3
votes

I'm trying to deploy Google Cloud Functions behind Cloud Endpoints according to these steps:

https://cloud.google.com/endpoints/docs/openapi/get-started-cloud-functions

I followed the steps exactly as described and added API key authentication to the OpenAPI specification.

When I call the endpoint with the API key, I get the following error:

INTERNAL:Calling Google Service Control API failed with: 403 and body: \bMPermission 'servicemanagement.services.check' denied for the consumer project.

Is there some additional role I have to add to a service account? I did not specify a service account when executing gcloud run deploy.

Thank you for your help


2 Answers

5
votes

Just found the solution. Before deploying the endpoint as described in the documentation, I had to create a new service account with the "Service Controller" role and then use it when deploying:

gcloud run deploy --service-account="..."

2
votes

In addition to Lukas's answer:

Cloud Endpoints checks the given API key via Google's Service Management API "servicemanagement.googleapis.com". This means that the service account calling the Service Management API needs access to it. In most cases this is the project's standard compute account.

You would need to give it the permissions either via gcloud:

gcloud projects add-iam-policy-binding <project> --member serviceAccount:<project_id>-compute@developer.gserviceaccount.com --role roles/servicemanagement.serviceController

Or via the Cloud Console: (screenshot: Service Controller Permission IAM)
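
One way to confirm that the account passed to `gcloud run deploy --service-account` actually holds the Service Controller role, and to see whether it also carries broad basic roles, is to audit the output of `gcloud projects get-iam-policy <project> --format=json`. This is an added example, not code from either answer. The function name, the sample policy and the account names in it are constructed for illustration.

```python
import json

REQUIRED_ROLE = "roles/servicemanagement.serviceController"  # role named in the answers
BASIC_ROLES = {"roles/owner", "roles/editor"}  # broad basic roles worth flagging

def audit_runtime_account(policy_json: str, sa_email: str) -> dict:
    """Inspect a project IAM policy (JSON text) for one service account."""
    member = f"serviceAccount:{sa_email}"
    roles, conditional = set(), set()
    for binding in json.loads(policy_json).get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A conditional binding applies only when its expression matches,
        # so it is reported separately instead of being counted as granted.
        (conditional if "condition" in binding else roles).add(binding["role"])
    return {
        "has_service_controller": REQUIRED_ROLE in roles,
        "conditional_only": REQUIRED_ROLE in conditional and REQUIRED_ROLE not in roles,
        "broad_roles": sorted(roles & BASIC_ROLES),
        "other_roles": sorted(roles - BASIC_ROLES - {REQUIRED_ROLE}),
    }

# Constructed sample policy: a dedicated account, a default compute account
# with a basic role only, and an account whose binding is conditional.
DEDICATED = "esp-runtime@example-project.iam.gserviceaccount.com"
DEFAULT_COMPUTE = "123456789012-compute@developer.gserviceaccount.com"
STAGING = "esp-staging@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "bindings": [
        {"role": REQUIRED_ROLE, "members": [f"serviceAccount:{DEDICATED}"]},
        {"role": "roles/editor", "members": [f"serviceAccount:{DEFAULT_COMPUTE}"]},
        {"role": REQUIRED_ROLE,
         "members": [f"serviceAccount:{STAGING}"],
         "condition": {"title": "constructed", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
})

if __name__ == "__main__":
    for sa in (DEDICATED, DEFAULT_COMPUTE, STAGING):
        print(sa, audit_runtime_account(SAMPLE_POLICY, sa))
```

The audit covers the project-level policy only; bindings inherited from a folder or organization do not appear in that output.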