0
votes

Task: I want to store all logs from my local computer in Google logs.

The problem I faced is that I cannot create a service account with the correct permissions. Even if I give it the Owner permission I'm still getting a permission denied error (ACCESS_TOKEN is the token from the account's JSON key):

    cat data.json | http POST \
      "https://logging.googleapis.com/v2/entries:write" \
      Authorization:"Bearer $ACCESS_TOKEN"

Response:
    {
      "error": {
        "code": 403,
        "message": "The caller does not have permission",
        "status": "PERMISSION_DENIED"
      }
    }

Currently, I have set: [screenshot] and it is still not working.

While debugging I decided to use my personal account with this type of access: [screenshot]

And request with a token from my account works perfectly fine:

    $ cat data.json | http POST \
      "https://logging.googleapis.com/v2/entries:write" \
      Authorization:"Bearer `gcloud auth application-default print-access-token`"


HTTP/1.1 200 OK
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35"
Cache-Control: private
Content-Encoding: gzip
Content-Type: application/json; charset=UTF-8
Date: Sun, 23 Dec 2018 21:38:05 GMT
Server: ESF
Transfer-Encoding: chunked
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

{}

But if I use the exported stackdriver-station-1.json credentials file with a Golang/Node.js app, I get a permission denied error:

[screenshot]

The same example using the console and an ACCESS_TOKEN generated from the exported JSON file:

    $ cat data.json | http POST \
      "https://logging.googleapis.com/v2/entries:write" \
      Authorization:"Bearer $ACCESS_TOKEN"

HTTP/1.1 403 Forbidden
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35"
Cache-Control: private
Content-Encoding: gzip
Content-Type: application/json; charset=UTF-8
Date: Sun, 23 Dec 2018 22:39:51 GMT
Server: ESF
Transfer-Encoding: chunked
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

    {
      "error": {
        "code": 403,
        "message": "The caller does not have permission",
        "status": "PERMISSION_DENIED"
      }
    }

Any suggestions are welcome! For me, it seems like I'm missing some fundamental part of Google Cloud permissions, like I need to tick some check box in the cloud interface or something like that.

2
You are including a lot of information that does not help. However, you need to edit your question to fix: 1) Do not include links to outside sources. Do not include pictures. Include all information in the body of your question as text. 2) Include the program code and show how you are loading and using the service account credentials. 3) Remove the sections of your question that work. That just clutters the question. - John Hanley

Thanks for the suggestion. cat data.json | http POST "logging.googleapis.com/v2/entries:write" Authorization:"Bearer $ACCESS_TOKEN" fails even if the account has the Owner permission. - Vlad

Edited my question to put the problem in the first place. - Vlad

You still have pictures, no source code, where does $ACCESS_TOKEN come from, etc. Too many missing pieces to your problem. Please reread my comment if you would like help. - John Hanley

Well, that's a problem: to explain what the ACCESS_TOKEN is and how I got it, I need to write down all this additional information. Since I did some part of the configuration from the web admin, I included that as pictures. Also, I cannot copy and paste any info from the machine I'm working on, so I made a screenshot of what I'm getting. - Vlad

2 Answers

0
votes

I'm facing the same problem and my conclusion is that the Stackdriver API does not support access with an API key only, even though you can create an API key for several Stackdriver roles.

You need to set up a Service Account and use the OAuth process. This may be tricky, when the access token needs to be renewed regularly.

https://developers.google.com/identity/protocols/OAuth2ServiceAccount

-1
votes

If you go through the documentation, you can get useful information about the required roles.

roles/logging.viewer (Logs Viewer) gives members read-only access to all features of Logging, except the permission to read private logs.

roles/logging.privateLogViewer (Private Logs Viewer) gives members the permissions found in roles/logging.viewer, plus the permission to read private logs.

roles/logging.logWriter (Logs Writer) can be granted to members that are service accounts and gives members just enough permissions to write logs. This role does not grant access to the Logs Viewer.

roles/logging.configWriter (Logs Configuration Writer) gives members the permissions to create logs-based metrics and export sinks. To use the Logs Viewer, add the roles/logging.viewer role.

roles/logging.admin (Logging Admin) gives members all permissions related to Logging. For a full list of these permissions, see API Permissions.

roles/viewer (Project Viewer) gives members the same permissions as roles/logging.viewer at the project level. Note that granting this role applies the permissions to most GCP services at the project level, and is not confined to usage of Logging.

roles/editor (Project Editor) gives members the same permissions as roles/logging.viewer, plus permissions to write log entries, delete logs, and create logs-based metrics, at the project level. The role does not let you create export sinks or read private logs. Note that granting this role applies the permissions to most GCP services at the project level, and is not confined to usage of Logging.

Source: https://cloud.google.com/logging/docs/access-control

Based on this, you should give the right permissions to your service account.

The second step is to define how you want to authorize. For example, you can use the service account JSON to create and refresh a token using a custom Python tool.

But anyway, if you need to write your logs to Stackdriver, my suggestion is to use the Agent. This is the best option for sending logs the right way.

https://cloud.google.com/logging/docs/agent/authorization

If you need to write logs from your application, you can easily use the library and authorize it using a JSON key generated for a specific service account.
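Putting the two answers together (a service account JSON key, an OAuth2 access token minted and refreshed by a small Python tool, and the entries:write payload), here is an added example that is not from the question or either answer. The grant type, scope, token endpoint and entries:write URL are the real Google values; the key file fields, project and log names, and the stand-in signer used in testing are constructed, and the signer in rs256_signer assumes the third-party `cryptography` package.

```python
import base64
import json
import time

# Real Google OAuth2 constants; the key contents and log names used with them are constructed.
TOKEN_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
LOGGING_WRITE_SCOPE = "https://www.googleapis.com/auth/logging.write"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def build_assertion(sa_key, signer, scope=LOGGING_WRITE_SCOPE, now=None):
    """JWT exchanged at sa_key['token_uri']; signer(bytes)->bytes does RS256 with the key's private_key."""
    iat = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT", "kid": sa_key["private_key_id"]}
    claims = {"iss": sa_key["client_email"], "scope": scope,   # scope AND IAM role must allow writes
              "aud": sa_key["token_uri"], "iat": iat, "exp": iat + 3600}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{_b64url(signer(signing_input.encode('ascii')))}"

def token_request(assertion):
    """Form body to POST to the token endpoint; the reply carries access_token and expires_in."""
    return {"grant_type": TOKEN_GRANT, "assertion": assertion}

def entries_write_body(project_id, log_id, message, severity="INFO"):
    """Minimal body for https://logging.googleapis.com/v2/entries:write: one entry on the 'global' resource."""
    return {"logName": f"projects/{project_id}/logs/{log_id}",
            "resource": {"type": "global", "labels": {"project_id": project_id}},
            "entries": [{"severity": severity, "textPayload": message}]}

class TokenCache:
    """Re-mints the access token shortly before it expires (the renewal the answers call tricky)."""
    def __init__(self, exchange, skew=60):
        self._exchange, self._skew = exchange, skew  # exchange(assertion) -> token reply dict
        self._token, self._expires_at = None, 0

    def get(self, sa_key, signer, now=None):
        now = int(time.time() if now is None else now)
        if self._token is None or now >= self._expires_at - self._skew:
            reply = self._exchange(build_assertion(sa_key, signer, now=now))
            self._token, self._expires_at = reply["access_token"], now + int(reply["expires_in"])
        return self._token

def rs256_signer(private_key_pem):
    """Signer backed by the 'cryptography' package (assumed installed; imported only when called)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem.encode(), password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())
```

In use, `exchange` is an HTTP POST of `token_request(...)` to the key's token_uri, and the returned access token goes in the `Authorization: Bearer` header of the entries:write POST; a 403 with a fresh, correctly scoped token then points at the service account's IAM role (roles/logging.logWriter at minimum) rather than at the token.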