instance. However, the cloud-platform scope is equivalent to enabling all Google APIs, which I do not want.

Upvotes: 1

Views: 1049

Answers (1)

guillaume blaquiere

Reputation: 76000

The scope is a legacy way to control access. Today, even if the scope is correct, the accesses are checked with IAM services.

Proof of this: if you use a custom service account with Compute Engine, you can't select scopes; you can only select scopes with the default service account of Compute Engine.

So, no worries, you can allow the full Cloud Platform scope. But you need to remove the Editor role from the Compute Engine default service account and only grant the required permissions.

If you use the Compute Engine default service account with other products, create a new service account and add it to your Compute Engine instance. At that point, there are no longer scopes, only IAM roles to grant.

Upvotes: 2
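The least-privilege setup the answer describes, as an added example that is not part of the original post or the answer: a dedicated service account bound only to the roles the worker needs, attached to the instance together with the cloud-platform scope, plus an audit that reports what is still missing or over-broad. The project, zone, instance and service-account names are placeholders, and the two roles are my assumption of what a Pub/Sub consumer that enqueues Cloud Tasks needs.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Placeholders: PROJECT_ID, ZONE,
# INSTANCE, SA_NAME. Needs an authenticated gcloud with project-level IAM rights.
set -eu
PROJECT_ID="${PROJECT_ID:-example-project}"
ZONE="${ZONE:-us-central1-a}"
INSTANCE="${INSTANCE:-tasks-worker}"
SA_NAME="${SA_NAME:-tasks-worker-sa}"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
# Assumed least-privilege roles for a Pub/Sub consumer that enqueues tasks.
REQUIRED_ROLES="roles/pubsub.subscriber roles/cloudtasks.enqueuer"

# True when a "key: URL" scope listing (gcloud --format flattened) has cloud-platform.
has_cloud_platform_scope() { printf '%s\n' "$1" | grep -q 'auth/cloud-platform$'; }

# Print each required role absent from a newline-separated list of bound roles.
missing_roles() {
  local role
  for role in $REQUIRED_ROLES; do
    printf '%s\n' "$1" | grep -Fqx "$role" || echo "$role"
  done
}

# Create the SA, bind only REQUIRED_ROLES, attach it with the cloud-platform
# scope (the instance must be stopped to change its SA or scopes), restart.
apply() {
  local role
  gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID"
  for role in $REQUIRED_ROLES; do
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member "serviceAccount:${SA_EMAIL}" --role "$role"
  done
  gcloud compute instances stop "$INSTANCE" --zone "$ZONE"
  gcloud compute instances set-service-account "$INSTANCE" --zone "$ZONE" \
    --service-account "$SA_EMAIL" --scopes cloud-platform
  gcloud compute instances start "$INSTANCE" --zone "$ZONE"
}

# Report missing scope/roles and flag Editor, the broad role the answer removes.
audit() {
  local scopes bound
  scopes=$(gcloud compute instances describe "$INSTANCE" --zone "$ZONE" \
    --format 'flattened(serviceAccounts[0].scopes)')
  bound=$(gcloud projects get-iam-policy "$PROJECT_ID" --flatten 'bindings[].members' \
    --format 'value(bindings.role)' --filter "bindings.members:${SA_EMAIL}")
  has_cloud_platform_scope "$scopes" || echo "scope cloud-platform missing"
  missing_roles "$bound" | sed 's/^/missing role: /'
  ! printf '%s\n' "$bound" | grep -Fqx roles/editor || echo "WARNING: roles/editor still bound"
}

case "${1:-}" in apply) apply ;; audit) audit ;; esac
```

Run `./script.sh audit` first to see the current gaps, then `./script.sh apply`; the instance is stopped briefly because Compute Engine only allows the attached service account and scopes to change while it is stopped.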
