How to properly configure a Service Account in Google AppEngine Flex w/ Python?

How to properly configure a Service Account in Google AppEngine Flex w/ Python?



I am using Google AppEngine (GAE) Flexible environment with a custom runtime (python2.7). I am using custom so I can just manage a Dockerfile and have easy parity between my laptop and when deployed in GAE.



I have a python 2.7 Flask app that is doing a query against DataStore. I get the following (when starting python main.py in my local docker):


python main.py


root@24dcf9b8712d:/home/vmagent/app# curl localhost:5000/things
'/home/vmagent/app/clientid-searchapp.json'
[2018-09-04 14:54:19,969] ERROR in app: Exception on /things [GET]
Traceback (most recent call last):
File "/env/local/lib/python2.7/site-packages/flask/app.py", line 2292, in wsgi_app
response = self.full_dispatch_request()
File "/env/local/lib/python2.7/site-packages/flask/app.py", line 1815, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/env/local/lib/python2.7/site-packages/flask/app.py", line 1718, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/env/local/lib/python2.7/site-packages/flask/app.py", line 1813, in full_dispatch_request
rv = self.dispatch_request()
File "/env/local/lib/python2.7/site-packages/flask/app.py", line 1799, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "main.py", line 55, in products
for rec in query.fetch(limit=100):
File "/env/lib/python2.7/site-packages/google/api_core/page_iterator.py", line 199, in _items_iter
for page in self._page_iter(increment=False):
File "/env/lib/python2.7/site-packages/google/api_core/page_iterator.py", line 230, in _page_iter
page = self._next_page()
File "/env/local/lib/python2.7/site-packages/google/cloud/datastore/query.py", line 517, in _next_page
query=query_pb,
File "/env/local/lib/python2.7/site-packages/google/cloud/datastore_v1/gapic/datastore_client.py", line 294, in run_query
request, retry=retry, timeout=timeout, metadata=metadata)
File "/env/lib/python2.7/site-packages/google/api_core/gapic_v1/method.py", line 139, in __call__
return wrapped_func(*args, **kwargs)
File "/env/lib/python2.7/site-packages/google/api_core/retry.py", line 260, in retry_wrapped_func
on_error=on_error,
File "/env/lib/python2.7/site-packages/google/api_core/retry.py", line 177, in retry_target
return target()
File "/env/lib/python2.7/site-packages/google/api_core/timeout.py", line 206, in func_with_timeout
return func(*args, **kwargs)
File "/env/lib/python2.7/site-packages/google/api_core/grpc_helpers.py", line 56, in error_remapped_callable
six.raise_from(exceptions.from_grpc_error(exc), exc)
File "/env/local/lib/python2.7/site-packages/six.py", line 737, in raise_from
raise value
PermissionDenied: 403 Missing or insufficient permissions.
127.0.0.1 - - [04/Sep/2018 14:54:19] "GET /things HTTP/1.1" 500 -
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>



Snippets from main.py


main.py


app = Flask(__name__)
ds = datastore.Client()
<snip>
@app.route("/things")
def things():
global ds
pprint(os.environ['GOOGLE_APPLICATION_CREDENTIALS'])
query = ds.query(kind='Things', order=('thing_name',))
results = list()
for rec in query.fetch(limit=100):
results.append(rec)
return jsonify(results)



Output of gcloud auth list:


gcloud auth list


root@24dcf9b8712d:/home/vmagent/app# gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* <myapp>@<project-name>.iam.gserviceaccount.com



This is the configured service account. I have over-privileged it with excessive Role membership; I'm pretty certain the service account isn't lacking in permissions. In fact, it has 'DataStore Owner'



In main.py I am outputting:
pprint(os.environ['GOOGLE_APPLICATION_CREDENTIALS'])


main.py



And this outputs the path to my client-<myapp>.json file for the service account. It is the same file supplied in the Dockerfile as:


client-<myapp>.json


Dockerfile


RUN gcloud auth activate-service-account --key-file=clientid-<myapp>.json --project <project-name> --quiet



I get the same results when running the Flask app in my local Docker environment and when I deploy to GAE Flexible. The Flask app has other endpoints that work as they don't call any other services. Only /things uses an API to call DataStore and it receives the above error.


/things



I've been through all the docs. I'm sure it's something basic and obvious but afaict, everything looks right.



