使用Google API的认证范围错误不足 [英] Insufficient authentication scopes error using Google API

问题描述

我将Google SDK设置为通过应用程序默认凭据。对于我的本地机器，创建了凭据json文件并将其路径设置为 GOOGLE_APPLICATION_CREDENTIALS 作为环境变量。然而，当应用程序部署到Google Cloud VM时，它会引发以下错误：

  [Google_Service_Exception] 
 {
error：{
code：403，
message ：请求的认证范围不足，
错误：[
 {
message：请求的认证范围不足。，
domain：全球，
原因：禁止
} 
]，
status：PERMISSION_DENIED
} 
} 
  

根据文档，内置服务帐户应该与虚拟机实例相关联。为了使它工作，我试图使用凭据json文件，就像我在本地机器上（它工作正常），但它也没有工作。

要注意，错误消息是关于范围但不是授权问题。如何使它在Compute Engine VM实例上工作？

给客户端初始化代码：

  $ client = new Google_Client（）; 
 $ client-> useApplicationDefaultCredentials（）; 
 $ client-> addScope（Google_Service_Pubsub :: PUBSUB）; 
  

解决方案

事实证明，我必须启用Cloud API访问Google云端控制台上有关VM实例详细信息的服务范围： https://console.cloud.google。 com / compute / instances

不幸的是，我无法改变它，因为Google Cloud暂时不支持它。我不得不启动一个新实例来启用服务API访问。
https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/13101552-ability-to-change-cloud-api-access-scopes-on-launc

I set up Google SDK to use Google API with Application Default Credentials. For my local machine, created a credentials json file and set its path as GOOGLE_APPLICATION_CREDENTIALS as environment variable. This is worked as expected without a problem.

However, when the app is deployed to Google Cloud VM, it throws the following error:

[Google_Service_Exception]                                             
{                                                                      
    "error": {                                                           
      "code": 403,                                                       
      "message": "Request had insufficient authentication scopes.",      
      "errors": [                                                        
        {                                                                
          "message": "Request had insufficient authentication scopes.",  
          "domain": "global",                                            
          "reason": "forbidden"                                          
        }                                                                
      ],                                                                 
      "status": "PERMISSION_DENIED"                                      
    }                                                                    
}

According to the documentation, the built-in service account should be associated with the virtual machine instance. To make it work, I tried to use credentials json file as I did on local machine (which worked fine) but it didn't work either.

To note, the error message is about scopes but not auth problem. What to do to make it work on Compute Engine VM instance?

To give client initialisation code:

$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->addScope(Google_Service_Pubsub::PUBSUB);

解决方案

It turned out that I had to enable Cloud API access scope for the services on Google Cloud Console for VM instance details: https://console.cloud.google.com/compute/instances

Unfortunately, I couldn't changed it because Google Cloud doesn't support it for now. I had to start a new instance to enable a service API access. https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/13101552-ability-to-change-cloud-api-access-scopes-on-launc

这篇关于使用Google API的认证范围错误不足的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！