Home > Mobile >  gcloud auth print-access-token gives permission denied error
gcloud auth print-access-token gives permission denied error

Time:07-19

I have a shell script trying to download some secrets from secret manager inside dataproc cluster.

    GetAuthJson() {
  authjson=$(curl "https://secretmanager.googleapis.com/v1/projects/$PROJECT_ID/secrets/$AUTH_JSON/versions/1:access" \
    --request "GET" \
    --header "authorization: Bearer $(gcloud auth print-access-token)" \
    --header "content-type: application/json")
  if [ $? -ne 0 ]; then
    Error "Unable to extract the $PIPENAME Auth json details from GCP Secret Manager"
  fi

  echo $authjson | grep -o '"data": "[^"]*' | grep -o '[^"]*$' >$BASE_DIR/encodedauth.json
  if [ $? -ne 0 ]; then
    Error "Unable to save the $PIPENAME auth.json server secret to auth.json"
  fi

  auth_json=$(base64 -d $BASE_DIR/encodedauth.json)
  base64 -d $BASE_DIR/encodedauth.json >/etc/secrets/auth.json

  if [ $? -ne 0 ]; then
    Error "Unable to decode the $PIPENAME auth.json server secret"
  fi
  Log "auth.json secret extraction done"
}

when i run this curl it generates an error

authjson='{
  "error": {
    "code": 403,
    "message": "Permission '\''secretmanager.versions.access'\'' denied for resource '\''projects/**-**-dev/secrets/**_AUTH_JSON/versions/1'\'' (or it may not exist).",
    "status": "PERMISSION_DENIED"
  }
}'

the same curl with same service account is working in local meachine. and more over if i copy the CURL from local and run it in dataproc cluster it works as well. But the curl generated from dataproc fails in local .

whats more weird is if i run gcloud auth print-access-token separately and paste it in curl command it works in both meachine.

so my question is why gcloud auth print-access-token generated as part of curl in dataproc cluster is not working ?

CodePudding user response:

It would be useful if you could capture the value of the curl command or, at least the value of gcloud auth print-access-token that's failing in the script.

I suspect (I'm unfamiliar with Dataproc) that the Dataproc instance does not have gcloud installed and the gcloud auth print-access-token is failing.

If the instance does have gcloud installed, since it's running then it must have a Service Account and so should permit authenticating. There may (!?) be a more nuanced issue with getting an access token as a Dataproc instance, unclear.

Please consider using either gcloud secrets versions access directly or one of Google's client libraries to access the secret.

You're making the process more complex than it need be by curl'ing the endpoint; you're having to use gcloud anyway to get the auth token.

CodePudding user response:

The issue was i ran the script as sudo user. When i ran normally it worked.

  • Related