google-cloud-platformgoogle-analyticsgoogle-analytics-api

Why is the Google Analytics Admin API API ignoring the "gcloud auth activate-service-account" configuration?


This is the only API I've seen behave like this.

Setting export GOOGLE_APPLICATION_CREDENTIALS=mykey works but doing gcloud auth activate-service-account --key-file=mykey and then executing my code I see a perms error:

google.api_core.exceptions.PermissionDenied: 403 Request had insufficient authentication scopes. [reason: "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
domain: "googleapis.com"
metadata {
  key: "service"
  value: "analyticsadmin.googleapis.com"
}
metadata {
  key: "method"
  value: "google.analytics.admin.v1alpha.AnalyticsAdminService.ListAccessBindings"
}
]

This is my code:

client = AnalyticsAdminServiceClient(transport=None)
res = client.list_access_bindings(parent=f"accounts/{account}")

Every other API I use honors activated service accounts. Does this API really only support setting the env var?


Solution

  • This is confusing but the behavior is correct.

    gcloud authentication and Application Default Credentials are similar but distinct.

    See search order for Application Default Credentials.

    Assuming you're running off-cloud, when you unset GOOGLE_APPLICATION_CREDENTIALS, the code's credentials are your user credentials from gcloud auth application-default.

    The error results from these credentials (on Linux: ${HOME}/.config/gcloud/application_default_credentials.json) being insufficient.

    When you run gcloud auth activate-service-account, gcloud (but not your code) is authenticated as the Service Account.

    The solution here, when running off-cloud, is to use GOOGLE_APPLICATION_CREDENTIALS.

    When your code runs on a Google compute service, then you can leave GOOGLE_APPLICATION_CREDENTIALS unset and trust the metadata service to provide the compute service's Service Account credentials to the code.