Search code examples
google-cloud-monitoring

Making REST API calls to resource: projects.timeSeries results in 403 when using service accounts


When making a REST API call to https://monitoring.googleapis.com/v3/projects/${projectId}/timeSeries , providing an access token generated from a service account results in a 403 error "This API method requires billing to be enabled". However using a token generated from an actual google account results in a 400 error, which is expected due to invalid arguments. API reference: https://cloud.google.com/monitoring/api/ref_v3/rest/v3/projects.timeSeries/list

The project is not billing enabled. I understand that the error message says that the project must be billing enabled, but why though? Even if the project is not billing enabled, I'm able to make a curl request by using a google account access token, but when using a service account access token, the project suddenly needs to be billing enabled?

TLDR:

Project is not billing enabled, this request results in 400 error(WAI since I'm not passing any valid argmunets)

curl https://monitoring.googleapis.com/v3/projects/${projectId}/timeSeries -H "authorization: Bearer ${google_account_access_token}"

Project is not billing enabled, this request results in 403 error(Why)

curl https://monitoring.googleapis.com/v3/projects/${projectId}/timeSeries -H "authorization: Bearer ${service_account_access_token}"

Have tried giving the service account owner permission and providing wider scopes, this did not work. So far, enabling billing on the project work. but that does not explain why the API works when using as google account access token even if the project's billing is not enabled.

I expect the API to not respond with a 403 error stating that the project needs to be billing enabled, when using a service account access token to authenticate.


Solution

  • As you are getting 403 error "This API method requires billing to be enabled" below scenarios will help you to resolve your issue:

    • Google Cloud has disabled the use of API for free and introduced the mandatory enabling of billing . But this will not work on a free account and billing must be enabled for activation of service. This is also the reason to get a 403 error.

    • The reason you are facing an error currently is because you didn't add 'Billing Account' to the project you have created. You can link your project to a Billing Account in the Billing Projects tab. Once you do so, wait some time.You can enable a Billing here https://console.cloud.google.com/project/_/billing/enable .

    As you are getting 403 error when using service account follow this official doc:

    • The lack of permissions for the service account to access the backend service is typically the cause of the HTTP 403 error. A deployed API has the permissions associated with roles granted to the service account that you used when you created the API config. If you define the API and backend service in the same Google Cloud Project.

    • Ensure the service account has the Editor role, or the role needed to access the backend service.For example, if the backend service is implemented using Cloud Functions, ensure that the service account has the Cloud Function Invoker role assigned to it.

    Refer to this doc for more information about API and billing enable steps and you can also have a glance at the troubleshooting doc for resolving the errors.