Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authentication without using service account key for Datastore not working on GCE #1020

Closed
richardkazuomiller opened this issue Dec 14, 2015 · 14 comments
Closed

Authentication without using service account key for Datastore not working on GCE #1020

richardkazuomiller opened this issue Dec 14, 2015 · 14 comments
Assignees
@stephenplusplus
Labels
api: datastore Issues related to the Datastore API.

Comments

@richardkazuomiller
Copy link

I have a VM on Google Compute Engine that I'm trying to use to access Datastore but the server rejects the requests. I'm able to fiddle with the datastore on the control panel, so this should be working from the VM but I get ApiError: Unauthorized when trying to access it with gcloud-node. I'm guessing it would work if I used the key file but this issue probably needs fixing.

ApiError: Unauthorized
    at new util.ApiError (/srv/<my-app>/node_modules/gcloud/lib/common/util.js:92:10)
    at Object.parseHttpRespMessage (/srv/<my-app>/node_modules/gcloud/lib/common/util.js:134:33)
    at Request._callback (/srv/<my-app>/node_modules/gcloud/lib/datastore/request.js:813:31)
    at Request.self.callback (/srv/<my-app>/node_modules/request/request.js:198:22)
    at emitTwo (events.js:87:13)
    at Request.emit (events.js:172:7)
    at Request.<anonymous> (/srv/<my-app>/node_modules/request/request.js:1035:10)
    at emitOne (events.js:82:20)
    at Request.emit (events.js:169:7)
    at IncomingMessage.<anonymous> (/srv/<my-app>/node_modules/request/request.js:962:12)
@richardkazuomiller
Copy link
Author

Update: This definitely works with the service account key file, but the automagical option is broken for me.

@stephenplusplus stephenplusplus added api: compute Issues related to the Compute Engine API. auth api: datastore Issues related to the Datastore API. and removed api: compute Issues related to the Compute Engine API. labels Dec 14, 2015
@stephenplusplus
Copy link
Contributor

Thanks for reporting. @jgeewax @jonparrott should an automagical token work with Datastore requests?

@jgeewax
Copy link
Contributor

jgeewax commented Dec 14, 2015

Hey @richardkazuomiller , when you created the GCE machine, did you give it access to Datastore? In the UI you have to (I think) explicitly say "this instance can talk to Datastore auto-magically".

@jgeewax
Copy link
Contributor

jgeewax commented Dec 14, 2015

(@stephenplusplus: If this is the issue, we should add this to the docs on gcloud-common)

@theacodes
Copy link

@stephenplusplus to clarify, yes, the token from the metadata server should work for accessing everything. Provided, of course, that the instance was created with access to the appropriate scopes.

@richardkazuomiller can you tell us the scopes on your machine? You can do gcloud compute instances describe instance-name and it'll be under the serviceAccounts key.

@richardkazuomiller
Copy link
Author

The output is

serviceAccounts:
- email: <my-service-account-id>@developer.gserviceaccount.com
  scopes:
  - https://www.googleapis.com/auth/cloud-platform

Is my understanding that https://www.googleapis.com/auth/cloud-platform should mean the machine has full access to all Cloud APIs including datastore correct?

@dhermes
Copy link
Contributor

dhermes commented Dec 14, 2015

I seem to recall the email scope is needed as well (I don't have the full URI ATM, sorry)

@richardkazuomiller
Copy link
Author

Shouldn't the cloud-platform scope also allow access to that? I created the VM from the control panel with the Allow API access to all Google Cloud services in the same project box checked so if that's not the case I feel like that box should add that scope (´・ω・`)

@theacodes
Copy link

cloud-platform does not include email, some APIs need this scope for the time being.

It's also possible that cloud-platform != devstorage.full_control, so if adding email fails, try explicitly including devstorage.full_control.

@richardkazuomiller
Copy link
Author

Hmm, OK I'll try that but if that's the case I feel like checking the Allow API access to all Google Cloud services in the same project box should add the email scope. Since it's not directly related to this library, maybe this isn't the place to discuss that. If that's disabled for a security reason, then maybe put the scopes you need in the gcloud-node documentation.

@theacodes
Copy link

For datastore, it's very temporary. The next version of the API will not
require it.

On Mon, Dec 14, 2015 at 12:28 PM Ricky Miller notifications@github.com
wrote:

Hmm, OK I'll try that but if that's the case I feel like checking the Allow
API access to all Google Cloud services in the same project box should
add the email scope. Since it's not directly related to this library,
maybe this isn't the place to discuss that. If that's disabled for a
security reason, then maybe put the scopes you need in the gcloud-node
documentation.


Reply to this email directly or view it on GitHub
#1020 (comment)
.

@stephenplusplus
Copy link
Contributor

@richardkazuomiller did this do the trick?

@richardkazuomiller
Copy link
Author

@stephenplusplus Yes, I tried adding the permissions and was able to query Datastore without the key, but since I've already set up my production environment I think I'll be using the service key authentication method for now.

@stephenplusplus
Copy link
Contributor

That makes sense. The docs try to provide some guidance while setting up an instance (https://googlecloudplatform.github.io/gcloud-node/#/authentication), but it's not very helpful if you already have one. I'll close this out, but if you think we can do something better, let us know.

@sofisl sofisl mentioned this issue Jan 17, 2023
Merged
4 tasks
sofisl pushed a commit that referenced this issue Jan 17, 2023
@renovate-bot
chore(deps): update dependency jsdoc-fresh to v2 (#1020)
c011122 
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [jsdoc-fresh](https://github.com/googleapis/jsdoc-fresh) | [`^1.0.2` -> `^2.0.0`](https://renovatebot.com/diffs/npm/jsdoc-fresh/1.1.1/2.0.0) | [![age](https://badges.renovateapi.com/packages/npm/jsdoc-fresh/2.0.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/jsdoc-fresh/2.0.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/jsdoc-fresh/2.0.0/compatibility-slim/1.1.1)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/jsdoc-fresh/2.0.0/confidence-slim/1.1.1)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>googleapis/jsdoc-fresh</summary>

### [`v2.0.0`](https://github.com/googleapis/jsdoc-fresh/blob/HEAD/CHANGELOG.md#&#8203;200-httpsgithubcomgoogleapisjsdoc-freshcomparev111v200-2022-05-18)

[Compare Source](https://github.com/googleapis/jsdoc-fresh/compare/v1.1.1...v2.0.0)

##### ⚠ BREAKING CHANGES

-   update library to use Node 12 ([#&#8203;108](https://github.com/googleapis/jsdoc-fresh/issues/108))

##### Build System

-   update library to use Node 12 ([#&#8203;108](https://github.com/googleapis/jsdoc-fresh/issues/108)) ([e61c223](https://github.com/googleapis/jsdoc-fresh/commit/e61c2238db8900e339e5fe7fb8aea09642290182))

##### [1.1.1](https://www.github.com/googleapis/jsdoc-fresh/compare/v1.1.0...v1.1.1) (2021-08-11)

##### Bug Fixes

-   **build:** migrate to using main branch ([#&#8203;83](https://www.github.com/googleapis/jsdoc-fresh/issues/83)) ([9474adb](https://www.github.com/googleapis/jsdoc-fresh/commit/9474adbf0d559d319ff207397ba2be6b557999ac))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 9am and before 3pm" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/googleapis/nodejs-vision).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@stephenplusplus stephenplusplus

Labels
api: datastore Issues related to the Datastore API.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jgeewax @theacodes @dhermes @stephenplusplus @richardkazuomiller