Tags: google-cloud-platform, certbot, google-cloud-dns, certbot-dns-plugin

Google Cloud DNS with Certbot (Wildcard) Giving Permission Issues


I am trying to issue certificates including a wildcard using Certbot. The instructions for google-dns are clear, but I am stuck on the permissions and getting the following permission issue.

Encountered 403 Forbidden with reason "insufficientPermissions"
Encountered 403 Forbidden with reason "insufficientPermissions"
Error finding zone. Skipping cleanup.
Encountered error finding managed zone: <HttpError 403 when requesting https://dns.googleapis.com/dns/v1/projects/example/managedZones?dnsName=example.com.&alt=json returned "Request had insufficient authentication scopes.". Details: "[{'message': 'Insufficient Permission', 'domain': 'global', 'reason': 'insufficientPermissions'}]">

I've added the DNS Admin role to my DNS Zone permissions and the DNS Reader role to my project IAM permissions under the principal of my main email for the account. What is going on?


Solution

  • Most likely you are not using the credentials that you think you are.

    By default, the plugin will use ADC (Application Default Credentials) that are set up by the gcloud CLI. You might not have set up those credentials with the correct account.

    Run the command gcloud auth application-default login and try again.

    Your other option is to use the plugin command flag --dns-google-credentials to specify the service account JSON key file.
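As an added example (not part of the question or the answer above, and not code from certbot or the plugin), here is a small Python helper that mirrors the credential lookup order the google-auth library applies for ADC, so you can see which identity the plugin will actually present before re-running certbot. It also checks whether the key file is readable by other users. The key file contents, account name and paths in the demo are constructed placeholders; the --dns-google-credentials flag and the gcloud command are the ones named in the answer.

```python
"""Show which Google credentials certbot's dns-google plugin would pick up via ADC."""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

# ADC lookup order used by the google-auth library that the plugin relies on:
#   1. GOOGLE_APPLICATION_CREDENTIALS -> an explicit credential file
#   2. the file written by `gcloud auth application-default login`
#   3. (on GCE only) the instance metadata server; not checked offline here


def gcloud_adc_path(home: Path) -> Path:
    """Default ADC file location on Linux/macOS (Windows uses %APPDATA%\\gcloud)."""
    return home / ".config" / "gcloud" / "application_default_credentials.json"


def describe_credential_file(path: Path) -> dict:
    """Report the credential type, the identity it carries, and whether the file leaks."""
    data = json.loads(path.read_text())
    kind = data.get("type", "unknown")
    if kind == "service_account":
        identity = data.get("client_email", "?")
    elif kind == "authorized_user":
        # A user refresh token from gcloud; the file does not record the account name.
        identity = "authorized_user refresh token (account not recorded in the file)"
    else:
        identity = "?"
    mode = stat.S_IMODE(path.stat().st_mode)
    return {
        "path": str(path),
        "type": kind,
        "identity": identity,
        "world_readable": bool(mode & 0o044),  # group- or other-readable key file
    }


def resolve_adc(env: dict, home: Path) -> Optional[dict]:
    """Return a description of the credential ADC would select, or None if none is found."""
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        info = describe_credential_file(Path(explicit))
        info["source"] = "GOOGLE_APPLICATION_CREDENTIALS"
        return info
    gcloud_file = gcloud_adc_path(home)
    if gcloud_file.exists():
        info = describe_credential_file(gcloud_file)
        info["source"] = "gcloud auth application-default login"
        return info
    return None  # would fall through to the metadata server on GCE


def certbot_command(domain: str, key_file: str) -> List[str]:
    """Build the certbot invocation that pins the plugin to an explicit key file
    instead of ADC. The flag name comes from the answer; the domain is an example."""
    return [
        "certbot", "certonly", "--dns-google",
        "--dns-google-credentials", key_file,
        "-d", domain, "-d", f"*.{domain}",
    ]


def demo() -> dict:
    """Run the lookup against a constructed (hypothetical) service-account key file."""
    workdir = Path(tempfile.mkdtemp())
    key_file = workdir / "certbot-dns-key.json"
    key_file.write_text(json.dumps({  # constructed sample, not a real key
        "type": "service_account",
        "client_email": "certbot-dns@example-project.iam.gserviceaccount.com",
    }))
    os.chmod(key_file, 0o600)
    return resolve_adc({"GOOGLE_APPLICATION_CREDENTIALS": str(key_file)}, workdir)


if __name__ == "__main__":
    # Inspect the real environment first, then the constructed demo.
    print("live:", resolve_adc(dict(os.environ), Path.home()))
    print("demo:", demo())
    print(" ".join(certbot_command("example.com", "/etc/letsencrypt/google.json")))
```

If the live lookup reports an authorized_user file, the plugin is running as whatever account you last used with gcloud auth application-default login, not necessarily the account whose IAM roles you edited; if it reports world_readable as True, tighten the key file's permissions before pointing --dns-google-credentials at it.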