gcloud.exceptions.Forbidden：403 权限缺失或不足

Question

我是 Google Cloud Platform 的新手。我已经设置了一个 Google VM 实例。运行命令时，我在本地计算机上遇到了身份验证问题：

python manage.py makemigrations

您能否提出一些解决问题的提示/步骤？

错误追踪

  File "/constants.py", line 18, in <module>
    table_data = datastore_fetch(project_id, entity_kind)
  File "/datastore_helper.py", line 23, in datastore_fetch
    results = list(query.fetch())
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/query.py", line 463, in __iter__
    self.next_page()
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/query.py", line 434, in next_page
    transaction_id=transaction and transaction.id,
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/connection.py", line 286, in run_query
    _datastore_pb2.RunQueryResponse)
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/connection.py", line 124, in _rpc
    data=request_pb.SerializeToString())
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/connection.py", line 98, in _request
    raise make_exception(headers, error_status.message, use_json=False)
gcloud.exceptions.Forbidden: 403 Missing or insufficient permissions.

其他信息：

gcloud auth list
Credentialed Accounts:
 - user_account@gmail.com ACTIVE
To set the active account, run:
    $ gcloud config set account `ACCOUNT`

gcloud config list
Your active configuration is: [default]

[core]
account = user_account@gmail.com
disable_usage_reporting = True
project = user_project

输入：（独立 Python 函数）

from gcloud import datastore
client = datastore.Client('user_project')

print(vars(client.connection.credentials))

输出：

{'scopes': set([]), 'revoke_uri': 'https://accounts.google.com/o/oauth2/revoke', 'access_token': None, 'token_uri': 'https://www.googleapis.com/oauth2/v4/token', 'token_info_uri': None, 'token_response': None, 'invalid': False, 'refresh_token': u'1/t-V_pZicXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'client_id': u'3XXXXXXXX9.apps.googleusercontent.com', 'id_token': None, 'client_secret': u'ZXXXXXXXXXXXXXXXXXXX2', 'token_expiry': None, 'store': None, 'user_agent': 'Python client library'}

虚拟机详细信息

Firewalls
Allow HTTP traffic 
Allow HTTPS traffic

Availability policies
Preemptibility  Off (recommended)

Automatic restart   
On (recommended)

On host maintenance 
Migrate VM instance (recommended)

Custom metadata
None

SSH Keys
Block project-wide SSH keys
None

Service account
service-account@user_project.iam.gserviceaccount.com

Cloud API access scopes
This instance has full API access to all Google Cloud services.

谢谢，

Answer 1

使用本地开发中的数据存储模拟器，我必须根据Datastore and DatastoreClient docs 设置apiEndpoint。对此可能有更优雅的处理，但这解决了代码 7“缺少或不足的权限”。本地开发的错误。 （我在 Datastore 模式下使用 Firestore。）

// nodejs myapp.js excerpt for config change running locally
    if(process.env.DATASTORE_EMULATOR_HOST){
        serviceaccount.apiEndpoint = process.env.DATASTORE_EMULATOR_HOST;
    }
    const datastore = new Datastore(serviceaccount);

$ gcloud beta emulators datastore start --data-dir=./emulator-data/
    ....
    [datastore] API endpoint: http://localhost:8081
    [datastore] If you are using a library that supports the DATASTORE_EMULATOR_HOST environment variable, run:
    [datastore]
    [datastore]   export DATASTORE_EMULATOR_HOST=localhost:8081
    [datastore]
    [datastore] Dev App Server is now running.

$ export DATASTORE_EMULATOR_HOST=localhost:8081 && MYHOST='http://localhost:8111' ndb node myapp.js

Answer 2

只运行这两个命令：

 1. gcloud beta auth application-default login
 2. export GOOGLE_APPLICATION_CREDENTIALS='/<path_to_json>/client_secrets.json'

从本地机器开始工作。

Answer 3

自版本 128 起，应用程序默认凭据的行为在 gcloud 中具有 changed。

应该使用

gcloud auth application-default login

相反。

请注意，通过 gcloud auth login 或 gcloud init 或 gcloud config set account MY_ACCOUNT 更改凭据不会影响应用默认凭据，它们与 gcloud 凭据分开管理。