openforis / sepal

Geographical Data Processing in the Cloud
https://sepal.io/
MIT License

ACCESS_TOKEN_SCOPE_INSUFFICIENT when using cloudresourcemanager from Python #192

Open 12rambau opened 2 years ago

12rambau commented 2 years ago

Following what you did in https://github.com/openforis/sepal/blob/5e80d0ccde92c056b1f886c5d545f22cd8f11430/modules/gee/src/jobs/ee/asset/list.js#L70, I wanted to access users' cloud buckets as well from the AssetSelector of sepal-ui.

But when I try to run the following:

```python
import ee
from apiclient import discovery
from sepal_ui.scripts import utils

utils.init_ee()

SERVICE = discovery.build(
    serviceName="cloudresourcemanager",
    version="v1",
    cache_discovery=False,
    credentials=ee.data._credentials,
)

projects = (
    SERVICE.projects()
    .list(
        pageSize=1000,
        fields="nextPageToken, projects(id, name)"
    )
    .execute()
    .get("projects", [])
)
```

This creates the following API request: https://cloudresourcemanager.googleapis.com/v1/projects?pageSize=1000&fields=nextPageToken%2C+projects%28id%2C+name%29&alt=json

I get this response from Google server:

```json
{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "CREDENTIALS_MISSING",
        "domain": "googleapis.com",
        "metadata": {
          "method": "google.cloudresourcemanager.v1.Projects.ListProjects",
          "service": "cloudresourcemanager.googleapis.com"
        }
      }
    ]
  }
}
```

It seems that my authentication is not sufficient. How do you make it work in the main framework?

cdanielw commented 2 years ago

We need an additional OAuth scope to list user projects. The problem is that users will have to reconnect their Google account to get that additional scope. Maybe we could have a check when loading the page, asking Google for available scopes, comparing these to a list of scopes we require, and prompt the user to reconnect if it doesn't match.
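The scope check proposed in the comment above, sketched in Python as an added example (not code from sepal, sepal-ui or either commenter). It reads the granted scopes from Google's `tokeninfo` endpoint and reports which capabilities are missing; the `REQUIRED` list, the function names and the sample responses are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"

# Assumed requirements (not sepal's actual list). Each capability is satisfied
# by ANY one of its scopes, which is how Google APIs document accepted scopes.
REQUIRED = {
    "earthengine": {"https://www.googleapis.com/auth/earthengine"},
    "list_projects": {
        "https://www.googleapis.com/auth/cloud-platform",
        "https://www.googleapis.com/auth/cloud-platform.read-only",
    },
}


def fetch_tokeninfo(access_token):
    """Ask Google which scopes the token carries (needs network access)."""
    # The token travels in the query string: call this server-side only and
    # keep the URL out of request logs.
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({"access_token": access_token})
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # expired or revoked tokens get a 4xx
        return json.load(err)


def missing_capabilities(tokeninfo, required=REQUIRED):
    """Return the capabilities for which none of the accepted scopes is granted."""
    if "scope" not in tokeninfo:
        return sorted(required)  # invalid or expired token: nothing is granted
    granted = set(tokeninfo["scope"].split())  # scopes arrive space-delimited
    return sorted(name for name, anyof in required.items() if not granted & anyof)


# Constructed sample responses (not captured from a real account).
EE_ONLY = {"scope": "openid https://www.googleapis.com/auth/earthengine", "expires_in": "3400"}
FULL = {"scope": " ".join(sorted(REQUIRED["earthengine"] | REQUIRED["list_projects"])),
        "expires_in": "3400"}
INVALID = {"error_description": "Invalid Value"}

if __name__ == "__main__":
    for label, info in (("ee only", EE_ONLY), ("full", FULL), ("invalid", INVALID)):
        print(label, "-> reconnect needed for:", missing_capabilities(info))
```

A non-empty result is the signal to prompt the user to reconnect their Google account with the additional scope.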

12rambau commented 2 years ago

OK, I thought that was already working in the current build.