google-cloud-platform authorization gcloud service-accounts scopes

Insufficient Authentication Scopes Error When Using gcloud CLI to Manage Google Cloud VMs


I have a situation with Google Cloud involving two virtual machines:

  • instance1 (Windows Server 2022)
  • instance2 (Windows Server 2019)

My goal is to manage instance2 from instance1 using the gcloud CLI, utilizing the service account [email protected]. To achieve this, I'm attempting to run the following command in the CMD console within instance1:

gcloud compute instances describe instance2 --zone=my-zone --project=my-project

Unfortunately, I'm encountering an error:

ERROR: (gcloud.compute.instances.describe) Could not fetch resource:
 - Request had insufficient authentication scopes.

Strangely, executing the same command on my local PC using the identical service account works without any problems.

Has anyone else encountered a similar problem, and can you provide any insights into what might be causing this "insufficient authentication scopes" error? I would appreciate any suggestions on how to troubleshoot and resolve this issue. Thank you for your help!


Solution

  • The "Request had insufficient authentication scopes" error can have a number of causes, such as insufficient permissions, wrong project or cluster names, and an outdated Google Cloud SDK.

    To fix this error:

    If you are using the cloud console, when creating a VM look for the "Identity and API access" section, and select "Allow full access to all Cloud APIs".

    Steps to follow:

    1. Navigate to the Google Cloud Console: VM instances -> Compute Engine

    2. Clicking the name of an existing VM opens the VM instance details page.

    3. Near the top of the page, click the "Edit" link.

    4. Then, change the Cloud API access scopes to allow complete access to all Cloud APIs.

    • You can't add it to existing VMs, but you can build a new node pool with the scope (so it applies to new VMs), then migrate your workloads to the new node pool and delete the old node pool.

    • For GKE you need to add the scope to the instance template for the managed instance group. You can do it to individual machines, but I still don't think you can do it for groups of machines without creating a new node pool.

    • With a single machine, you may now stop, change scopes, and resume the VM. However, if your virtual machine is part of a managed instance group (managed by GKE or otherwise), I don't believe you can use that approach to modify the scopes, and you will need to construct a new managed instance group with the correct scopes from the beginning.

    To figure out what permissions you have, execute:

    gcloud projects get-iam-policy PROJECT_ID
    

    You can also refer to this official doc for the related information.
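
An added example, not part of the original answer: a small Python check that reads the access scopes attached to the VM from the metadata server and reports whether a Compute Engine read call such as `gcloud compute instances describe` would pass the scope check, naming the narrowest scope that would satisfy it. The function names and the sample scope list are constructed for illustration; passing the scope check still requires the service account to hold the matching IAM permission.

```python
import urllib.request

# Metadata server endpoint listing the access scopes granted to the VM's
# attached service account (one scope URL per line).
SCOPES_URL = ("http://metadata.google.internal/computeMetadata/v1/"
              "instance/service-accounts/default/scopes")
PREFIX = "https://www.googleapis.com/auth/"

# Scopes the Compute Engine API accepts for read calls such as
# instances.get, ordered from narrowest to broadest.
COMPUTE_READ_SCOPES = ["compute.readonly", "compute", "cloud-platform"]


def fetch_vm_scopes(timeout=2):
    """Query the metadata server (only reachable from inside a GCE VM)."""
    req = urllib.request.Request(SCOPES_URL,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def parse_scopes(text):
    """Turn the newline-separated response into a set of short scope names."""
    scopes = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            scopes.add(line[len(PREFIX):] if line.startswith(PREFIX) else line)
    return scopes


def diagnose(text):
    """Return (ok, scope): the scope in use, or the narrowest one to add."""
    granted = parse_scopes(text)
    usable = [s for s in COMPUTE_READ_SCOPES if s in granted]
    if usable:
        return True, usable[0]
    return False, COMPUTE_READ_SCOPES[0]


# Constructed sample: the default scope set of a VM created without
# changing "Identity and API access".
SAMPLE_DEFAULT = "\n".join(PREFIX + s for s in [
    "devstorage.read_only", "logging.write", "monitoring.write",
    "servicecontrol", "service.management.readonly", "trace.append"])

if __name__ == "__main__":
    print(diagnose(SAMPLE_DEFAULT))
```

On the VM itself, pass `fetch_vm_scopes()` to `diagnose()` instead of the sample.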