
I'm using Google Application Default Credentials to fetch the list of Labels using Gmail API.

While running the application locally using the gcloud preview app run command, I'm getting HttpError: <HttpError 403 when requesting https://www.googleapis.com/gmail/v1/users/user%40domain.com/labels?alt=json returned "Insufficient Permission">

Then I deployed the application and tried to access it. But I got HttpError: <HttpError 400 when requesting https://www.googleapis.com/gmail/v1/users/user%40domain.com/labels?alt=json returned "Bad Request">

I have the correct configuration in gcloud config list:

account = my_email@domain.com (Appengine Application Owner & Domain Admin)
disable_usage_reporting = False
project = <appengine_project_id>

gcloud version details:

Google Cloud SDK 0.9.76
app 2015.08.27
app-engine-python 1.9.25
bq 2.0.18
bq-nix 2.0.18
core 2015.08.27
core-nix 2015.06.02
gcloud 2015.08.27
gsutil 4.14
gsutil-nix 4.12
preview 2015.08.27

Also, I have added the service account's Client ID & Gmail Scope: https://www.googleapis.com/auth/gmail.readonly in the Google Apps admin CPanel, and the Gmail API is enabled in the Appengine Console.

Here is the code:

import logging

import webapp2
from googleapiclient.discovery import build
from oauth2client.client import GoogleCredentials


class Connection:
    def __init__(self):
        # Application Default Credentials: the identity supplied by the
        # environment (gcloud locally, the app's service account when deployed).
        self.credentials = GoogleCredentials.get_application_default()

    def fetch_labels(self):
        # Build the Gmail v1 client with those credentials.
        service = build('gmail', 'v1', credentials=self.credentials)

        logging.info(service)

        # List the labels of the target mailbox.
        results = service.users().labels().list(userId='user@domain.com').execute()
        labels = results.get('labels', [])

        if not labels:
            logging.info('No labels found.')
        else:
            logging.info('Labels:')
            for label in labels:
                logging.info(label['name'])


class Handler(webapp2.RequestHandler):
    def get(self):
        con = Connection()
        con.fetch_labels()
Nijin Narayanan
  • Create a service account and download the JSON key. Put it in /home/{username}/.config/gcloud/application_default_credentials.json. Then try again from the devserver after restarting it. I think the deployed application error is different. – ernestoalejo Sep 08 '15 at 14:12
  • @ernestoalejo I will try that. If it works, it will only fix this issue in the local environment. Production application will have the error :( – Nijin Narayanan Sep 08 '15 at 17:54
  • Yes, it's only to fix the devserver. In production is it possible that Google Apps is not correctly configured like this answer says? http://stackoverflow.com/a/29328258/478440 – ernestoalejo Sep 08 '15 at 18:39

1 Answer

I am not 100% certain on this, but I do not think that Application Default Credentials supports domain-wide delegation of authority. You will still need to use Service Account Credentials with the sub argument:

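from oauth2client.client import SignedJwtAssertionCredentials

# sub names the domain user the service account acts on behalf of.
credentials = SignedJwtAssertionCredentials(
    service_account_email, service_account_key,
    scope='...', sub=user_email)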
Jon Wayne Parrott
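To make the role of the sub argument in the answer concrete, here is an added example (not code from the question, the answer, or oauth2client) that builds the claim set a service account sends in its JWT bearer assertion and checks it before use. It assumes Google's documented claim names (iss, scope, aud, iat, exp, sub) and token endpoint; the service account address, the helper names and the unsigned assertion (a real one carries an RS256 signature) are constructed for illustration.

```python
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"  # assumed "aud" value
# Constructed sample values, not taken from the page.
SA_EMAIL = "sa@example-project.iam.gserviceaccount.com"
GMAIL_RO = "https://www.googleapis.com/auth/gmail.readonly"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_claims(sa_email, scopes, subject=None, now=None):
    """Claim set for the service-account JWT bearer grant."""
    now = int(time.time()) if now is None else now
    claims = {"iss": sa_email, "scope": " ".join(scopes),
              "aud": TOKEN_URI, "iat": now, "exp": now + 3600}
    if subject is not None:
        claims["sub"] = subject  # user impersonated via domain-wide delegation
    return claims

def unsigned_assertion(claims):
    """header.payload. with the signature segment left empty (illustration only)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims)) + "."

def decode_claims(assertion):
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_assertion(assertion, mailbox, authorized_scopes):
    """Return reasons the resulting token could not read `mailbox`."""
    claims = decode_claims(assertion)
    findings = []
    sub = claims.get("sub")
    if sub is None:
        findings.append("no sub claim: token acts as the service account, not a user")
    elif sub.lower() != mailbox.lower():
        findings.append("sub %s does not match requested mailbox %s" % (sub, mailbox))
    extra = set(claims.get("scope", "").split()) - set(authorized_scopes)
    if extra:
        findings.append("scopes not authorized for delegation: " + ", ".join(sorted(extra)))
    return findings

if __name__ == "__main__":
    for subject in (None, "user@domain.com"):
        token = unsigned_assertion(build_claims(SA_EMAIL, [GMAIL_RO], subject))
        print(subject, audit_assertion(token, "user@domain.com", [GMAIL_RO]))
```

Passing only the scopes actually authorized in the admin console as authorized_scopes also catches requests for broader access than the delegation grants.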