Access error from client.py in section "Deploying a service to the cloud cluster"
swgu931 opened this issue · 4 comments
Dear all,
I did finish google cloud robotics platform as long as I understood as of now except two main sections "Deploying a service to the cloud cluster" and "Creating a declarative API"
First of all, I tried the first but I met the error when section "Deploying a service to the cloud cluster" in the last.
~/hello-service/client# python3
Python 3.8.4rc1 (default, Jul 1 2020, 15:31:45)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import google.auth
>>> import google.auth.transport.requests as requests
>>> credentials, project_id = google.auth.default()
>>> print (credentials)
<google.oauth2.service_account.Credentials object at 0x7f9b3895af10>
>>> print (project_id)
lg-cloud-robot-20200908
>>> authed_session = requests.AuthorizedSession(credentials)
>>> print(authed_session)
<google.auth.transport.requests.AuthorizedSession object at 0x7f9b38a06d60>
>>> response = authed_session.request("GET", "https://www.endpoints.xxxxxxxxxx.cloud.goog/apis/hello-server")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python3.8/dist-packages/google/auth/transport/requests.py", line 471, in request
self.credentials.before_request(auth_request, method, url, request_headers)
File "/usr/local/lib/python3.8/dist-packages/google/auth/credentials.py", line 130, in before_request
self.refresh(request)
File "/usr/local/lib/python3.8/dist-packages/google/oauth2/service_account.py", line 408, in refresh
access_token, expiry, _ = _client.jwt_grant(
File "/usr/local/lib/python3.8/dist-packages/google/oauth2/_client.py", line 191, in jwt_grant
response_data = _token_endpoint_request(request, token_uri, body)
File "/usr/local/lib/python3.8/dist-packages/google/oauth2/_client.py", line 163, in _token_endpoint_request
_handle_error_response(response_data)
File "/usr/local/lib/python3.8/dist-packages/google/oauth2/_client.py", line 58, in _handle_error_response
raise exceptions.RefreshError(error_details, response_data)
google.auth.exceptions.RefreshError: ('invalid_scope: Invalid OAuth scope or ID token audience provided.', {'error': 'invalid_scope', 'error_description': 'Invalid OAuth scope or ID token audience provided.'})
~/hello-service/client#
I appreciate someone help me as before.
Thanks & regards
Sean
Hi, did you run:
gcloud auth application-default login
Could you please share the output of gcloud info via https://gist.github.com/ ?
Thanks for question and
Yes. I did as i remembered because the other tests were ok then.
Even if not the case, could AuthorizedSesion be successfully done ?
I just tested the whole tutorial and also send a small change to update a few things. Good news is that it worked for me.
Let me ask a few more questions to solve it for you too:
- is project id
lg-cloud-robot-20200908the same GCP project as you use in www.endpoints.xxxxxxxxxx.cloud.goog (no worries, it is not accessible from the outside due to the auth required). - When run run
gcloud auth application-default logindid you use the same user that also registered the cloud project? - could take a look at the nginx logs:
kubectl logs -f -l k8s-app=nginx-ingress-controller - same for the oauth2-proxy
kubectl logs -f -l app=oauth2-proxy
Thanks Stefan Sauer,
I did try again all the step of the tutorial updated. it's ok and logs you mentioned looked ok in my eyes.
Thanks very much again.