2

I am running multiple projects that using the same source code (python) on GAE. I am currently trying to include BigQuery functionality in those projects. I have enabled the BigQuery API on all of the projects, successfully imported some data to BigQuery from GCS using the new developers console. I am able to make queries from the GAE app using AppAssertionCredentials from some of the projects but get a 403 "Access Not Configured. The API (BigQuery API) is not enabled for your project. Please use the Google Developers Console to update your configuration." error for others.

tl;dr AppAssertionCredentials with BigQuery fails for some projects, not for others (same source code)

All of the projects have BigQuery API's and billing enabled I followed all the steps from Google App Engine authorization for Google BigQuery

The only difference between the projects is how they where created.

  1. Original project:
    • project_id: project_A
    • service_account: project_A@appspot.gserviceaccount.com
  2. Second project:
    • project_id: project_B
    • service_account: project_B@appspot.gserviceaccount.com
  3. Third project (cloned from poject_A):
    • project_id: project_C
    • service_account: project_A@appspot.gserviceaccount.com

The third project project_C has been created using cloning feature of the old appengine console, that is why it shares the same service account email. This is the project that the AppAssertionCredentials fail for when trying to query BigQuery (although everything works fine when authenticating to GCS with the same credentials)

I have added project_A@appspot.gserviceaccount.com to project_C Permissions list with "Edit" permissions - that didn't help. The service discovery code:

from googleapiclient.discovery import build
from oauth2client.appengine import AppAssertionCredentials

credentials = AppAssertionCredentials('https://www.googleapis.com/auth/bigquery')
return build('bigquery', 'v2', credentials=credentials)

Is there a workaround this problem or maybe anything else I need to check for? I would really like to avoid using any other authorization method than AppAssertionCredentials.

Community
  • 1
  • 1
witsol
  • 21
  • 1
  • why not go to the new developers console of Project_C and add 'Project_C@appspot.gserviceaccount.com' as a new member? – Sriram Aug 06 '15 at 12:53
  • Thanks but I've tried that - instead of adding the account it says "Inivitation sent. Waiting for response", such account probably does not exist. – witsol Aug 06 '15 at 13:53
  • http://stackoverflow.com/questions/24327924/cloud-storage-api-requests-from-gae-403-access-not-configured/24588927#24588927 As given here, try to turn off the API from console and enable again. Might help – Sriram Aug 07 '15 at 10:37
  • Thanks, I did face a similar problem with GCS API a while back and this solution did help then but it did not help with the BigQuery API. – witsol Aug 07 '15 at 11:59
  • Since you cloned it using the feature of the old console, maybe going to the "cloud integration"(bottom of the "application->settings") and try to click on it, it will recreate the project_C service account? – Patrice Aug 11 '15 at 19:57
  • @Patrice This was done a while back for this particular project. All of my projects are already available in the new console. But I can see that there is still a 'create' button enabled for Project_B - clicking on it shows an error 'An error occurred when creating the project. Please retry.' At this point I raised the original problem as a defect with GAE, https://code.google.com/p/googleappengine/issues/detail?id=12239 – witsol Aug 12 '15 at 12:31
  • @witsol that might be the best way to go indeed. – Patrice Aug 12 '15 at 17:06
  • It seems that the issue has resolved itself without further actions on our side (beside the fact of raising the issue with GAE) – witsol Aug 17 '15 at 12:31

0 Answers0