
google.api_core.exceptions.Forbidden: 403 Missing or insufficient permissions

Similar issues were submitted but none of the solutions work.

When trying to do this tutorial from the Google Cloud doc, I'm getting the following error when trying to access the datastore:

google.api_core.exceptions.Forbidden: 403 Missing or insufficient permissions.

The executed file can be found here.

I did execute the following commands:

gcloud auth application-default login
export GOOGLE_APPLICATION_CREDENTIALS="file.json"

Please note that I'm executing the file on a local computer. The goal is to perform reads/writes on the datastore directly from Google Engine app.

micoco asked Dec 06 '17 10:12


2 Answers

I was also having the same error message when running the tutorial from a local computer. I am using a service account (and not the "gcloud auth application-default login"), as this is the preferred approach recommended in the Google tutorials.

However, after a lot of investigation I found that the problem was occurring due to an error in Google's documentation (it seems that the documentation is not up-to-date).

Setting up authentication

To run the client library, you must first set up authentication by creating a service account and setting an environment variable. Complete the following steps to set up authentication. For more information, see the GCP authentication documentation.

In the GCP Console, go to the Create service account key page.

  1. GO TO THE CREATE SERVICE ACCOUNT KEY PAGE
  2. From the Service account drop-down list, select New service account.
  3. In the Service account name field, enter a name.
  4. From the Role drop-down list, select Project > Owner.

The error in the documentation has to do with step 4 of the instructions. In the current implementation of the GCP console, the Role cannot be set directly from the Service Account Key page. Instead, you must go to the "IAM & admin" page to set the 'Owner' role:

In your Google Cloud console select "IAM & admin" -> "IAM"

You will see the "ADD" option. This will allow you to set permissions for your new Service Account. Click "ADD".

You can then enter the service account and role ('Owner' if you are following the instructions in the tutorial).

The following article "The Missing Guide To Setting Up Google Cloud Service Accounts For Google BigQuery" provides more information. The article is written in the context of BigQuery, but it is equally applicable for Google Datastore:

https://blog.openbridge.com/the-missing-guide-to-setting-up-google-cloud-service-accounts-for-google-bigquery-6301e509b232

pcolag answered Nov 15 '22 03:11


You're trying to use two different forms of authentication, which I wouldn't recommend.

From Google's documentation, gcloud auth application-default login is if you want your local application to temporarily use your own user credentials for API access.

When you use export GOOGLE_APPLICATION_CREDENTIALS='file.json', per Google's documentation, you are setting an environment variable to the file.json. This means you will need to create a Service Account, assign the Service Account the proper permissions, create/download a key (which in this case is file.json) and then the environment variable will be in effect when your code is executed.

Since you're just getting started, I would recommend starting out using your Cloud Shell that's available in the Google Cloud Console and using an account that has full Owner rights on your Google Project. This will make it much easier for you to learn the basics (and then you can run it more securely later and/or in production). The Cloud Shell has everything installed and updated.

If you absolutely have to run this Quickstart through a local computer, I'd recommend the first option above: gcloud auth application-default login. You will need to have the Google Cloud SDK installed for your operating system. When you run the command, it should open a browser and you will be prompted to log into your Google Cloud account. That will give you permissions to run the script locally. Hope this helps!

Eric P answered Nov 15 '22 02:11
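The two credential sources discussed in the answers above do not combine: Application Default Credentials checks GOOGLE_APPLICATION_CREDENTIALS first and only then the file written by gcloud auth application-default login. The following is an added example, not code from the question, the answers or Google's tutorial, that mimics those first two lookup steps to show which principal actually needs the Datastore role. It assumes the Linux/macOS location of the gcloud file, and the file contents and the service account email are constructed.

```python
import json
import tempfile
from pathlib import Path


def describe_key_file(path):
    """Return (credential type, principal) read from a credentials JSON file."""
    info = json.loads(Path(path).read_text())
    kind = info.get("type", "unknown")
    # Service account keys name their principal in client_email; the user
    # credentials written by gcloud carry OAuth client data but no email.
    principal = info.get("client_email", "<the logged-in user>")
    return kind, principal


def resolve_adc(env, home):
    """Mimic the first two ADC lookup steps and report which one wins."""
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        # Step 1: when the variable is set, its file is used and the gcloud login is ignored.
        return ("GOOGLE_APPLICATION_CREDENTIALS",) + describe_key_file(explicit)
    # Step 2: the well-known file (Linux/macOS path assumed here).
    well_known = Path(home) / ".config" / "gcloud" / "application_default_credentials.json"
    if well_known.is_file():
        return ("gcloud application-default login",) + describe_key_file(well_known)
    return ("none found locally", "unknown", "<metadata server or error>")


def demo():
    """Build constructed credential files in a temp dir and resolve both cases."""
    with tempfile.TemporaryDirectory() as home:
        gcloud_dir = Path(home) / ".config" / "gcloud"
        gcloud_dir.mkdir(parents=True)
        (gcloud_dir / "application_default_credentials.json").write_text(
            json.dumps({"type": "authorized_user", "client_id": "constructed"}))
        key = Path(home) / "file.json"
        key.write_text(json.dumps({
            "type": "service_account",
            "client_email": "demo-sa@example-project.iam.gserviceaccount.com"}))
        both = resolve_adc({"GOOGLE_APPLICATION_CREDENTIALS": str(key)}, home)
        login_only = resolve_adc({}, home)
    return both, login_only


if __name__ == "__main__":
    for source, kind, principal in demo():
        print(f"{source}: {kind} -> {principal}")
```

On a real machine, `resolve_adc(os.environ, Path.home())` names the principal the client library will present; a 403 means that principal, not the other one, lacks a role on the project.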