Insufficient Permission with Appengine Flex service account to access Drive folder
I have written an application that uses all the clients/sdks as officially documented. credentials = GoogleCredentials \ .get_application_default() \ .create_scoped('https://www.googleapis.com/auth/drive') drive = discovery.build( 'drive', 'v3', http=self.credentials.authorize(Http()) ) drive.files() \ .get(fileId=file_id) \ .execute() It works perfect in local with a Service Account generated from the panel, but when I deploy the application, the service account within AppEngine flexible environment runs into problems. 17:15:04.000 /env/lib/python3.4/site-packages/oauth2client/contrib/gce.py:99: UserWarning: You have requested explicit scopes to be used with a GCE service account. 17:15:04.000 Using this argument will have no effect on the actual scopes for tokens 17:15:04.000 requested. These scopes are set at VM instance creation time and 17:15:04.000 can't be overridden in the request. 17:15:04.000 17:15:04.000 warnings.warn(_SCOPES_WARNING) 17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/drive/v3/rest 17:15:04.000 INFO:oauth2client.client:Attempting refresh to obtain initial access_token 17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json 17:15:04.000 ERROR:root:Failed to retrieve file 0B0K....M1pBNFE. Is it shared with me? project-id#appspot.gserviceaccount.com 17:15:04.000 Traceback (most recent call last): 17:15:04.000 File "/home/vmagent/app/script.py", line 45, in get 17:15:04.000 .execute() 17:15:04.000 File "/env/lib/python3.4/site-packages/oauth2client/util.py", line 135, in positional_wrapper 17:15:04.000 return wrapped(*args, **kwargs) 17:15:04.000 File "/env/lib/python3.4/site-packages/googleapiclient/http.py", line 760, in execute 17:15:04.000 raise HttpError(resp, content, uri=self.uri) 17:15:04.000 googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json returned "Insufficient Permission"> I have checked the permissions and they are all set. The problem is probably due to the "Using this argument will have no effect..." message, that appears when trying to create the scoped credentials.
As you've mentioned in a prior comment, this is a known issue. As described by araf...#google.com, it seems that App Engine instances in the flexible environment assume the credentials of the uderlying GCE VM as the application default credentials. As a workaround in the meantime, you can use a manually created service account exported as a JSON key stored in your app, as per Using OAuth 2.0 for Server to Server Applications. For anyone affected by this issue or for whom the workaround is ineffective, please post any relevant information on said issue.
Get entities containing specific value - objectify
Google AppEngine ClientId and Client Secrets
Which SDK Version Does Appengine Use in Production
can not figure out relation between yaml and main page handler in google app engine
NoClassDefFoundError when adding new font in iText on AppEngine
Facebook login in Google Cloud Endpoints
To share a local host for go gae?
App-engine: JAX-RS with Jersey no working
Bi-directional one-to-many relationship in google app engine using JPA
How to check if field with value None is stored in datastore or not stored at all?
DeadlineExceededError in self.response.write
Google Drive invalid credentials
Google App Engine endpointscfg.py command starting 1.8.6 does not accept argument -f
Google Checkout Order Report API -> Google Wallet analog?
Access Denied exception when using google-api-java-client
Exception on trying to access the entity using key in GAE datastore