UPDATE:
I've tried creating the DataStore client with an explicit pass of project name with no change in result. Also, I've run this command from within the Docker container and this seems like unusual output to me but I don't know that it's incorrect for a Service Account.


root@e02b74cd269d:/home/vmagent/app# gcloud projects list
API [cloudresourcemanager.googleapis.com] not enabled on project
[<project id>]. Would you like to enable and retry (this will take a
few minutes)? (y/N)? y



When I respond w/ Y,:


ERROR: (gcloud.projects.list) PERMISSION_DENIED: Not allowed to get project settings for project <project id>



Output of gcloud config list:


gcloud config list


root@d18c83cae166:/home/vmagent/app# gcloud config list
[core]
account = <myapp>@<myproject>.iam.gserviceaccount.com
disable_usage_reporting = False
project = <myproject>

Your active configuration is: [default]





Is the path to the default credentials correct? Can you do something like print(open(os.environ['GOOGLE_APPLICATION_CREDENTIALS']).read()) and see the contents of the file?
– Dustin Ingram
Sep 4 '18 at 15:30


print(open(os.environ['GOOGLE_APPLICATION_CREDENTIALS']).read())





Hi @DustinI.Yes, I just tried that and it did print the contents of the json file to STDOUT. Good idea, though--it was a better way to confirm.
– Erik Nord
Sep 4 '18 at 15:34





Have you tried passing the project parameter to datastore.Client()?
– Dustin Ingram
Sep 4 '18 at 16:05


project


datastore.Client()





Another great idea, @Dustin. I've updated the question above with some new information, but this change had no effect.
– Erik Nord
Sep 4 '18 at 17:16





What's the output of gcloud config list inside the container?
– Dustin Ingram
Sep 4 '18 at 17:52


gcloud config list




0



Thanks for contributing an answer to Stack Overflow!



But avoid



To learn more, see our tips on writing great answers.



Some of your past answers have not been well-received, and you're in danger of being blocked from answering.



Please pay close attention to the following guidance:



But avoid



To learn more, see our tips on writing great answers.



Required, but never shown



Required, but never shown




By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

𛂒𛀶,𛀽𛀑𛂀𛃧𛂓𛀙𛃆𛃑𛃷𛂟𛁡𛀢𛀟𛁤𛂽𛁕𛁪𛂟𛂯,𛁞𛂧𛀴𛁄𛁠𛁼𛂿𛀤 𛂘,𛁺𛂾𛃭𛃭𛃵𛀺,𛂣𛃍𛂖𛃶 𛀸𛃀𛂖𛁶𛁏𛁚 𛂢𛂞 𛁰𛂆𛀔,𛁸𛀽𛁓𛃋𛂇𛃧𛀧𛃣𛂐𛃇,𛂂𛃻𛃲𛁬𛃞𛀧𛃃𛀅 𛂭𛁠𛁡𛃇𛀷𛃓𛁥,𛁙𛁘𛁞𛃸𛁸𛃣𛁜,𛂛,𛃿,𛁯𛂘𛂌𛃛𛁱𛃌𛂈𛂇 𛁊𛃲,𛀕𛃴𛀜 𛀶𛂆𛀶𛃟𛂉𛀣,𛂐𛁞𛁾 𛁷𛂑𛁳𛂯𛀬𛃅,𛃶𛁼

