AppEngine - Remote API returning 401 and too-many-auth

Question

I am trying to connect to an AppEngine instance with the remote API with something like this:

os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = ".../path/to/key"
remote_api_stub.ConfigureRemoteApiForOAuth(
    server.encode('ascii'), path, secure=True
)

Where the path/to/key points to a JSON file created in the Google Cloud (Beta), API Manager -> Credentials -> Add Credentials -> Service Account. The service account "Can edit" per the Permissions panel.

When I run this I get an error like this on the console, corresponding to a 401 (as reported in the App Engine log viewer):

  File "/usr/local/share/app-engine-python/google/appengine/ext/remote_api/remote_api_stub.py", line 768, in ConfigureRemoteApiForOAuth
    rpc_server_factory=rpc_server_factory)
  File "/usr/local/share/app-engine-python/google/appengine/ext/remote_api/remote_api_stub.py", line 835, in ConfigureRemoteApi
    app_id = GetRemoteAppIdFromServer(server, path, rtok)
  File "/usr/local/share/app-engine-python/google/appengine/ext/remote_api/remote_api_stub.py", line 569, in GetRemoteAppIdFromServer
    response = server.Send(path, payload=None, **urlargs)
  File "/usr/local/share/app-engine-python/google/appengine/tools/appengine_rpc_httplib2.py", line 258, in Send
    NeedAuth()
  File "/usr/local/share/app-engine-python/google/appengine/tools/appengine_rpc_httplib2.py", line 234, in NeedAuth
    RaiseHttpError(url, response_info, response, 'Too many auth attempts.')
  File "/usr/local/share/app-engine-python/google/appengine/tools/appengine_rpc_httplib2.py", line 85, in RaiseHttpError
    raise urllib2.HTTPError(url, response_info.status, msg, response_info, stream)
urllib2.HTTPError: HTTP Error 401: Unauthorized Too many auth attempts.

I checked and the correct credentials seem to be set in /google/appengine/ext/remote_api/remote_api_stub.py:760 and should be passed to the remote api.

The app.yaml has the basic setting - remote_api: on under builtins.

This setup works for the local dev_appserver.py, so I am led to believe the problem is on the Google server/cloud settings.

I have tried both authentication schemes in App Engine -> Settings -> Application settings (Google Accounts API and Google Apps domain).

I followed the Google Application Default Credentials as fit as I could, but maybe I missed something?

It is probably also worth noting that from the command line:

$ GOOGLE_APPLICATION_CREDENTIALS=~/path-to-key
    remote_api_shell.py -s APPID.appspot.com --secure APPID

also gives the same 401 exception.

Answer 1

Just encountered this issue and nothing here resolved it. The only thing that worked for me is adding the --secure option to the remote shell command

$APPENGINE/remote_api_shell.py  --secure -s my-app.appspot.com

Answer 2

Ok, so what seemed to be necessary was:

1. Go to the appspot.com admin page.
2. Under Application Settings, enable Cloud Integration
3. Create a new service account in the new cloud console page API Manager (existing service accounts do not seem to work)
4. Switch to remote_api_stub.ConfigureRemoteApiFromServer — on further inspection, it appears that ConfigureRemoteApiForOAuth works fine.

At least after performing the above access works as expected.

I hope others similarly situated find this helpful.

Answer 3

For people using the remote api from the command line (bulkloader.py, remote_api_shell.py etc.), a 401 error might also happen if your appengine cookies are expired.

Try deleting them and authenticating again:

rm ~/.appcfg* gcloud auth login

This could happen in cases where changes made to a Google account force logging out (e.g: enabling 2 factor authentication).