how to authenticate on a google compute instance?

[jasonswearingen]

From the docs It says that no authentication is needed if running on a google compute instance.

however when I try to access datastore, I get a *_401 unauthorized *_error.

there isn't any error being output, so the best I can do is a blurb i get output from a promise-wrapped callback:

................"code":401,"message":"Unauthorized","response":{"statusCode":401,"body":{"type":"Buffer","data":[73,110,118,97,108,105,100,32,67,114,101,100,101,110,116,105,97,108,115]},"headers":{"vary":"X-Origin, Ori
gin,Accept-Encoding","www-authenticate":"Bearer realm=\"https://accounts.google.com/\", error=invalid_token","content-type":"text/html; charset=UTF-8","date":"Fri, 18 Mar 2016 00:24:22 GMT","expires":"Fri, 18 Mar 2016 00:24:22 GMT","cache-c
ontrol":"private, max-age=0","x-content-type-options":"nosniff","x-frame-options":"SAMEORIGIN","x-xss-protection":"1; mode=block","server":"GSE","alternate-protocol":"443:quic,p=1","alt-svc":"quic=\":443\"; ma=2592000; v=\"31,30,29,28,27,26
,25\"","accept-ranges":"none","connection":"close"},"request":{"uri":{"protocol":"https:","slashes":true,"auth":null,"host":"www.googleapis.com","port":443,"hostname":"www.googleapis.com","hash":null,"search":null,"query":null,"pathname":"/
datastore/v1beta2/datasets/phantomjscloud-20160125/lookup".................

in there I see "invalid_token" also... no other really meaningful info is reported unfortunately.

Is there something I'm missing? in my local dev environment I pass a key in .json format to authenticate and that works great (and works on google compute), but I don't really want to put a read/write key on my production server in case it gets hacked.

[stephenplusplus]

Is it possible the GCE instance wasn't created with the proper scopes granted? Reference doc: https://googlecloudplatform.github.io/gcloud-node/#/docs/v0.29.0/guides/authentication

[jasonswearingen]

I used the console gui to choose the scope parameters, selecting "full api access"
that ended up with a gcloud commandline parameter of:
--scopes 853031807592-compute@developer.gserviceaccount.com="https://www.googleapis.com/auth/cloud-platform"
I'm not sure what that means, but it matches the "All APIs" scope in the link you sent, and checking the console gui, I see this detail regarding permissions in the instance:

Cloud API access scopes
This instance has full API access to all Google Cloud services.

so it looks to be set right....

[stephenplusplus]

Okay, thanks for checking. I'll try to reproduce.

[jasonswearingen]

the problem is still occuring, but in case it helps, here's my full command-line for creating the GCE instance:

FYI I see that there was an update to gcloud gui console, so now instead of explicitly naming the scope account it uses "default".

gcloud compute --verbosity error --project ""phantomjscloud-20160125"" instances create "deploy-pjsc-dashboard-20160318-3" --machine-type "n1-highcpu-2" --network "default" --maintenance-policy "MIGRATE" --scopes default="https://www.googleapis.com/auth/cloud-platform" --tags "http-server","https-server" --image "https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/images/ubuntu-1404-trusty-v20160314" --boot-disk-size "15" --boot-disk-type "pd-ssd" --boot-disk-device-name "deploy-pjsc-dashboard-20160318-3" --verbosity error

Also, ironically, I can actually disable using the .json key on my windows dev machine and authentication with the datastore works, I assume because I installed the google-cloud-sdk locally.

also FYI this is my gcloud-node initialization code, In case it matters if I initialize datastore explicitly

let datastore = gcloud({projectId:projectId}).datastore;

[stephenplusplus]

Okay, I've traced down the problem. Datastore requires the userinfo.email scope, which isn't included inside cloud-platform. If you create the instance with the Cloud Datastore and User info scopes added (you'll have to select it manually), bye bye 401!

[stephenplusplus]

Related: #815 (comment)

[jasonswearingen]

fyi i tested this, and userinfo.email scope is not sufficient. you also need datastore scope explicitly defined.

as per the following gcloud command line args:

--scopes default="https://www.googleapis.com/auth/cloud-platform","https://www.googleapis.com/auth/userinfo.email","https://www.googleapis.com/auth/datastore"

[stephenplusplus]

Yes, that's correct. Thanks for bringing this up so we can hopefully avoid the confusion the next time.