Google cloud: insufficient authentication scopes

5/10/2018

I am having difficulties sending requests to my Spring Boot application deployed in my Google Cloud Kubernetes cluster. My application receives a photo and sends it to the Google Vision API. I am using the provided client library (https://cloud.google.com/vision/docs/libraries#client-libraries-install-java) as explained here https://cloud.google.com/vision/docs/auth:

If you're using a client library to call the Vision API, use Application Default Credentials (ADC). Services using ADC look for credentials within a GOOGLE_APPLICATION_CREDENTIALS environment variable. Unless you specifically wish to have ADC use other credentials (for example, user credentials), we recommend you set this environment variable to point to your service account key file.

On my local machine everything works fine: I have a Docker container with an environment variable GOOGLE_APPLICATION_CREDENTIALS pointing to my service account key file.

I do not have this variable in my cluster. This is the response I am getting from my application in the Kubernetes cluster:

{
    "timestamp": "2018-05-10T14:07:27.652+0000",
    "status": 500,
    "error": "Internal Server Error",
    "message": "io.grpc.StatusRuntimeException: PERMISSION_DENIED: Request had insufficient authentication scopes.",
    "path": "/image"
}

What am I doing wrong? Thx in advance!

-- Jdruwe
google-cloud-platform
google-vision
kubernetes

3 Answers

5/11/2018

Will it help if you add the GOOGLE_APPLICATION_CREDENTIALS environment variable to your deployment/pod/container configuration?

Here is an example of setting environment variables described in the Kubernetes documentation:

apiVersion: v1
kind: Pod
metadata:
  name: envar-demo
  labels:
    purpose: demonstrate-envars
spec:
  containers:
  - name: envar-demo-container
    image: gcr.io/google-samples/node-hello:1.0
    env:
    - name: DEMO_GREETING
      value: "Hello from the environment"
    - name: DEMO_FAREWELL
      value: "Such a sweet sorrow"
-- VAS
Source: StackOverflow

5/10/2018

That means you are trying to access a service that is not enabled or authenticated to use. Are you sure that you enabled the access to Google Vision?

You can check/enable APIs from the Dashboard at https://console.cloud.google.com/apis/dashboard or navigate to APIs & Services from the menu.

-- ExtractTable.com
Source: StackOverflow

5/11/2018

I also had to specify the GOOGLE_APPLICATION_CREDENTIALS environment variable on my GKE setup. These are the steps I completed thanks to "How to set GOOGLE_APPLICATION_CREDENTIALS on GKE running through Kubernetes":

1. Create the secret (in my case in my deploy step on Gitlab):

kubectl create secret generic google-application-credentials --from-file=./application-credentials.json

2. Set up the volume:

...
volumes:
- name: google-application-credentials-volume
  secret:
    secretName: google-application-credentials
    items:
    - key: application-credentials.json # default name created by the create secret from-file command
      path: application-credentials.json

3. Set up the volume mount:

spec:
  containers:
  - name: my-service
    volumeMounts:
    - name: google-application-credentials-volume
      mountPath: /etc/gcp
      readOnly: true

4. Set up the environment variable:

spec:
  containers:
  - name: my-service
    env:
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: /etc/gcp/application-credentials.json
-- Jdruwe
Source: StackOverflow
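
The four steps in the last answer only work when the variable's path, the volume mount and the secret's projected file name all agree. The check below is an added example, not part of the original answers: it takes a pod spec as a parsed dict (for instance from `kubectl get deployment ... -o json`) and reports where that wiring breaks. The names `check_adc_wiring` and `_relative_to` and both sample specs are constructed for illustration.

```python
ADC_VAR = "GOOGLE_APPLICATION_CREDENTIALS"

def _relative_to(key_path, mount_path):
    """Path of key_path inside mount_path, or None if it lies outside."""
    base = mount_path.rstrip("/") + "/"
    return key_path[len(base):] if key_path.startswith(base) else None

def check_adc_wiring(pod_spec):
    """List problems with how each container in a pod spec receives its key file."""
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    problems = []
    for c in pod_spec.get("containers", []):
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        key_path = env.get(ADC_VAR)
        if not key_path:
            problems.append(f"{c['name']}: {ADC_VAR} is not set")
            continue
        hits = [(m, _relative_to(key_path, m["mountPath"])) for m in c.get("volumeMounts", [])]
        mount, rel = next(((m, r) for m, r in hits if r), (None, None))
        if mount is None:
            problems.append(f"{c['name']}: {key_path} is not under any volumeMount")
            continue
        secret = volumes.get(mount["name"], {}).get("secret")
        if secret is None:
            problems.append(f"{c['name']}: volume {mount['name']} is not a Secret volume")
            continue
        # With an items list, only the listed paths appear in the mount.
        items = secret.get("items")
        if items is not None and rel not in [i["path"] for i in items]:
            problems.append(f"{c['name']}: secret does not project {rel}")
        if not mount.get("readOnly"):
            problems.append(f"{c['name']}: key file mount is not readOnly")
    return problems

# Constructed sample: the pod spec from steps 2-4 above, as a parsed dict.
VOLUME = {"name": "google-application-credentials-volume",
          "secret": {"secretName": "google-application-credentials",
                     "items": [{"key": "application-credentials.json",
                                "path": "application-credentials.json"}]}}
GOOD = {"volumes": [VOLUME], "containers": [{
    "name": "my-service",
    "volumeMounts": [{"name": VOLUME["name"], "mountPath": "/etc/gcp", "readOnly": True}],
    "env": [{"name": ADC_VAR, "value": "/etc/gcp/application-credentials.json"}]}]}
# Constructed variant: the variable names a file the secret does not project.
BAD = {"volumes": [VOLUME], "containers": [{
    "name": "my-service",
    "volumeMounts": [{"name": VOLUME["name"], "mountPath": "/etc/gcp"}],
    "env": [{"name": ADC_VAR, "value": "/etc/gcp/key.json"}]}]}
```

When the secret volume has no `items` list, the file names come from the Secret's own keys, which this check cannot see from the pod spec alone, so it skips the file-name comparison in that case.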