jemc
commented
4 months ago Would a pull request be welcome, to add an option to disable/remove the datastore dependency?
Any specific guidance on the approach you'd want such a PR to take?
Open davidwtbuxton opened 7 months ago
jemc
commented
4 months ago Would a pull request be welcome, to add an option to disable/remove the datastore dependency?
Any specific guidance on the approach you'd want such a PR to take?
davidwtbuxton
commented
4 months ago Hi @jemc thanks for pushing on this issue. I had started on fixing this a while back, will try and get it finished now, but if I run out of time may ask for your help.
Thanks,
David
qbdumont
commented
4 days ago @jemc @davidwtbuxton Did you ever make progress disabling or removing the datastore dependencies?
If you deploy a basic scaffold App Engine app, on startup it always attempts to connect to Cloud Datastore using the default service account credentials. This happens even if nothing in the app uses Cloud Datastore.
On a new App Engine project, this causes a 500 error. In the application log, you can see a message
google.api_core.exceptions.PermissionDenied: 403 Missing or insufficient permissionsthat is emitted as part of the NDB datastore library.A quick fix is to grant the default App Engine service account the required permissions.
The default App Engine service account normally gets the editor role, but this can be changed per-organization. If the GCP organization changes the default role, or removes all permissions for the service account by default, then your scaffold app can fail.
https://cloud.google.com/appengine/docs/standard/configure-service-accounts#default_service_account
The scaffold connects to the datastore in order to set/get a secret that is used by Flask for signing cookies and stuff. If the app doesn't need to do that, then we should make it so the app doesn't require access to the datastore , and avoid this error.
https://flask.palletsprojects.com/en/3.0.x/config/#SECRET_KEY