SCOPES_WARNING in BigQuery when accessed from a Cloud Compute instance

2
votes

Every time I use bq on a Cloud Compute instance, I get this:

/usr/local/share/google/google-cloud-sdk/platform/bq/third_party/oauth2client/contrib/gce.py:73: UserWarning: You have requested explicit scopes to be used with a GCE service account.
Using this argument will have no effect on the actual scopes for tokens
requested. These scopes are set at VM instance creation time and
can't be overridden in the request.

  warnings.warn(_SCOPES_WARNING)

This is a default micro in f1 with Debian 8. I gave this instance access to all Cloud APIs and its service account is also an owner of a project. I run gcloud init. But this error persists.

Is there something wrong?

1
google-bigquerygoogle-compute-enginegoogle-cloud-platform
Just to confirm, you are using the "--use_gce_service_account" flag with bq, right? Are you specifying any other flags?Michael Sheldon
@MichaelSheldon I don't specify flags. Even simple bq ls ends with a warning. bq help does not.Anton Tarasenko
You must have informed bq of which credentials to use somehow... Are you using application default credentials specified through gcloud auth?Michael Sheldon
@MichaelSheldon I did gcloud init for the default ...-compute@... service account. Besides, bq does work, but each time it mentions this warning.Anton Tarasenko
Thanks for the clarification! I'm not sure this warning is bad or not, as bq requires certain scopes which may or may not have been configured in the container. In your case they clearly are configured correctly. But if they weren't, this warning might help someone debug the situation.Michael Sheldon

1 Answers

4
votes

I noticed that this warning did not appear on an older instance running SDK version 0.9.85, however I now get it when creating a new instance or upgrading the the latest Gcloud SDK.

The scopes warning can be safely ignored, as it's just telling you that the only scopes that will be used are the ones specified at instance creation time, which is the expected behavior of the default GCE service account.

It seems the 'bq' tool doesn't distinguish between the default service account on GCE and a regular service account and always tries to set the scopes explicitly. The warning comes from oauth2client, and it looks like it didn't display this warning in versions prior to v2.0.0.

I've created public issue to track this which you can star to get updates: https://code.google.com/p/google-bigquery/issues/detail?id=557