Insufficient Permission with Appengine Flex service account to access Drive folder


I have written an application that uses all the clients/sdks as officially documented.
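    from googleapiclient import discovery
    from httplib2 import Http
    from oauth2client.client import GoogleCredentials

    # Application default credentials, with the Drive scope requested explicitly
    credentials = GoogleCredentials \
        .get_application_default() \
        .create_scoped('https://www.googleapis.com/auth/drive')
    drive = discovery.build(
        'drive',
        'v3',
        http=credentials.authorize(Http())
    )
    # file_id is the ID of the Drive file being fetched
    drive.files() \
        .get(fileId=file_id) \
        .execute()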
It works perfectly locally with a Service Account generated from the panel, but when I deploy the application, the service account within the AppEngine flexible environment runs into problems.
17:15:04.000 /env/lib/python3.4/site-packages/oauth2client/contrib/gce.py:99: UserWarning: You have requested explicit scopes to be used with a GCE service account.
17:15:04.000 Using this argument will have no effect on the actual scopes for tokens
17:15:04.000 requested. These scopes are set at VM instance creation time and
17:15:04.000 can't be overridden in the request.
17:15:04.000
17:15:04.000 warnings.warn(_SCOPES_WARNING)
17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/drive/v3/rest
17:15:04.000 INFO:oauth2client.client:Attempting refresh to obtain initial access_token
17:15:04.000 INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json
17:15:04.000 ERROR:root:Failed to retrieve file 0B0K....M1pBNFE. Is it shared with me? project-id#appspot.gserviceaccount.com
17:15:04.000 Traceback (most recent call last):
17:15:04.000 File "/home/vmagent/app/script.py", line 45, in get
17:15:04.000 .execute()
17:15:04.000 File "/env/lib/python3.4/site-packages/oauth2client/util.py", line 135, in positional_wrapper
17:15:04.000 return wrapped(*args, **kwargs)
17:15:04.000 File "/env/lib/python3.4/site-packages/googleapiclient/http.py", line 760, in execute
17:15:04.000 raise HttpError(resp, content, uri=self.uri)
17:15:04.000 googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/drive/v3/files/0B0Kn....M1pBNFE?alt=json returned "Insufficient Permission">
I have checked the permissions and they are all set. The problem is probably due to the "Using this argument will have no effect..." message that appears when trying to create the scoped credentials.
As you've mentioned in a prior comment, this is a known issue. As described by araf...#google.com, it seems that App Engine instances in the flexible environment assume the credentials of the underlying GCE VM as the application default credentials.
As a workaround in the meantime, you can use a manually created service account exported as a JSON key stored in your app, as per Using OAuth 2.0 for Server to Server Applications.
For anyone affected by this issue or for whom the workaround is ineffective, please post any relevant information on said issue.
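The workaround from the answer above, as an added example (not the poster's or Google's code): it reads the scope list that is fixed on the VM, falls back to an exported JSON key when the Drive scope is missing, and reports which account the file must be shared with. `KEY_PATH`, the helper names and the sample scope list are assumptions made for illustration; the sample data is constructed.

```python
import json
import urllib.request

DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"
# GCE metadata endpoint that lists the scopes fixed at VM creation time.
SCOPES_URL = ("http://metadata.google.internal/computeMetadata/v1/"
              "instance/service-accounts/default/scopes")
KEY_PATH = "service-account-key.json"  # assumption: hypothetical deploy path
# Constructed sample of a metadata response that lacks the Drive scope.
SAMPLE_VM_SCOPES = ("https://www.googleapis.com/auth/cloud-platform\n"
                    "https://www.googleapis.com/auth/userinfo.email\n")


def fetch_vm_scopes(timeout=2):
    """Ask the metadata server which scopes the VM's tokens carry."""
    req = urllib.request.Request(SCOPES_URL,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def vm_has_scope(scopes_text, required=DRIVE_SCOPE):
    """True if the VM's fixed scope list contains the required scope."""
    return required in scopes_text.split()


def key_identity(path=KEY_PATH):
    """Validate an exported key; return the e-mail to share the file with."""
    with open(path) as fh:
        info = json.load(fh)
    if info.get("type") != "service_account" or not info.get("private_key"):
        raise ValueError("not a service account key: " + path)
    return info["client_email"]


def build_drive(scopes_text, key_path=KEY_PATH):
    """Use default credentials only if the VM scope list allows Drive."""
    # Imported here so the helpers above work without the Google libraries.
    from googleapiclient import discovery
    from httplib2 import Http
    from oauth2client.client import GoogleCredentials
    from oauth2client.service_account import ServiceAccountCredentials
    if vm_has_scope(scopes_text):
        creds = GoogleCredentials.get_application_default()
    else:
        creds = ServiceAccountCredentials.from_json_keyfile_name(
            key_path, scopes=[DRIVE_SCOPE])
    return discovery.build("drive", "v3", http=creds.authorize(Http()))
```

On the instance, call `build_drive(fetch_vm_scopes())` and share the Drive folder with the address `key_identity()` returns, because the key belongs to a different account than the App Engine default one. The key file is a long-lived credential, so keep it out of source control and request a narrower scope if the application only reads files.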
