403 "Request had insufficient authentication scopes" during gcloud container cluster get-credentials

3/10/2016

From a VM in GCE, I did the following

gcloud auth activate-service-account --key-file <blah>
# "blah" is a service account key file (JSON) I generated from the web interface
gcloud config set project <project-name>
gcloud config set compute/zone <zone-name>
gcloud set container/cluster <cluster-name>

Then when I tried to run

gcloud container clusters get-credentials <cluster-name>

and it failed with the error message:

Error message: "ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Request had insufficient authentication scopes."

The VM is on the same network as the GKE cluster. I tried the same thing, with the same service account key file from a machine outside GCE, against a GKE cluster on the "default" network and it succeeded...

-- Shanqing Cai
google-cloud-platform
google-kubernetes-engine

3 Answers

3/11/2016

To use the Google Kubernetes Engine API from a GCE virtual machine you need to add the cloud platform scope ("https://www.googleapis.com/auth/cloud-platform") to your VM when it is created.

-- Robert Bailey
Source: StackOverflow

12/15/2018

If you are using The Google Kubernetes Engine API from a VM in GCP. You first need to add required scope at vm level https://www.googleapis.com/auth/projecthosting,cloud-platform. This can be done by GCP console as well. Stop the VM instance then go to edit option and at the end you will find Cloud API access scopes.

-- Abhishek Srivastava
Source: StackOverflow

6/13/2019

Step 1 : gcloud init

Step 2 : Select [2] Create a new configuration

Step 3 : Enter configuration name. Names start with a lower case letter and contain only lower case letters a-z, digits 0-9, and hyphens '-': kubernetes-service-account

Step 4 : Choose the account you would like to use to perform operations for this configuration:[2] Log in with a new account

Step 5 : Do you want to continue (Y/n)? y

Step 6 : Copy paste the link to brwoser and login with the ID which is used to create your google Cloud Account

Step 7 : Copy the verification code provided by google after login and paste it in to the console.

Step 8 : Pick cloud project to use:

Step 9: Do you want to configure a default Compute Region and Zone? (Y/n)? y

Step 10 : Please enter numeric choice or text value (must exactly match list item): 8

Your Google Cloud SDK is configured and ready to use!

Once this is done, make sure the service account configured for the VM has permissions to do the required tasks.

-- Robin Varghese
Source: StackOverflow