Reputation: 2681
My Java application performs two tasks: listening on Pub/Sub for new messages and creating Cloud Tasks. It uses the default Compute service account, which has all the roles assigned. We are running the Compute instance with the default service account, which has the scopes below:
serviceAccounts:
- email: ***********[email protected]
  scopes:
  - https://www.googleapis.com/auth/devstorage.read_only
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/monitoring.write
  - https://www.googleapis.com/auth/pubsub
  - https://www.googleapis.com/auth/service.management.readonly
  - https://www.googleapis.com/auth/servicecontrol
  - https://www.googleapis.com/auth/taskqueue
  - https://www.googleapis.com/auth/trace.append
At runtime we are able to consume the messages, but we get the exception below during Cloud Task creation.
com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Request had insufficient authentication scopes.
at com.google.api.gax.rpc.ApiExceptionFactory.createException(ApiExceptionFactory.java:55)
at com.google.api.gax.grpc.GrpcApiExceptionFactory.create(GrpcApiExceptionFactory.java:72)
at com.google.api.gax.grpc.GrpcApiExceptionFactory.create(GrpcApiExceptionFactory.java:60)
at com.google.api.gax.grpc.GrpcExceptionCallable$ExceptionTransformingFuture.onFailure(GrpcExceptionCallable.java:97)
at com.google.api.core.ApiFutures$1.onFailure(ApiFutures.java:68)
at com.google.common.util.concurrent.Futures$CallbackListener.run(Futures.java:1041)
at com.google.common.util.concurrent.DirectExecutor.execute(DirectExecutor.java:30)
at com.google.common.util.concurrent.AbstractFuture.executeListener(AbstractFuture.java:1215)
at com.google.common.util.concurrent.AbstractFuture.addListener(AbstractFuture.java:724)
at com.google.common.util.concurrent.ForwardingListenableFuture.addListener(ForwardingListenableFuture.java:45)
at com.google.api.core.ApiFutureToListenableFuture.addListener(ApiFutureToListenableFuture.java:52)
at com.google.common.util.concurrent.Futures.addCallback(Futures.java:1014)
at com.google.api.core.ApiFutures.addCallback(ApiFutures.java:63)
at com.google.api.gax.grpc.GrpcExceptionCallable.futureCall(GrpcExceptionCallable.java:67)
at com.google.api.gax.rpc.UnaryCallable$1.futureCall(UnaryCallable.java:126)
at com.google.api.gax.tracing.TracedUnaryCallable.futureCall(TracedUnaryCallable.java:75)
at com.google.api.gax.rpc.UnaryCallable$1.futureCall(UnaryCallable.java:126)
at com.google.api.gax.rpc.UnaryCallable.futureCall(UnaryCallable.java:87)
at com.google.api.gax.rpc.UnaryCallable.call(UnaryCallable.java:112)
at com.google.cloud.tasks.v2.CloudTasksClient.createTask(CloudTasksClient.java:1258)
at com.google.cloud.tasks.v2.CloudTasksClient.createTask(CloudTasksClient.java:1241)
at gcp.storage.services.ExternalURLGenService.lambda$createTask$0(ExternalURLGenService.java:94)
Further, to check whether the account has all the roles assigned, we enabled all the Cloud APIs on the instance and tried running the app again, and it was successful.
Can anyone please tell me what additional scope I should assign to my instance?
As homework, I have checked the documentation; only two scopes are mentioned to be provided, i.e.
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/cloud-tasks
Now, I have already given the cloud-tasks scope to my instance. However, the cloud-platform scope is equivalent to enabling all Google APIs, which I do not want.
Upvotes: 1
Views: 1049
Reputation: 76000
The scope is a legacy way to control access. Today, even if the scope is correct, access is checked by IAM.
Proof of this: if you use a custom service account with Compute Engine, you can't select scopes; you can only select scopes with the Compute Engine default service account.
So, no worries, you can allow the full Cloud Platform scope. But you need to remove the Editor role from the Compute Engine default service account, and grant only the required permissions.
If you use the Compute Engine default service account with other products, create a new service account and add it to your Compute Engine instance. At that point there are no longer scopes, only IAM roles to grant.
Upvotes: 2
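The two halves of this thread, the asker's scope list and the answer's point that scopes only gate the token while IAM gates the call, can be checked before deploying. Below is an added diagnostic (not code from the question or the answer) that reads the VM's effective scopes from the metadata server and reports which of the app's two APIs no granted scope satisfies; it assumes, per the documentation the asker cites, that Cloud Tasks accepts cloud-platform or cloud-tasks, and that the legacy taskqueue scope is not one of them. Passing this check says nothing about IAM roles, which still have to be granted separately.

```python
"""Check a Compute Engine VM's OAuth scopes against what each Google API the app calls accepts."""
import urllib.request

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

# Scopes each API accepts. cloud-platform satisfies every API; the narrower
# scopes are the ones named in the question. Assumption from the thread: the
# legacy "taskqueue" scope does NOT satisfy the Cloud Tasks v2 API, which is
# why the asker's VM got "insufficient authentication scopes".
ACCEPTED_SCOPES = {
    "pubsub": {CLOUD_PLATFORM, "https://www.googleapis.com/auth/pubsub"},
    "cloudtasks": {CLOUD_PLATFORM, "https://www.googleapis.com/auth/cloud-tasks"},
}

# Constructed input: the scope list from the question, used when not on a VM.
QUESTION_SCOPES = [
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/pubsub",
    "https://www.googleapis.com/auth/service.management.readonly",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/taskqueue",
    "https://www.googleapis.com/auth/trace.append",
]


def fetch_instance_scopes(timeout=2.0):
    """Read the attached service account's effective scopes from the metadata
    server. Only reachable from inside a Compute Engine instance."""
    url = ("http://metadata.google.internal/computeMetadata/v1/"
           "instance/service-accounts/default/scopes")
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode()
    return {line.strip() for line in body.splitlines() if line.strip()}


def check_scopes(granted, needed_apis, accepted=ACCEPTED_SCOPES):
    """Return {api: sorted accepted scopes} for every needed API that none of
    the granted scopes satisfies. An empty dict means the scope half is fine."""
    granted = set(granted)
    return {api: sorted(accepted[api]) for api in needed_apis
            if not (granted & accepted[api])}


if __name__ == "__main__":
    try:
        scopes = fetch_instance_scopes()
    except OSError:  # not on a VM: fall back to the constructed list
        scopes = QUESTION_SCOPES
    for api, fix in check_scopes(scopes, ["pubsub", "cloudtasks"]).items():
        print(f"{api}: no accepted scope granted; add one of {fix}")
```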