
I'm developing an application where I need to create, edit and delete projects from my developer console.

I'm using the Cloud Resource Manager API for this purpose.

OAuth 2.0 is required to make requests to the API, so I'm using OAuth 2.0 server-to-server (two-legged OAuth, or 2LO).

Once I have the authorization token, I make the request to the API to create a new project and I am told that I do not have permission: The caller has no permissions.

However, if I request a list of all projects, I get the correct response.

How do I obtain permission?

I followed all the steps to use OAuth 2.0 server-to-server and have a Google account for Work; the service account has the Owner role and domain-wide delegation.

Thanks!!


1 Answer


I'm too lazy to manually run the OAuth authentication path, so I always use the old gcloud auth print-access-token trick.

What I do:

  1. Create a service account key file:

       gcloud iam service-accounts keys create <PATH/TO/YOUR_KEY_FILE>.json --iam-account=<YOUR_SERVICE_ACCOUNT>

  2. Activate that account:

       gcloud auth activate-service-account <YOUR_SERVICE_ACCOUNT> --key-file=<PATH/TO/YOUR_KEY_FILE>.json

  3. Call the API with your new project:

       curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
            -H "Content-Type: application/json" \
            https://cloudresourcemanager.googleapis.com/v1/projects \
            -d '{"projectId": "<YOUR_PROJECT_ID>", "parent": {"type": "organization", "id": "<YOUR_ORG_ID>"}}'

  4. This will return an operation ID that you can query until it finishes:

       curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
            https://cloudresourcemanager.googleapis.com/v1/operations/<OPERATION_ID>

This is what I do through a regular shell. You can extrapolate it to any script by using one of Google's auth libraries and setting the env variable GOOGLE_APPLICATION_CREDENTIALS to the path chosen in step 1, as explained in the GCP auth docs. Google's auth libraries will provide you with the access token directly.

For an even easier solution, you can simply use the Cloud Resource Manager client library for your language. You just download the keys file, set the GOOGLE_APPLICATION_CREDENTIALS env variable, and the client will do everything for you. If you're running this script inside GCP (GAE, GCF, GCE, GKE, ...), it's likely that the library can get the credentials directly from the platform, avoiding the need to even create the keys or set any env variable.
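The create-then-poll flow from steps 3 and 4 above, written as a script, as an added example that is not part of the answer or the asker's code. It uses only the Python standard library; the bearer token is whatever `gcloud auth print-access-token` prints (passed in as a parameter), so nothing in it requires writing a service-account key file to disk, which matters because a downloaded key is a long-lived credential while the printed access token expires within the hour. The HTTP transport is injectable, and the `ScriptedTransport` class plus the canned JSON responses in the two `demo_*` functions are constructed stand-ins for the API, included so the logic can be exercised offline; the project IDs, organization ID and operation name in them are made up. One caveat worth checking before blaming OAuth: creating a project under an organization is authorized on the organization, so the caller needs `resourcemanager.projects.create` there (for example via `roles/resourcemanager.projectCreator` granted on the organization); Owner on an existing project is not enough, which is consistent with the asker being able to list projects but not create one.

```python
"""Create a GCP project via the Cloud Resource Manager v1 REST API and poll
the returned operation until it finishes. Added example, standard library only;
the token comes from `gcloud auth print-access-token`, no key file is written."""
import json
import subprocess
import time
import urllib.error
import urllib.request

CRM = "https://cloudresourcemanager.googleapis.com/v1"


def urllib_transport(method, url, headers, data):
    """Real HTTP transport: returns (status, body_bytes), also for 4xx/5xx."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def crm_call(token, method, path, body=None, transport=urllib_transport):
    """One authenticated call to CRM v1. A 403 is surfaced as PermissionError
    carrying the API's own message (the 'caller does not have permission' case)."""
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    status, raw = transport(method, CRM + path, headers, data)
    payload = json.loads(raw or b"{}")
    if status >= 400:
        err = payload.get("error", {})
        msg = f"{status} {err.get('status', '')}: {err.get('message', '')}"
        raise PermissionError(msg) if status == 403 else RuntimeError(msg)
    return payload


def create_project(token, project_id, org_id, transport=urllib_transport):
    """POST /v1/projects with an organization parent; returns the Operation."""
    body = {"projectId": project_id,
            "parent": {"type": "organization", "id": org_id}}
    return crm_call(token, "POST", "/projects", body, transport)


def wait_for_operation(token, op_name, transport=urllib_transport,
                       sleep=time.sleep, max_polls=60):
    """GET /v1/<op_name> (e.g. operations/cp.123) until done; returns the Project."""
    for _ in range(max_polls):
        op = crm_call(token, "GET", "/" + op_name, transport=transport)
        if op.get("done"):
            if "error" in op:
                raise RuntimeError(op["error"])
            return op["response"]
        sleep(2)
    raise TimeoutError(op_name)


class ScriptedTransport:
    """Constructed offline stand-in for the API: replays canned (status, json)."""
    def __init__(self, responses):
        self.responses = list(responses)
        self.calls = []  # (method, url, Authorization header, decoded body)

    def __call__(self, method, url, headers, data):
        self.calls.append((method, url, headers["Authorization"],
                           json.loads(data) if data else None))
        status, payload = self.responses.pop(0)
        return status, json.dumps(payload).encode()


def demo_happy_path():
    """Create + poll against constructed responses shaped like the v1 API's."""
    t = ScriptedTransport([
        (200, {"name": "operations/cp.123456789"}),
        (200, {"name": "operations/cp.123456789", "done": False}),
        (200, {"name": "operations/cp.123456789", "done": True,
               "response": {"projectId": "my-proj", "projectNumber": "42",
                            "lifecycleState": "ACTIVE"}}),
    ])
    op = create_project("fake-token", "my-proj", "123", transport=t)
    project = wait_for_operation("fake-token", op["name"], transport=t,
                                 sleep=lambda s: None)
    return project, t.calls


def demo_denied():
    """The asker's failure mode: 403 because the org-level create permission is missing."""
    t = ScriptedTransport([(403, {"error": {"code": 403, "status": "PERMISSION_DENIED",
                                            "message": "The caller does not have permission"}})])
    try:
        create_project("fake-token", "my-proj", "123", transport=t)
    except PermissionError as e:
        return str(e)
    return None


if __name__ == "__main__":
    import sys  # usage: python create_project.py <PROJECT_ID> <ORG_ID>
    tok = subprocess.check_output(["gcloud", "auth", "print-access-token"],
                                  text=True).strip()
    op = create_project(tok, sys.argv[1], sys.argv[2])
    print(json.dumps(wait_for_operation(tok, op["name"]), indent=2))
```

When run for real, a 403 on the POST with the message above, while `GET /v1/projects` succeeds, points at the parent organization's IAM policy rather than at the OAuth setup; the same token shape works for both calls.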