Open birb57 opened 5 months ago
Hey there... I understand you are trying to set up local credentials for a service account. I'd recommend you use ADC with your SA credentials:
gcloud auth application-default login --impersonate-service-account <SA-login>
Have a look for more: https://cloud.google.com/docs/authentication/provide-credentials-adc#sa-impersonation
Also, make sure your SA has all the permissions necessary to rescue a VM.
Let me know if that works for you.
Hi
I cannot, as I am logging in via the CyberArk platform.
I can only use a service account file.
Best regards
@runxinw I remember you worked on:
Maybe we can parse the $GOOGLE_APPLICATION_CREDENTIALS (credentials JSON file) there?
gce-rescue uses the google-auth library to perform authentication and authorization, the issue is not specific to its code.
I assume you are using a service account key in this case; otherwise, please review this doc to create a proper SA key file.
Based on the traceback ('invalid_scope: Invalid OAuth scope or ID token audience provided.'), the issue indicates the SA does not have the right scope. Have you tried following this doc to set the right scope for your GCE instance for the SA?
If it is still not working, please give us a bit more detail on how you generate the credential JSON and how you set the scope.
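To see why a key file can fail where a gcloud user login works, here is an added example; it is not gce-rescue's or google-auth's code. In google-auth, service-account credentials built from a key file without any scopes report requires_scopes and send an empty scope claim in the JWT-bearer assertion that refresh() posts to the key file's token_uri; the token endpoint rejects that with the invalid_scope body quoted in the traceback. The script models that claim set and the endpoint's scope check with a mock. It does not sign the assertion (the real library signs the header.payload string RS256 with the key file's private_key), and the key file contents and the endpoint responses are constructed for the demo.

```python
"""Model, offline, why an unscoped service-account key yields invalid_scope
and how supplying an OAuth scope fixes it. Added example, not project code."""
import base64
import json
import time

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

# Constructed stand-in for the file named by $GOOGLE_APPLICATION_CREDENTIALS.
# It carries no real key material.
FAKE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
    "client_email": "rescue-sa@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def load_key_info(raw: str) -> dict:
    """Parse a key file and check the fields the JWT-bearer grant needs."""
    info = json.loads(raw)
    if info.get("type") != "service_account":
        raise ValueError("not a service-account key file (type=%r)" % info.get("type"))
    missing = [k for k in ("client_email", "private_key", "token_uri") if k not in info]
    if missing:
        raise ValueError("key file is missing fields: %s" % ", ".join(missing))
    return info


def build_assertion_claims(info: dict, scopes, now=None, lifetime=3600) -> dict:
    """Claim set of the assertion. With no scopes the scope claim is "",
    which is exactly what unscoped credentials send."""
    now = int(time.time()) if now is None else now
    return {
        "iat": now,
        "exp": now + lifetime,
        "iss": info["client_email"],
        "scope": " ".join(scopes),
        "aud": info["token_uri"],
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unsigned_assertion(claims: dict, key_id: str) -> str:
    """header.payload of the assertion; the real library appends an RS256
    signature over this string made with private_key."""
    header = {"typ": "JWT", "alg": "RS256", "kid": key_id}
    return (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
            _b64url(json.dumps(claims, separators=(",", ":")).encode()))


def mock_token_endpoint(claims: dict) -> dict:
    """Mock of the token endpoint's scope handling (constructed responses):
    no scope presented -> the same error body seen in the traceback."""
    if not claims.get("scope", "").split():
        return {"error": "invalid_scope",
                "error_description": "Invalid OAuth scope or ID token audience provided."}
    return {"access_token": "ya29.constructed-token",
            "expires_in": claims["exp"] - claims["iat"],
            "token_type": "Bearer"}


def request_token(raw_key_file: str, scopes=()) -> dict:
    """End to end: key file -> claims -> (mock) token endpoint."""
    info = load_key_info(raw_key_file)
    claims = build_assertion_claims(info, list(scopes))
    return mock_token_endpoint(claims)


if __name__ == "__main__":
    print(request_token(FAKE_KEY_FILE))                    # unscoped: invalid_scope
    print(request_token(FAKE_KEY_FILE, [CLOUD_PLATFORM]))  # scoped: access token
```

In real code the fix is to hand scopes to the library when the credentials are created, for example google.auth.default(scopes=[CLOUD_PLATFORM]) or creds.with_scopes([CLOUD_PLATFORM]); creds.requires_scopes tells you whether a loaded credential still needs them. User credentials written by gcloud auth application-default login already carry the cloud-platform scope, which is why the user-login path does not hit this. Note that the access scopes configured on a GCE instance apply to tokens the VM obtains from the metadata server, not to a key file used from a workstation.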
Was this resolved? I am getting the same error. I tried running the gcloud auth login command before running the gce-rescue command. Although it logged in successfully, I am still getting the same error as above when running gce-rescue.
@Rishi247 are you also using an exported SA key? Are you able to run other gcloud commands with this SA key (i.e. stop/start VM, etc.)? If possible, please provide the logs here.
Also check the last comment setting up the correct scope for your SA.
No, I am using my IAM account for this (trying it locally).
Regards Rishi Pariyani
In this case, I assume you configured your account:
$ gcloud init
and later updated the applications login:
$ gcloud auth application-default login
Can you please run GCE Rescue with the --debug option and share the logs? Please make sure to redact any personal information from the logs before submitting.
Hi Halley
I am unable to run the binary; I get the error below:
Command: gce-rescue -p
Regards, Rishi Pariyani
Hi
Cannot use ADC authentication via a service account for gce-rescue.
Can you please advise?
[root@gce-rescue]# export GOOGLE_APPLICATION_CREDENTIALS="/root/gce-rescue/auth-simu.json"
[root@gce-rescue]# /usr/bin/gce-rescue -p dbg-cs-sz-32064e0b -z europe-west3-a -n gcsb84rhel098
Traceback (most recent call last):
  File "/usr/bin/gce-rescue", line 33, in <module>
    sys.exit(load_entry_point('gce-rescue==0.4b0', 'console_scripts', 'gce-rescue')())
  File "/usr/lib/python3.9/site-packages/gce_rescue-0.4b0-py3.9.egg/gce_rescue/bin/rescue.py", line 44, in main
    vm = Instance(test_mode=False, **parse_kwargs)
  File "<string>", line 12, in __init__
  File "/usr/lib/python3.9/site-packages/gce_rescue-0.4b0-py3.9.egg/gce_rescue/gce.py", line 112, in __post_init__
    check = Validations(
  File "<string>", line 7, in __init__
  File "/usr/lib/python3.9/site-packages/gce_rescue-0.4b0-py3.9.egg/gce_rescue/tasks/pre_validations.py", line 48, in __post_init__
    authorize_check(project = self.project)
  File "/usr/lib/python3.9/site-packages/gce_rescue-0.4b0-py3.9.egg/gce_rescue/tasks/validations/authorization.py", line 43, in authorize_check
    result = service.projects().testIamPermissions(
  File "/usr/lib/python3.9/site-packages/google_api_python_client-2.125.0-py3.9.egg/googleapiclient/_helpers.py", line 130, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/python3.9/site-packages/google_api_python_client-2.125.0-py3.9.egg/googleapiclient/http.py", line 923, in execute
    resp, content = _retry_request(
  File "/usr/lib/python3.9/site-packages/google_api_python_client-2.125.0-py3.9.egg/googleapiclient/http.py", line 191, in _retry_request
    resp, content = http.request(uri, method, *args, **kwargs)
  File "/usr/lib/python3.9/site-packages/google_auth_httplib2-0.2.0-py3.9.egg/google_auth_httplib2.py", line 209, in request
    self.credentials.before_request(self._request, method, uri, request_headers)
  File "/usr/local/lib/python3.9/site-packages/google/auth/credentials.py", line 228, in before_request
    self._blocking_refresh(request)
  File "/usr/local/lib/python3.9/site-packages/google/auth/credentials.py", line 191, in _blocking_refresh
    self.refresh(request)
  File "/usr/local/lib/python3.9/site-packages/google/oauth2/service_account.py", line 441, in refresh
    access_token, expiry, _ = _client.jwt_grant(
  File "/usr/local/lib/python3.9/site-packages/google/oauth2/_client.py", line 308, in jwt_grant
    response_data = _token_endpoint_request(
  File "/usr/local/lib/python3.9/site-packages/google/oauth2/_client.py", line 279, in _token_endpoint_request
    _handle_error_response(response_data, retryable_error)
  File "/usr/local/lib/python3.9/site-packages/google/oauth2/_client.py", line 72, in _handle_error_response
    raise exceptions.RefreshError(
google.auth.exceptions.RefreshError: ('invalid_scope: Invalid OAuth scope or ID token audience provided.', {'error': 'invalid_scope', 'error_description': 'Invalid OAuth scope or ID token audience provided.'})
[root@gce-rescue]#
Thanks for your support.