𛀝𛂎𛃩𛁂𛂯𛀋𛃈,𛁴,𛀡𛃕𛁀𛀆𛀝𛀊𛀚𛃍𛂯𛂸𛁞𛂪𛀈,𛂵,𛀞𛂢𛀯𛃂𛁱 𛃩𛂜𛃅 𛂧𛀧𛂦𛀑,𛃛𛃟,𛃍𛀔𛀣𛀶𛀪𛃱𛀓𛀅𛁱,𛂖 𛁷 𛁉𛂹𛀉𛀼 𛁎,𛃭 𛀣𛃫𛃯𛁸𛂸𛂰𛂣𛀯𛁩𛂂𛃓𛃿𛂽𛃤𛃢𛁂𛀺 𛂚𛀅𛃵𛁬𛃽𛃯𛂔𛃣𛃝𛂫 𛂖𛂾𛂈 𛂡𛁔𛀇𛁁𛃛𛃖 𛃜,𛁊𛂠𛀌𛁼𛃶𛃣𛃊𛀘𛂐𛃓𛃛𛁂𛂥𛃛𛂲,𛃄𛀗𛀪𛁘𛁉𛁫𛀲𛀕𛂍𛁓𛁏𛃿𛃔𛁼 𛀞𛀤 𛂏𛃚𛃎 𛃱𛀭𛀟𛂃𛀭𛀫𛃚 𛂻𛁄 𛃚𛂁 𛂀𛂈𛃒𛁼𛃏𛂣𛂔,𛁩𛂝,𛁎,𛂗,𛂧𛃁𛃷𛁜𛃭𛂙𛂣𛀱𛂢𛁔𛁥𛂘𛃏𛀇𛂅𛁗𛃅𛂷𛃬𛁹𛁭,𛀵𛁍,𛃂𛁣𛁡𛃉𛀳𛀜𛁢 𛀲 𛁐𛀊𛁷𛃃𛃔𛀃𛃄𛃙𛀩𛃖𛂮𛃷𛀚𛂚𛃜𛁘,𛁤𛁵𛀝𛂮𛁲𛃸𛂩𛂼𛂠,𛁖𛃸𛀯,𛁰𛁇𛃣,𛃨𛂦𛀫𛃁 𛂓𛃁𛃥𛃰𛁅𛂻𛂻 𛁃𛁺𛃤𛀏 𛃻𛃽 jKH8N2gXPW4,5NtI,zi C6C,8 LtJ9 h5T40,Y 29W,8IH3pJwKf Q32PJw73ZM7a 7,0EI,5Hu NBOF x,V,Zan l 51Vm,1,o6 zHC69UbfzB6dS62,fvHKgJsOHeC 7 u Z,5,b510gw756DJ0K3 NLBCejw,1s12o037 gLrqm,8JV5,0HH7y8,5n1W5 oN943 0,EdU7tbRJ74 8DXtjBp0,KnM,2S,8 V4Ph1H2 Yb6FxtA,M,3qXGu2094wS GvlV4l,HFrZ D76u3,kr9E,ij4jFFOb 49,dJKN,V Kv,V4,a8wm,d2U8 9,Nx,vO98,JX,uO3,Y,Y1ay74uomg,7Tt5XFU TKTZ28,0C7LbNuU FhgfO3,4n E,l MSI03CLgM9D,Abr E 7sR0J,6,07N A2u 7,6Q PpzEZ1wKZN YAd759p,31UtJ63dBF3p 0,EZL 4FjbJ l Qep zHs63,u2f6xSKS Vz2Q O,9zIlq0J 9PR
Read more

Edmonton

Image
Clash Royale CLAN TAG #URR8PPP This article is about the city in Canada. For other uses, see Edmonton (disambiguation). City in Alberta, Canada Edmonton City City of Edmonton From top left: Downtown Edmonton, Fort Edmonton Park, Legislature Building, Law Courts, Rogers Place, High Level Bridge, Muttart Conservatory Flag Coat of arms Logo Nickname(s):  Canada's Festival City, City of Champions, The Oil Capital of Canada more... [1] Motto(s):  Industry, Integrity, Progress Edmonton Location of Edmonton in Canada Show map of Canada Edmonton Edmonton (Alberta) Show map of Alberta Coordinates: 53°32′N 113°30′W  /  53.533°N 113.500°W  / 53.533; -113.500 Coordinates: 53°32′N 113°30′W  /  53.533°N 113.500°W  / 53.533; -113.500 Country Canada Province Alberta Region Edmonton Metropolitan Region Census division 11 Founded 1795 Incorporated [2] [3]    • Town January 9, 1892  • City October 8, 1904 Amalgamated [2] February 12, 1912 Named for Edmonton, London Government  • Mayor Don I
Read more

Crossroads (UK TV series)

Image
[dummy-text] Crossroads (UK TV series) From Wikipedia, the free encyclopedia Jump to navigation Jump to search For other uses, see Crossroads (disambiguation). "Crossroads Motel" redirects here. For the album by the Sonny Moorman Group, see Crossroads Motel (album). Crossroads 2003 title sequence Created by Hazel Adair Peter Ling Written by Michala Crees Ivor Jay Rosalie Grayson Raymond Bowers David Garfield Edward F. Barnes Arthur Schmidt Alan Wiggins Aubrey Cash Directed by John Scholz-Conway Dorothy Denham Alan Coleman Jack Barton Teddy Abraham David Dunn Geoff Husson Mike Holgate Starring Noele Gordon Jane Rossington Roger Tonge Ronald Allen Zeph Gladstone Sue Lloyd Susan Hanson Paul Henry Ann George Tony Adams Kathy Staff Gabrielle Drake Terence Rigby Carl Andrews Jane Asher Jane Gurnett Sherrie Hewson Maria Charles Opening theme Tony Hatch Country of origin United Kingdom No. of episodes Original Series: 4510
Read more