Cloud functions Export/Import - A Forbidden error was returned while attempting to retrieve an access token for the Compute Engine built-in service account. #532
Comments
Greetings! This is a bit of a tricky one. When I try this out for myself, everything seems to work. Can you double check the permissions on the service account you're using to run your cloud function? Is it using the default App Engine service account?

@JustinBeckwith I'm having the exact same issue and my function uses the default App Engine service account which has the Project Editor role enabled.
I also this evening spent a while trying to figure out the other variant of this error when running in CloudFunctions:
It took me a while to realise the issue was actually nothing at all to do with the access token: I had actually entered the wrong API URL. Fixing that URL solved the problem. It looks like https://github.com/googleapis/google-auth-library-nodejs/blob/master/src/auth/computeclient.ts#L92 is potentially firing on any 403/404 rather than just ones related to getting a token?

I don't enter the URL manually though, but rather call the export endpoint like this:

```javascript
// Export call as posted (googleapis client, firestore namespace)
firestore.projects.databases.exportDocuments({
  name: `projects/${projectId}/databases/${projectId}`,
  requestBody: { "outputUriPrefix": `gs://${backupBucket}` }
})
```

And I've added these scopes:

```javascript
// Scopes requested on the auth client
scopes: [
  'https://www.googleapis.com/auth/cloud-platform',
  'https://www.googleapis.com/auth/datastore',
  'https://www.googleapis.com/auth/compute'
],
```

And as mentioned it works just fine when running the function locally.
I also tried changing the name part to

@JustinBeckwith I'm having the same issue when running from functions, oddly when I download the json file, set env, and make the same call locally I'm getting "The caller does not have permission". This is using the json key file from the App Engine service account. I've tried using the client.request() method as well as the exportDocuments method within the firestore namespace in googleapis. Both yield the same result.

@torbjornvatn the Project Editor role, and therefore the default App Engine service account, is not enough to perform backups. Try going into IAM and adding the Cloud Datastore Import Export Admin role to your App Engine service account. This fixed the issue for me.

Greetings folks! I suspect the problem y'all are running into is independent of this library. It sounds like a case of trying to use an API that the service account doesn't have access to. If you're still running into issues, please do let me know! Otherwise, I'm closing this out for now.

@JustinBeckwith the root cause is the absence of permissions on the service account, or in my case just using the wrong URL for an API. But per my comment above, the problem is that this library at https://github.com/googleapis/google-auth-library-nodejs/blob/master/src/auth/computeclient.ts#L92 discards any error message returned from the API. Instead, for all 403 or 404 responses it just returns a generic message about an error. This causes confusion and means the user doesn't see the actual error returned by the API (which I think in the case of a 403 usually mentions the permission that is required). I spent a lot of time trying to debug permissions things before I realised I'd just got a typo in the URL.

I'll second what @acoulton said. The discarding of any error messages from the API makes mistakes really hard to debug.

A workaround I found is to use the

Thanks for sticking with me here folks. I submitted #668, which should do a better job of surfacing the underlying exception. I think this is the last of the exceptions we were eating and not re-throwing in the code base.

Brilliant, thanks @JustinBeckwith

I needed the "Cloud Datastore Owner" role in order to get it working.
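The complaint in this thread is that a client which maps every 403/404 to one generic "Forbidden error ... access token" message makes a missing IAM role indistinguishable from a typo in the request URL. The following is an added example written for this page; it is not code from google-auth-library-nodejs, from #668, or from anyone in the thread. It places the swallowing pattern beside a wrapper that preserves the HTTP status and the API's own error body (while never including the bearer token in the thrown error). `mockFetch`, `SAMPLE_RESPONSES`, the `example.invalid` URLs and the response bodies are all constructed stand-ins, not captured output from Google APIs.

```javascript
// Added example, not the library's code. Demonstrates why collapsing all
// 403/404 responses into one generic message hides the real diagnostic,
// and how a wrapper can surface status + API message instead.

// Constructed sample responses (not real API output): one request that is
// missing an IAM role (403) and one whose URL has a typo (404).
const PERMISSION_URL =
  'https://example.invalid/v1/projects/demo/databases/demo:exportDocuments';
const TYPO_URL =
  'https://example.invalid/v1/projects/demo/databases/demo:exprotDocuments';

const SAMPLE_RESPONSES = {
  [PERMISSION_URL]: {
    status: 403,
    body: JSON.stringify({ error: { code: 403,
      message: 'The caller does not have permission', status: 'PERMISSION_DENIED' } }),
  },
  [TYPO_URL]: {
    status: 404,
    body: JSON.stringify({ error: { code: 404,
      message: 'Requested entity was not found', status: 'NOT_FOUND' } }),
  },
};

// Minimal stand-in for a fetch-style HTTP client so the example runs offline.
async function mockFetch(url) {
  const entry = SAMPLE_RESPONSES[url] || { status: 404, body: 'not found' };
  return {
    status: entry.status,
    ok: entry.status >= 200 && entry.status < 300,
    text: async () => entry.body,
  };
}

// "Before": the pattern the thread complains about. Any 403/404 becomes a
// single generic message and the response body is discarded.
async function callGeneric(fetchImpl, url) {
  const res = await fetchImpl(url);
  if (res.status === 403 || res.status === 404) {
    throw new Error('A Forbidden error was returned while attempting to retrieve an access token.');
  }
  return res.text();
}

// "After": keep the status and the API's own message on the thrown error so an
// operator can tell "grant a role" apart from "fix the URL". The error carries
// only status/message/URL; credentials and Authorization headers are never
// copied into it, so logging the error does not leak a token.
class ApiError extends Error {
  constructor(status, apiMessage, apiStatus, url) {
    super(`HTTP ${status} from ${url}: ${apiMessage}${apiStatus ? ` (${apiStatus})` : ''}`);
    this.name = 'ApiError';
    this.status = status;
    this.apiMessage = apiMessage;
    this.apiStatus = apiStatus;
  }
}

async function callSurfacing(fetchImpl, url) {
  const res = await fetchImpl(url);
  const text = await res.text();
  if (!res.ok) {
    let apiMessage = text;
    let apiStatus;
    try {
      // Google-style error bodies look like {"error": {"message": ..., "status": ...}}
      const parsed = JSON.parse(text);
      if (parsed && parsed.error) {
        apiMessage = parsed.error.message || text;
        apiStatus = parsed.error.status;
      }
    } catch (_) {
      // Body was not JSON; keep the raw text as the message.
    }
    throw new ApiError(res.status, apiMessage, apiStatus, url);
  }
  return text;
}

// Runs one wrapper against the mock client and returns the error it produced
// (or null on success), so the two behaviours can be compared side by side.
async function errorFrom(fn, url) {
  try {
    await fn(mockFetch, url);
    return null;
  } catch (e) {
    return e;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  (async () => {
    for (const url of [PERMISSION_URL, TYPO_URL]) {
      console.log('generic  :', (await errorFrom(callGeneric, url)).message);
      console.log('surfacing:', (await errorFrom(callSurfacing, url)).message);
    }
  })();
}
```

Run with `node` to see that `callGeneric` prints the identical message for both requests, while `callSurfacing` reports `PERMISSION_DENIED` for the first and `NOT_FOUND` for the second, which is exactly the distinction the commenters above were missing.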
I am trying to generate a snapshot of my Firestore database, while running the following code inside a Cloud Function, I receive a "Forbidden Error".
From my side, I can't see anything else in my request that needs to be added.
Could someone please clarify what it actually means?
Environment details

google-auth-library version: 2.0.1