Quentin123345 / google-cloud-sdk

Automatically exported from code.google.com/p/google-cloud-sdk

set oauth scopes for managed VM #195

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
I'm not sure if this is a gcloud or an App Engine bug, probably both.

Currently Managed VMs are made with default GCE oauth scopes (I think), with no 
option to modify. This'd be very useful (or essential rather) for use with 
application default credentials.

https://developers.google.com/identity/protocols/application-default-credentials

Apparently it's a secret beta feature, and has been for months, if this 
person on GitHub is to be believed.

https://github.com/GoogleCloudPlatform/gcloud-node/issues/513#issuecomment-97501555

Original issue reported on code.google.com by pdknsk on 8 Aug 2015 at 5:31

GoogleCodeExporter commented 8 years ago
Issue 194 has been merged into this issue.

Original comment by z...@google.com on 10 Aug 2015 at 4:48

GoogleCodeExporter commented 8 years ago
You can use the setting 'service_account_scopes' in your 'app.yaml' (must be 
nested under 'beta_settings') to adjust the scope of the MVM credentials: see 
https://github.com/GoogleCloudPlatform/nodejs-getting-started/blob/7ceb94715cbdaa4a187a035745385685336d2e43/app.yaml#L31-L34 
for an example.

As you pointed out, this *is* a beta feature. As such, please don't rely on it 
for more than a temporary workaround; it could go away at any time. There's a 
good possibility that when Managed VMs are stable, we'll have a similar 
configuration tweak available, but there's also a possibility that we won't.

Soon, we plan to widen the default scopes that the MVM has; at that point, this 
shouldn't be an issue (because you won't have to change the scopes from the 
default).

Original comment by z...@google.com on 10 Aug 2015 at 6:08

GoogleCodeExporter commented 8 years ago
Dear Google Team,

https://github.com/GoogleCloudPlatform/gcloud-node/issues/783#issuecomment-129516949

The above can also provide some more details and a temporary fix to the 
"beta_settings" in app.yaml.

I was forced to use my Managed VM as a service account auth with the other 
Google cloud services such as the datastore.

I'm not sure what impact this auth route will have on the service time of 
the request during writes.

Thanks,
Camilo

Original comment by camilo.s...@citrix.com on 10 Aug 2015 at 7:04

GoogleCodeExporter commented 8 years ago
I'm glad you were able to work around for now. The service account work-around 
should not have any effect on write times.

Original comment by z...@google.com on 10 Aug 2015 at 7:07

GoogleCodeExporter commented 8 years ago
I noticed this.

> This instance has full API access to all Google Cloud services.

Original comment by pdknsk on 27 Sep 2015 at 10:24
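
An added example, not part of the original thread or the SDK: a check of the scopes granted to an instance's default service account against what the application needs, read from the Compute Engine metadata server's scopes endpoint. The sample scope lists and the `NEEDED` set are constructed, and accepting comma-separated input is an assumption.

```python
"""Audit the OAuth scopes granted to an instance's default service account."""
import urllib.request

# Metadata-server endpoint listing the default service account's scopes, one per line.
SCOPES_URL = ("http://metadata.google.internal/computeMetadata/v1/"
              "instance/service-accounts/default/scopes")
AUTH_PREFIX = "https://www.googleapis.com/auth/"
# Scope covering every Cloud API; reported so a full-access grant is a conscious choice.
BROAD = {AUTH_PREFIX + "cloud-platform"}


def fetch_scopes(url=SCOPES_URL, timeout=2):
    """Read the scope list from the metadata server (only reachable on the instance)."""
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_scopes(text):
    """Split a newline-, comma- or space-separated scope list into a set."""
    return {s for s in text.replace(",", " ").split() if s}


def audit(granted_text, required):
    """Compare granted scopes with the scopes the application needs."""
    granted = parse_scopes(granted_text)
    required = set(required)
    broad = granted & BROAD
    # A broad scope satisfies every narrower requirement, so nothing is missing.
    missing = set() if broad else required - granted
    return {
        "missing": sorted(missing),
        "unneeded": sorted(granted - required - BROAD),
        "broad": sorted(broad),
    }


# Constructed sample: a narrowly scoped instance (not the actual Managed VM defaults).
SAMPLE_NARROW = (AUTH_PREFIX + "devstorage.read_only\n"
                 + AUTH_PREFIX + "logging.write\n")
# Constructed sample: an instance with full API access.
SAMPLE_FULL = AUTH_PREFIX + "cloud-platform\n"
# Constructed requirement: an app that writes to Datastore and Cloud Logging.
NEEDED = [AUTH_PREFIX + "datastore", AUTH_PREFIX + "logging.write"]

if __name__ == "__main__":
    for name, text in (("narrow", SAMPLE_NARROW), ("full", SAMPLE_FULL)):
        print(name, audit(text, NEEDED))
```

On a running instance, pass `fetch_scopes()` as the first argument to `audit` instead of a sample string.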