Reputation: 30684
I'm following https://cloud.google.com/vision/docs/quickstart-cli
I've created a Google Cloud account, created a project, enabled Vision API, setup billing.
I now execute the cURL:
curl -X POST \
-H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-H "X-Goog-User-Project: dragon-ocr-324006" \
https://vision.googleapis.com/v1/images:annotate -d @request.json
I get the response:
{
"error": {
"code": 403,
"message": "Caller does not have required permission to use project dragon-ocr-324006. Grant the caller the Owner or Editor role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=dragon-ocr-324006 and then retry (propagation of new permission may take a few minutes).",
"status": "PERMISSION_DENIED",
"details": [
{
"@type": "type.googleapis.com/google.rpc.Help",
"links": [
{
"description": "Google developer console IAM admin",
"url": "https://console.developers.google.com/iam-admin/iam/project?project=dragon-ocr-324006"
}
]
},
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "USER_PROJECT_DENIED",
"domain": "googleapis.com",
"metadata": {
"consumer": "projects/dragon-ocr-324006",
"service": "vision.googleapis.com"
}
}
]
}
}
What does this mean? Who is the 'caller'?
When I do gcloud auth application-default login
it lets me log in as, I guess, the root user for my gcloud. And that must be the caller...?
So, I click that link, and get:
Permissions error... great! And now other pages give the same perms-error. So I have to repoint my browser to https://console.cloud.google.com/ and go in manually.
So, both root-user and project-user (if I got that right) have Owner permission.
So what is the problem?
Maybe my local machine doesn't have the updated profile for the project-user?
ok, so rm -rf ~/.config/gcloud
and gcloud auth application-default login
Quick test: gcloud auth application-default print-access-token
gives me an access token, great!
I rerun my crl.sh
script and get the same problem.
Now here's the kicker. I've got another gcloud account I just created today, and if I run it on that one, it completes fine!
So what am I doing wrong on the first account?
Upvotes: 2
Views: 5924
Reputation: 28938
I encountered a similar problem recently. The issue began when I attempted to log into a different Gmail account via my terminal. Initially, I was linked to a Google Cloud Platform (GCP) account associated with its specific email. Afterward, I switched to another GCP account, using its respective email. Following this change, I attempted to execute the following command:
gcloud auth application-default set-quota-project PROJECT_ID
And then I got the error below:
ERROR: (gcloud.auth.application-default.set-quota-project) User [[email protected]] does not have permission to access projects instance [my-kubernetes-project-546313:testIamPermissions] (or it may not exist): Caller does not have required permission to use project my-kubernetes-project-546313. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=my-kubernetes-project-546313 and then retry. Propagation of the new permission may take a few minutes.
- '@type': type.googleapis.com/google.rpc.Help
  links:
  - description: Google developer console IAM admin
    url: https://console.developers.google.com/iam-admin/iam/project?project=my-kubernetes-project-546313
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: googleapis.com
  metadata:
    consumer: projects/my-kubernetes-project-546313
    service: cloudresourcemanager.googleapis.com
  reason: USER_PROJECT_DENIED
Here's how I fixed this:
All I had to do was to run the auth login command with the new email using the command below:
gcloud auth login [email protected]
gcloud auth application-default login
References: missing role serviceusage.serviceUsageConsumer
Upvotes: 0
Reputation: 709
I had an almost similar issue when I was working on a Cloud Function in VS Code local development.
In my case Application Default Credentials (ADC) were pointing to a different service account which didn't have enough permissions.
I followed the below steps to resolve this issue:
Executed these commands (locally) in Google Cloud SDK Shell
First list the current configuration to verify the config values
gcloud config list
This will output:
[accessibility]
screen_reader = False
[core]
account = <service_account>@appspot.gserviceaccount.com
disable_usage_reporting = True
project = ProjectId
Then I had to run a command to list all Credentialed Accounts
gcloud auth list
This will output the service accounts and an asterisk (*) at the beginning of an account which is active.
If this active service account is different from what is expected, then you must
activate the respective service account by running the following command.
gcloud auth activate-service-account <different_service_account>@appspot.gserviceaccount.com --key-file=PATH_TO_SERVICE_ACCOUNT_KEY_FILE
More details can be found here
Then restarting the application resolved my issue.
Though this is not exactly the solution for this question, it may definitely help anyone who ran into this error.
Upvotes: 0
Reputation: 2217
Bear with me because you asked different questions :)
Who is the 'caller'? When I do gcloud auth application-default login it lets me log in as, I guess, root user for my gcloud. And that must be the caller...?
It's normal that the error message is not referring to a specific caller / identity. In fact, you are using an access token in your curl through gcloud auth application-default print-access-token. Access tokens are used to inform an API that the bearer of the token has been authorised to access the API. It doesn't hold any identity information.
That access token has been generated for you based on the credentials you already set up as default credentials. You get these credentials in 2 ways:
First: you run export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-file.json"
But I think you didn't use this since you didn't mention any key file.
Second: you run gcloud auth application-default login; you had to go through a web flow, and the credentials are generated and stored under ~/.config/gcloud/application_default_credentials.json
Third:
So, both root-user and project-user (if I got that right) have Owner permission.
ok, so rm -rf ~/.config/gcloud and gcloud auth application-default login
Here I understand that you changed the roles. So the initial role (set of permissions) given to the identity for which you generated the default credentials was not enough.
You gave both users a large set of permissions (the Owner role has almost all permissions). Then you regenerated the default credentials.
But it did not work, because as stated in the error message: (propagation of new permission may take a few minutes)
When you came back with a new account it did work because it was already set up with proper permissions. But if you retry with the old one it will work also, of course if you did not change its Owner role.
Upvotes: 2
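To make the "who is the caller" question from the original post concrete, here is an added check (my own example, not code from the question or any answer): it resolves the principal behind the ADC access token via Google's tokeninfo endpoint and asks the Resource Manager API's projects.testIamPermissions whether that principal holds serviceusage.services.use, the permission the 403 names. The `fetch` parameter, the `diagnose` function and the sample responses in the test are my own constructions; the tokeninfo response is assumed to include `email`, which it does when the token carries the userinfo.email scope (gcloud ADC user logins request it).

```python
"""Added example: resolve the ADC 'caller' and test the permission the
403 asks for. Not from the original question or answers."""
import json
import urllib.error
import urllib.request

TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"
CRM_URL = "https://cloudresourcemanager.googleapis.com/v1/projects"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Permission named in the error message on the page.
REQUIRED_PERMISSION = "serviceusage.services.use"


def http_json(url, token=None, body=None):
    """Minimal JSON HTTP helper (real network; replaced by a fake in tests)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:  # return the API's error body instead of raising
        return json.loads(err.read().decode() or "{}")


def diagnose(token, project, fetch=http_json):
    """Return who the bearer token belongs to and whether that principal holds
    serviceusage.services.use on `project`. fetch(url, token=None, body=None)
    is injectable so the logic can be exercised offline with constructed replies."""
    info = fetch(f"{TOKENINFO_URL}?access_token={token}")
    # tokeninfo exposes the principal only when the token has the userinfo.email scope.
    caller = info.get("email", "<unknown: token lacks email scope>")
    scopes = info.get("scope", "").split()
    # testIamPermissions needs no permission itself: it returns the subset actually held.
    result = fetch(f"{CRM_URL}/{project}:testIamPermissions", token=token,
                   body={"permissions": [REQUIRED_PERMISSION]})
    granted = REQUIRED_PERMISSION in result.get("permissions", [])
    return {
        "caller": caller,
        "has_cloud_platform_scope": CLOUD_PLATFORM_SCOPE in scopes,
        "can_use_project": granted,
        "fix": None if granted else
        f"grant {caller} roles/serviceusage.serviceUsageConsumer (or Owner/Editor) on {project}",
    }


if __name__ == "__main__":
    import subprocess, sys
    tok = subprocess.check_output(
        ["gcloud", "auth", "application-default", "print-access-token"], text=True).strip()
    print(json.dumps(diagnose(tok, sys.argv[1]), indent=2))
```

Run it as `python3 diagnose.py dragon-ocr-324006` with the same ADC credentials the curl uses; a `caller` that is not the account you granted Owner to, or `can_use_project: false`, points straight at the identity the error message leaves unnamed.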