I'm developing an application on GKE which has a logging function using Stackdriver Logging.
Now I'm encountering a problem as described below.
【logs】
https://logging.googleapis.com/v2/entries:write?alt=json returned "User unauthorized to access 209122328335">
The log shown above is output at the point marked (★).
def __logging_v1(self):
    def create_service():
        from oauth2client.client import GoogleCredentials
        credentials = GoogleCredentials.get_application_default()
        print(credentials.service_account_email)  # ☆
        from googleapiclient import discovery
        return discovery.build('logging',
                               'v2',
                               discoveryServiceUrl=discovery.V2_DISCOVERY_URI,
                               credentials=credentials,
                               cache_discovery=False)

    body = self.__get_body()
    req = create_service().entries().write(body=body)
    try:
        req.execute()
    except Exception as err:
        # for system-log to detect an abnormality
        print('StackDriver AlertTag')
        print(err)  # ★Here
At point (☆), I confirmed that the designated service account is the one that is mounted on the container as a secret key and has some roles (■1) set by IAM.
■1
App Engine manager
BigQuery manager
Stackdriver Debugger agent
Stackdriver Profiler agent
Cloud SQL manager
Cloud Taskmanager
Cloud Trace manager
Compute manager
Cloud Datastore index manager
Cloud Datastore owner
Error Reporting manager
Logging manager
Monitoring manager
Pub/Sub manager
Service Management manager
Service controller
Source Repository manager
Stackdriver Account editor
Storage manager
Other conditions:
1) Valid API Service
Compute Engine API
Stackdriver Logging API
Stackdriver Monitoring API
BigQuery API
Cloud Build API
Cloud Datastore API
Cloud Firestore API
Cloud OS Login API
Cloud Pub/Sub API
Cloud Source Repositories API
Cloud SQL
Compute Engine Instance Group Manager API
Container Registry API
Firebase Rules API
Google Cloud APIs
Google Cloud Deployment Manager V2 API
Google Cloud DNS API
Google Cloud Memorystore for Redis API
Google Cloud Storage
Google Cloud Storage JSON API
Google Compute Engine Instance Group Updater API
Google Compute Engine Instance Groups API
Kubernetes Engine API
Service Management API
Service Usage API
Stackdriver API
Stackdriver Debugger API
Stackdriver Profiler API
Stackdriver Provisioning Service Private
Stackdriver Trace API
2) Cluster Settings
Stackdriver Logging **Valid**
Stackdriver Monitoring **Valid**
3) Same Source & Same Condition on Another Project
The above error log doesn't appear, and logging works correctly.
◆1
  oauthScopes:
  - https://www.googleapis.com/auth/cloud-platform
  serviceAccount: default
nodeIpv4CidrSize: 24
nodePools:
- autoscaling:
    enabled: true
    maxNodeCount: 3
  config:
    diskSizeGb: 100
    diskType: pd-standard
--
    oauthScopes:
    - https://www.googleapis.com/auth/cloud-platform
    serviceAccount: default
  initialNodeCount: 2
  instanceGroupUrls:
  - https://www.googleapis.com/****
  management:
    autoRepair: true
  name: default-pool
  selfLink: https://container.googleapis.com/****
  status: RUNNING
Resolution: Use a service account issued with no restriction as a resource. In detail, when issuing a service account, there are no settings in step 3 (Grant access to users or groups that need to perform actions as this service account). In that step, a restriction to use the service account for some users can be set.
By @Delta