Reputation: 2680
Insufficient authentication scopes error during cloud task creation
My java application is performing 2 tasks. Listening on pub-sub for new messages and creating cloud tasks. Further, it is using default compute service account which has all the roles asigned. Now, we are running the compute instance with the default service account having below scopes.
serviceAccounts:
- email: ***********-compute@developer.gserviceaccount.com
scopes:
- https://www.googleapis.com/auth/devstorage.read_only
- https://www.googleapis.com/auth/logging.write
- https://www.googleapis.com/auth/monitoring.write
- https://www.googleapis.com/auth/pubsub
- https://www.googleapis.com/auth/service.management.readonly
- https://www.googleapis.com/auth/servicecontrol
- https://www.googleapis.com/auth/taskqueue
- https://www.googleapis.com/auth/trace.append
However, during runtime, we are able to consume the messages. But, We are getting below exception during cloud task creation.
com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Request had insufficient authentication scopes.
at com.google.api.gax.rpc.ApiExceptionFactory.createException(ApiExceptionFactory.java:55)
at com.google.api.gax.grpc.GrpcApiExceptionFactory.create(GrpcApiExceptionFactory.java:72)
at com.google.api.gax.grpc.GrpcApiExceptionFactory.create(GrpcApiExceptionFactory.java:60)
at com.google.api.gax.grpc.GrpcExceptionCallable$ExceptionTransformingFuture.onFailure(GrpcExceptionCallable.java:97)
at com.google.api.core.ApiFutures$1.onFailure(ApiFutures.java:68)
at com.google.common.util.concurrent.Futures$CallbackListener.run(Futures.java:1041)
at com.google.common.util.concurrent.DirectExecutor.execute(DirectExecutor.java:30)
at com.google.common.util.concurrent.AbstractFuture.executeListener(AbstractFuture.java:1215)
at com.google.common.util.concurrent.AbstractFuture.addListener(AbstractFuture.java:724)
at com.google.common.util.concurrent.ForwardingListenableFuture.addListener(ForwardingListenableFuture.java:45)
at com.google.api.core.ApiFutureToListenableFuture.addListener(ApiFutureToListenableFuture.java:52)
at com.google.common.util.concurrent.Futures.addCallback(Futures.java:1014)
at com.google.api.core.ApiFutures.addCallback(ApiFutures.java:63)
at com.google.api.gax.grpc.GrpcExceptionCallable.futureCall(GrpcExceptionCallable.java:67)
at com.google.api.gax.rpc.UnaryCallable$1.futureCall(UnaryCallable.java:126)
at com.google.api.gax.tracing.TracedUnaryCallable.futureCall(TracedUnaryCallable.java:75)
at com.google.api.gax.rpc.UnaryCallable$1.futureCall(UnaryCallable.java:126)
at com.google.api.gax.rpc.UnaryCallable.futureCall(UnaryCallable.java:87)
at com.google.api.gax.rpc.UnaryCallable.call(UnaryCallable.java:112)
at com.google.cloud.tasks.v2.CloudTasksClient.createTask(CloudTasksClient.java:1258)
at com.google.cloud.tasks.v2.CloudTasksClient.createTask(CloudTasksClient.java:1241)
at gcp.storage.services.ExternalURLGenService.lambda$createTask$0(ExternalURLGenService.java:94)
Further, to check whether the account has all the roles assigned, we enabled all the cloud apis on the instance and tried running the app again, and we were successful.
Can anyone please tell me, what additional scope i should assign to my instance?
As a homework, i have checked the documentation, only 2 scopes are mentioned to be provided. i.e.
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/cloud-tasks
Now, i have already given cloud-tasks scope to my instance. However, scope cloud-platform is equivalent to enable all google api's which I do not want.
Upvotes: 1
Views: 1050
Answers (1)
Reputation: 76018
The scope is a legacy way to control the access. Today, and even if the scope is correct, the accesses are checks with IAM services.
Proof of this, if you use a custom service account with Compute Engine, you can't select scope, you can only select scope with the default service account of Compute Engine.
So, no worries, you can allow the full scope of Cloud Platform. But, you need to remove the Editor role of the compute engine default service account. And only grant the required permission.
If you use the Compute Engine default service account with other products, create a new service account and add it to your Compute Engine. At this moment, no longer scope, only IAM role to grant.
Upvotes: 2
Related Questions
- Google Cloud Tasks cannot authenticate to Cloud Run
- Cloud Task Creation : Error: 3 INVALID_ARGUMENT: Request contains an invalid argument
- The principal (user or service account) lacks IAM permission "cloudtasks.tasks.create" for the resource
- DEADLINE_EXCEEDED while adding tasks to Google Cloud Tasks
- Cloud Functions / Cloud Tasks UNAUTHENTICATED error
- What is the right way to authenticate to the GCP Cloud Tasks enqueue API?
- cloudtasks.CreateTask fails: `lacks IAM permission "cloudtasks.tasks.create"` even though my account has that permission
- PERMISSION_DENIED 403 error when triggering HTTP Cloud Function from Cloud Tasks
- Failed to authenticate to Cloud IAP Backend from Cloud Tasks HTTP Request
- Cloud Tasks - Create Task - Error: No connection established, code: 14