GoogleCloudPlatform / gce-rescue

GCE Rescue is a command-line tool to boot Google Cloud Platform VMs in Rescue Mode.
Apache License 2.0

google.auth.exceptions.RefreshError: ('invalid_scope: Invalid OAuth scope or ID token audience provided.', {'error': 'invalid_scope', 'error_description': 'Invalid OAuth scope or ID token audience provided.'}) #42

Open birb57 opened 5 months ago

birb57 commented 5 months ago

Hi

Can not use adc authentication via service account for gce-rescue

Can you please advise ?

[root@gce-rescue]# export GOOGLE_APPLICATION_CREDENTIALS="/root/gce-rescue/auth-simu.json"
[root@gce-rescue]# /usr/bin/gce-rescue -p dbg-cs-sz-32064e0b -z europe-west3-a -n gcsb84rhel098
Traceback (most recent call last):
  File "/usr/bin/gce-rescue", line 33, in <module>
    sys.exit(load_entry_point('gce-rescue==0.4b0', 'console_scripts', 'gce-rescue')())
  File "/usr/lib/python3.9/site-packages/gce_rescue-0.4b0-py3.9.egg/gce_rescue/bin/rescue.py", line 44, in main
    vm = Instance(test_mode=False, **parse_kwargs)
  File "<string>", line 12, in __init__
  File "/usr/lib/python3.9/site-packages/gce_rescue-0.4b0-py3.9.egg/gce_rescue/gce.py", line 112, in __post_init__
    check = Validations(
  File "<string>", line 7, in __init__
  File "/usr/lib/python3.9/site-packages/gce_rescue-0.4b0-py3.9.egg/gce_rescue/tasks/pre_validations.py", line 48, in __post_init__
    authorize_check(project = self.project)
  File "/usr/lib/python3.9/site-packages/gce_rescue-0.4b0-py3.9.egg/gce_rescue/tasks/validations/authorization.py", line 43, in authorize_check
    result = service.projects().testIamPermissions(
  File "/usr/lib/python3.9/site-packages/google_api_python_client-2.125.0-py3.9.egg/googleapiclient/_helpers.py", line 130, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/python3.9/site-packages/google_api_python_client-2.125.0-py3.9.egg/googleapiclient/http.py", line 923, in execute
    resp, content = _retry_request(
  File "/usr/lib/python3.9/site-packages/google_api_python_client-2.125.0-py3.9.egg/googleapiclient/http.py", line 191, in _retry_request
    resp, content = http.request(uri, method, *args, **kwargs)
  File "/usr/lib/python3.9/site-packages/google_auth_httplib2-0.2.0-py3.9.egg/google_auth_httplib2.py", line 209, in request
    self.credentials.before_request(self._request, method, uri, request_headers)
  File "/usr/local/lib/python3.9/site-packages/google/auth/credentials.py", line 228, in before_request
    self._blocking_refresh(request)
  File "/usr/local/lib/python3.9/site-packages/google/auth/credentials.py", line 191, in _blocking_refresh
    self.refresh(request)
  File "/usr/local/lib/python3.9/site-packages/google/oauth2/service_account.py", line 441, in refresh
    access_token, expiry, _ = _client.jwt_grant(
  File "/usr/local/lib/python3.9/site-packages/google/oauth2/_client.py", line 308, in jwt_grant
    response_data = _token_endpoint_request(
  File "/usr/local/lib/python3.9/site-packages/google/oauth2/_client.py", line 279, in _token_endpoint_request
    _handle_error_response(response_data, retryable_error)
  File "/usr/local/lib/python3.9/site-packages/google/oauth2/_client.py", line 72, in _handle_error_response
    raise exceptions.RefreshError(
google.auth.exceptions.RefreshError: ('invalid_scope: Invalid OAuth scope or ID token audience provided.', {'error': 'invalid_scope', 'error_description': 'Invalid OAuth scope or ID token audience provided.'})
[root@gce-rescue]#

Thanks for your support

halleysouza commented 5 months ago

Hey there... I understand you are trying to set up local credentials for a service account. I'd recommend you use ADC with your SA credentials.

gcloud auth application-default login --impersonate-service-account <SA-login>

Have a look for more: https://cloud.google.com/docs/authentication/provide-credentials-adc#sa-impersonation

Also, make sure your SA has all the permissions necessary to rescue a VM.

Let me know if that works for you

bskou57 commented 5 months ago

Hi

I cannot, as I am logged in via the CyberArk platform.

I can only use a service account file.

Best regards

halleysouza commented 5 months ago

@runxinw I remember you worked on:

def api_service

Maybe we can parse the $GOOGLE_APPLICATION_CREDENTIALS (credentials json file) there?

runxinw commented 4 months ago

gce-rescue uses the google-auth library to perform authentication and authorization; the issue is not specific to its code.

I assume you are using the service account key for this case; otherwise, please review this doc to create a proper SA key file.

Based on the traceback -- 'invalid_scope: Invalid OAuth scope or ID token audience provided.' -- the issue indicates the SA does not have the right scope. Have you tried following this doc to set the right scope for your GCE instance for the SA?

If it is still not working, please give us a bit more detail on how you generate the credential json and how you set the scope.
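The scope problem runxinw describes, as an added example that is not gce-rescue's code: it reproduces the claim set of the service-account JWT grant to show why a key loaded without scopes is refused, classifies the ADC file that $GOOGLE_APPLICATION_CREDENTIALS points at, and loads credentials with the cloud-platform scope through google-auth. The helper names are assumptions; google.auth.default() and Credentials.with_scopes() are real google-auth APIs.

```python
"""Added example, not gce-rescue's own code: why an exported service-account
key loaded via GOOGLE_APPLICATION_CREDENTIALS yields invalid_scope, and how to
load it scoped. Helper names are hypothetical; google.auth.default() and
Credentials.with_scopes() are real google-auth APIs."""
import json
import os

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"  # covers compute.*
TOKEN_URI = "https://oauth2.googleapis.com/token"

def jwt_grant_claims(client_email, scopes, now, lifetime=3600):
    """Claim set of the JWT-bearer grant, mirroring what google-auth's
    service_account.Credentials sends: iss, scope, aud, iat, exp."""
    return {"iss": client_email,
            "scope": " ".join(scopes),  # empty string when no scopes were set
            "aud": TOKEN_URI, "iat": now, "exp": now + lifetime}

def grant_would_be_rejected(claims):
    """An empty scope claim is what the token endpoint answers with
    'invalid_scope: Invalid OAuth scope ...' (the traceback above)."""
    return not claims.get("scope", "").strip()

def describe_adc_info(info):
    """Classify a parsed ADC JSON file. Exported SA keys (type=service_account)
    carry no scopes, so the caller must supply them; 'gcloud auth
    application-default login' files (type=authorized_user) hold a refresh
    token whose scopes gcloud already requested."""
    cred_type = info.get("type", "unknown")
    return {"type": cred_type,
            "principal": info.get("client_email") or info.get("client_id", "?"),
            "needs_explicit_scopes": cred_type == "service_account"}

def describe_adc_file(path=None):
    """Same check on the file $GOOGLE_APPLICATION_CREDENTIALS points at."""
    path = path or os.environ["GOOGLE_APPLICATION_CREDENTIALS"]
    with open(path, encoding="utf-8") as fh:
        return describe_adc_info(json.load(fh))

def load_scoped_credentials(scopes=(CLOUD_PLATFORM_SCOPE,)):
    """Load ADC with scopes attached so an SA key never sends an empty scope
    claim. Needs google-auth; imported lazily so the helpers above run without it."""
    import google.auth
    creds, project = google.auth.default(scopes=list(scopes))
    if getattr(creds, "requires_scopes", False):  # still unscoped: attach them
        creds = creds.with_scopes(list(scopes))
    return creds, project
```

Running describe_adc_file() against the exported key tells you up front that explicit scopes are required; load_scoped_credentials() then supplies them, which is the piece missing when the key is used with plain google.auth.default().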

Rishi247 commented 3 months ago

Was this resolved? I am getting the same error. I tried running the gcloud auth login command before running the gce-rescue command. Although it logged in successfully, I am still getting the same error as above when running gce-rescue.

halleysouza commented 3 months ago

@Rishi247 are you also using an exported SA key? Are you able to run other gcloud commands with this SA key (i.e. stop/start VM, etc.)? If possible, please provide the logs here.

Also check the last comment setting up the correct scope for your SA.

Rishi247 commented 3 months ago

No, I am using my IAM account for this (trying it locally).

Regards, Rishi Pariyani


halleysouza commented 3 months ago

In this case, I assume you configured your account: $ gcloud init

and later updated the applications login: $ gcloud auth application-default login

Can you please run GCE Rescue with the --debug option and share the logs? Please make sure to redact any personal information from the logs before submitting.

Rishi247 commented 3 months ago

Hi Halley

I am unable to run the binary; I get the error below.

Command - gce-rescue -p -n -z -d
Output -
Traceback (most recent call last):
  File "/Users/testbook/anaconda3/bin/gce-rescue", line 33, in <module>
    sys.exit(load_entry_point('gce-rescue==0.4b0', 'console_scripts', 'gce-rescue')())
  File "/Users/testbook/anaconda3/lib/python3.10/site-packages/gce_rescue-0.4b0-py3.10.egg/gce_rescue/bin/rescue.py", line 44, in main
    vm = Instance(test_mode=False, **parse_kwargs)
  File "<string>", line 12, in __init__
  File "/Users/testbook/anaconda3/lib/python3.10/site-packages/gce_rescue-0.4b0-py3.10.egg/gce_rescue/gce.py", line 112, in __post_init__
    check = Validations(
  File "<string>", line 7, in __init__
  File "/Users/testbook/anaconda3/lib/python3.10/site-packages/gce_rescue-0.4b0-py3.10.egg/gce_rescue/tasks/pre_validations.py", line 48, in __post_init__
    authorize_check(project = self.project)
  File "/Users/testbook/anaconda3/lib/python3.10/site-packages/gce_rescue-0.4b0-py3.10.egg/gce_rescue/tasks/validations/authorization.py", line 46, in authorize_check
    ).execute()
  File "/Users/testbook/anaconda3/lib/python3.10/site-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/Users/testbook/anaconda3/lib/python3.10/site-packages/googleapiclient/http.py", line 923, in execute
    resp, content = _retry_request(
  File "/Users/testbook/anaconda3/lib/python3.10/site-packages/googleapiclient/http.py", line 191, in _retry_request
    resp, content = http.request(uri, method, *args, **kwargs)
  File "/Users/testbook/anaconda3/lib/python3.10/site-packages/google_auth_httplib2.py", line 209, in request
    self.credentials.before_request(self._request, method, uri, request_headers)
  File "/Users/testbook/anaconda3/lib/python3.10/site-packages/google/auth/credentials.py", line 135, in before_request
    self.refresh(request)
  File "/Users/testbook/anaconda3/lib/python3.10/site-packages/google/oauth2/credentials.py", line 335, in refresh
    ) = reauth.refresh_grant(
  File "/Users/testbook/anaconda3/lib/python3.10/site-packages/google/oauth2/reauth.py", line 351, in refresh_grant
    _client._handle_error_response(response_data, retryable_error)
  File "/Users/testbook/anaconda3/lib/python3.10/site-packages/google/oauth2/_client.py", line 73, in _handle_error_response
    raise exceptions.RefreshError(
google.auth.exceptions.RefreshError: ('invalid_grant: Bad Request', {'error': 'invalid_grant', 'error_description': 'Bad Request'})

Command - which python3.10
Output - /Users/testbook/anaconda3/bin/python3.10


-- Regards, Rishi Pariyani