0
votes

I am trying to call a cloud function which shuts down a VM Instance with:

gcloud functions call stopInstancePubSub --data '{"data":"<instance data in base64>"}' 

This works perfectly fine when I run it from my local machine or from gcloud console. But I need to be able to run it from inside the instance itself and when I try to do that, this is the error that gets thrown:

ERROR: (gcloud.functions.call) ResponseError: status=[403], code=[Forbidden], message=[Request had insufficient authentication scopes.]

Essentially I want to be able to schedule a script to run daily (it'll run for about 2-3 hours). So I've used cloud scheduler to call the cloud function which starts the script at 12 AM every day, and it works, but I need to be able to shut down the instance (to avoid unnecessary charges being added) after the script finishes running. So, I need to be able to call the function from inside the instance itself.

Any other suggestions to achieve my goal would be highly appreciated.

1
What is the service account of your VM and what are its roles? - guillaume blaquiere

1 Answer

2
votes

I believe you have to Allow full access to all Cloud APIs on the instance that runs as a service account.

Then assign the necessary roles to the service account to call the cloud function (roles/cloudfunctions.invoker).

To change scopes, in the Access scopes section, set the appropriate scopes for your needs. As a best practice, specify only the access scopes that your VM instance requires. If you're not sure of the proper access scopes to set, choose Allow full access to all Cloud APIs and then make sure to restrict access by setting IAM roles.
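A way to confirm the scope problem from inside the VM and print the commands for the fix described in the answer above, as an added example that is not part of the original answer. The function names (`check_vm`, `print_fix`, `metadata`, `has_cloud_platform_scope`) and the instance, zone and function arguments are assumptions; the role is the one the answer names.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Intended to run on the VM.
MD="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"
CLOUD_PLATFORM="https://www.googleapis.com/auth/cloud-platform"

# Read a newline-separated scope list on stdin; succeed only if it contains
# exactly the cloud-platform scope (cloud-platform.read-only does not match).
has_cloud_platform_scope() {
  grep -qxF "$CLOUD_PLATFORM"
}

# Query the metadata server for a field of the attached service account
# (for example "scopes" or "email").
metadata() {
  curl -sf --max-time 3 -H "Metadata-Flavor: Google" "$MD/$1"
}

# Print the commands that apply the answer's fix. Access scopes can only be
# changed while the instance is stopped, so run these from another machine.
print_fix() {  # args: instance zone sa_email function_name
  cat <<EOF
gcloud compute instances stop $1 --zone=$2
gcloud compute instances set-service-account $1 --zone=$2 --service-account=$3 --scopes=cloud-platform
gcloud functions add-iam-policy-binding $4 --member=serviceAccount:$3 --role=roles/cloudfunctions.invoker
gcloud compute instances start $1 --zone=$2
EOF
}

# Report whether this VM's token carries the scope gcloud needs here.
check_vm() {  # args: instance zone function_name
  local scopes email
  scopes=$(metadata scopes) || { echo "metadata server unreachable" >&2; return 2; }
  email=$(metadata email)
  if printf '%s\n' "$scopes" | has_cloud_platform_scope; then
    echo "scopes OK for $email; a remaining 403 points at IAM roles"
  else
    echo "missing cloud-platform scope for $email; fix:"
    print_fix "$1" "$2" "$email" "$3"
    return 1
  fi
}

# Usage on the VM (constructed names): check_vm my-vm us-central1-a stopInstancePubSub
```

With the broad scope in place, the IAM roles granted to the service account are the only limit on what code on the VM can do, so keep that role list minimal.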