使用 Google API 时出现身份验证范围不足错误 [英] Insufficient authentication scopes error using Google API

问题描述

我设置了 Google SDK 以将 Google API 与应用程序默认凭据.对于我的本地机器，创建了一个凭据 json 文件并将其路径设置为 GOOGLE_APPLICATION_CREDENTIALS 作为环境变量.这按预期工作没有问题.

I set up Google SDK to use Google API with Application Default Credentials. For my local machine, created a credentials json file and set its path as GOOGLE_APPLICATION_CREDENTIALS as environment variable. This is worked as expected without a problem.

但是，当应用部署到 Google Cloud 虚拟机时，它会抛出以下错误:

However, when the app is deployed to Google Cloud VM, it throws the following error:

[Google_Service_Exception]                                             
{                                                                      
    "error": {                                                           
      "code": 403,                                                       
      "message": "Request had insufficient authentication scopes.",      
      "errors": [                                                        
        {                                                                
          "message": "Request had insufficient authentication scopes.",  
          "domain": "global",                                            
          "reason": "forbidden"                                          
        }                                                                
      ],                                                                 
      "status": "PERMISSION_DENIED"                                      
    }                                                                    
}

根据文档，内置服务帐户应该与虚拟机实例相关联.为了使其工作，我尝试使用凭据 json 文件，就像我在本地机器上所做的那样(工作正常)，但它也不起作用.

According to the documentation, the built-in service account should be associated with the virtual machine instance. To make it work, I tried to use credentials json file as I did on local machine (which worked fine) but it didn't work either.

请注意，错误消息与范围有关，但与身份验证问题无关.如何使其在 Compute Engine 虚拟机实例上运行?

To note, the error message is about scopes but not auth problem. What to do to make it work on Compute Engine VM instance?

给客户端初始化代码:

$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->addScope(Google_Service_Pubsub::PUBSUB);

推荐答案

更新

现在支持了.您必须停止实例才能更改 API 范围.https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes

Now it is supported. You have to stop instance in order to change API scope. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes

原答案

事实证明，我必须为 Google Cloud Console 上的服务启用 Cloud API 访问范围以获取 VM 实例详细信息:https://console.cloud.google.com/compute/instances

It turned out that I had to enable Cloud API access scope for the services on Google Cloud Console for VM instance details: https://console.cloud.google.com/compute/instances

很遗憾，我无法更改它，因为 Google Cloud 目前不支持它.我必须启动一个新实例才能启用服务 API 访问.https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/13101552-ability-to-change-cloud-api-access-scopes-on-launc

Unfortunately, I couldn't changed it because Google Cloud doesn't support it for now. I had to start a new instance to enable a service API access. https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/13101552-ability-to-change-cloud-api-access-scopes-on-launc

这篇关于使用 Google API 时出现身份验证范围不足错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！