 

gcloud.exceptions.Forbidden: 403 Missing or insufficient permissions

I am new to Google Cloud Platform. I have set up a Google VM instance. I am facing an authentication issue on my local machine while running the command:

python manage.py makemigrations

Can you please suggest some tips/steps to resolve the same?

Error Trace

  File "/constants.py", line 18, in <module>
    table_data = datastore_fetch(project_id, entity_kind)
  File "/datastore_helper.py", line 23, in datastore_fetch
    results = list(query.fetch())
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/query.py", line 463, in __iter__
    self.next_page()
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/query.py", line 434, in next_page
    transaction_id=transaction and transaction.id,
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/connection.py", line 286, in run_query
    _datastore_pb2.RunQueryResponse)
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/connection.py", line 124, in _rpc
    data=request_pb.SerializeToString())
  File "/venv/local/lib/python2.7/site-packages/gcloud/datastore/connection.py", line 98, in _request
    raise make_exception(headers, error_status.message, use_json=False)
gcloud.exceptions.Forbidden: 403 Missing or insufficient permissions.

Other Info:

gcloud auth list
Credentialed Accounts:
 - [email protected] ACTIVE
To set the active account, run:
    $ gcloud config set account `ACCOUNT`

gcloud config list
Your active configuration is: [default]

[core]
account = [email protected]
disable_usage_reporting = True
project = user_project

Input: (Standalone Python Function)

from gcloud import datastore
client = datastore.Client('user_project')

print(vars(client.connection.credentials))

Output:

{'scopes': set([]), 'revoke_uri': 'https://accounts.google.com/o/oauth2/revoke', 'access_token': None, 'token_uri': 'https://www.googleapis.com/oauth2/v4/token', 'token_info_uri': None, 'token_response': None, 'invalid': False, 'refresh_token': u'1/t-V_pZicXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'client_id': u'3XXXXXXXX9.apps.googleusercontent.com', 'id_token': None, 'client_secret': u'ZXXXXXXXXXXXXXXXXXXX2', 'token_expiry': None, 'store': None, 'user_agent': 'Python client library'}

VM Details

Firewalls
Allow HTTP traffic 
Allow HTTPS traffic

Availability policies
Preemptibility  Off (recommended)

Automatic restart   
On (recommended)

On host maintenance 
Migrate VM instance (recommended)

Custom metadata
None

SSH Keys
Block project-wide SSH keys
None

Service account
service-account@user_project.iam.gserviceaccount.com

Cloud API access scopes
This instance has full API access to all Google Cloud services.

Thanks,

Naveen asked Oct 11 '16 13:10


2 Answers

The behavior for application default credentials has changed in gcloud since version 128.

One should use

gcloud auth application-default login

instead.

Note that changing credentials via gcloud auth login, gcloud init or gcloud config set account MY_ACCOUNT will NOT affect application default credentials; they are managed separately from gcloud credentials.

cherba answered Nov 16 '22 13:11


Just ran these two commands:

 1. gcloud beta auth application-default login
 2. export GOOGLE_APPLICATION_CREDENTIALS='/<path_to_json>/client_secrets.json'

from local machine and it started working.

Naveen answered Nov 16 '22 13:11
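To see which application default credential file a local process would pick up, without dumping the refresh token or client secret the way `vars(credentials)` does in the question, a check like the following can be run. It is an added example, not code from either answer or from the gcloud library: `describe_adc` and `demo` are hypothetical names, the lookup is simplified to the environment variable followed by the Linux/macOS well-known path, and the sample file is constructed.

```python
import json
import os
import tempfile

# Keys that must never be printed or logged (the question's vars() dump exposed the first two).
SECRET_KEYS = {"refresh_token", "client_secret", "private_key", "private_key_id"}
ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS"


def describe_adc(environ=None, home=None):
    """Return (source, summary) for the file ADC would load, with secrets redacted."""
    environ = os.environ if environ is None else environ
    home = os.path.expanduser("~") if home is None else home
    # Simplified lookup order (assumption): explicit env var first, then the file
    # written by `gcloud auth application-default login` (Linux/macOS location).
    well_known = os.path.join(home, ".config", "gcloud",
                              "application_default_credentials.json")
    if environ.get(ENV_VAR):
        source, path = ENV_VAR, environ[ENV_VAR]
    else:
        source, path = "well-known file", well_known
    if not os.path.isfile(path):
        return source, {"path": path, "error": "file not found"}
    with open(path) as fh:
        info = json.load(fh)
    summary = {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in info.items()}
    summary["path"] = path
    # "authorized_user" means a user login; "service_account" means a key file.
    summary.setdefault("type", None)
    return source, summary


def demo():
    """Run the check against a constructed sample file in a temporary directory."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, ".config", "gcloud"))
    user_file = os.path.join(home, ".config", "gcloud",
                             "application_default_credentials.json")
    with open(user_file, "w") as fh:  # constructed sample, not a real credential
        json.dump({"type": "authorized_user", "client_id": "example-id",
                   "client_secret": "example-secret",
                   "refresh_token": "example-token"}, fh)
    return describe_adc(environ={}, home=home)


if __name__ == "__main__":
    print(describe_adc())  # what this machine would use
    print(demo())          # constructed sample
```

The `type` and (for service accounts) `client_email` fields identify which principal needs the Datastore permission when a 403 comes back.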