pull queues authorization from compute

Posted 2019-02-16 17:24

I'm trying to access a pull queue from Google Compute with the Compute OAuth token using Python:

    from oauth2client import gce
    from apiclient.discovery import build
    import httplib2

    credentials = gce.AppAssertionCredentials('')
    http = httplib2.Http()
    http = credentials.authorize(http)
    credentials.refresh(http)
    service = build('taskqueue', 'v1beta2', http=http)
    tq = service.taskqueues()
    tq.get(project=MY_APPENGINE_PROJECT, taskqueue=PULL_QUEUE_NAME, getStats=True).execute()

I keep getting HttpError 403 "you are not allowed to make this api call"

Please help, what configuration am I missing?

Thanks, Shay

1 answer
Melony?
#2 · 2019-02-16 18:13

UPDATE: Thanks to @Shay for asking this question. The issue he encountered is no longer an issue, as we have allowed aliases to work (when relevant) in the Task Queue API.

For posterity here is the original answer below:


Two of the most common mistakes I have seen are:

  1. Forgetting to include the s~ in your App Engine Project. For example, if your application ID is my-awesome-app, then you are calling

         tq.get(project='my-awesome-app', taskqueue=PULL_QUEUE_NAME...

     when you should be calling

         tq.get(project='s~my-awesome-app', taskqueue=PULL_QUEUE_NAME...

  2. Forgetting to add the Compute service account to the task queue ACL in queue.yaml. To do this, you need to get the service account associated with your project and add it to the acl:

         queue:
         - name: pull-queue
           mode: pull
           acl:
           - writer_email: 123845678986@project.gserviceaccount.com    # can do all

     and of course this would mean PULL_QUEUE_NAME = 'pull-queue' here. Also note, 123845678986@project.gserviceaccount.com should be replaced with the service account for your Compute Engine instance.
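An added example, not part of the original answer: a preflight check that tests a call's parameters against the two mistakes listed above before the API returns a 403. The function names and the second sample queue are assumptions made for illustration; `user_email`, the other queue.yaml ACL key, is also recognised.

```python
import re

# Constructed sample in the shape of the answer's queue.yaml; the second queue
# has no acl on purpose.
SAMPLE_QUEUE_YAML = """\
queue:
- name: pull-queue
  mode: pull
  acl:
  - writer_email: 123845678986@project.gserviceaccount.com    # can do all
- name: other-queue
  mode: pull
"""

def parse_queue_acls(text):
    """Map queue name -> [(role, email), ...] for the narrow shape above.

    Line-based reader for this layout only, not a general YAML parser.
    """
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"^(?:-\s+)?(\w+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "name":
            current = acls.setdefault(value, [])
        elif key in ("user_email", "writer_email") and current is not None:
            current.append((key, value))
    return acls

def diagnose_403(project, queue_name, service_account, queue_yaml):
    """Return the answer's two mistakes that apply; an empty list means neither."""
    findings = []
    if not project.startswith("s~"):
        # Per the answer's update the bare alias is accepted now; this check
        # only mirrors the original advice.
        findings.append("project id has no s~ prefix: try 's~%s'" % project)
    acl = parse_queue_acls(queue_yaml).get(queue_name)
    if acl is None:
        findings.append("queue %r is not defined in queue.yaml" % queue_name)
    elif service_account not in [email for _role, email in acl]:
        findings.append("%s is not in the acl of queue %r" % (service_account, queue_name))
    return findings

if __name__ == "__main__":
    sa = "123845678986@project.gserviceaccount.com"
    print(diagnose_403("my-awesome-app", "other-queue", sa, SAMPLE_QUEUE_YAML))
```

On a Compute Engine instance, the service account email to pass in can be read from the metadata server at `http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email` with the header `Metadata-Flavor: Google`.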
