Permission denied while getting drive credentials: ADC with impersonation

[adamcunnington-mlg]

I consider myself pretty familiar with the various google auth flows available via the python SDK - and how this interacts with gcloud-generated credentials.

We are using the bq SDK in the typical way; client = bigquery.Client() and we make use of ADC so our code is interoperable between dev and prod. Our code interacts with external tables that are sourced from sheets on google drive. We know that we need to provide the necessary scopes (and of course, permission to the underlying sheets).

The following works fine for a user identity with the necessary permissions:
gcloud auth application-default login --scopes=https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/cloud-platform

However, the following does not:
gcloud auth application-default login --scopes=https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/cloud-platform --impersonate-service-account=hand-of-god@mlg-apollo-data-prod.iam.gserviceaccount.com

We receive google.api_core.exceptions.Forbidden: 403 Access Denied: BigQuery BigQuery: Permission denied while getting Drive credentials.

I can replicate the same issue with my user credential if 1 of the following 2 things are true:

1. I don't pass google drive scopes.
2. I don't have access to the underlying file.

The service account that I am impersonating definitely has access to the file and I can see the BigQuery job failure with non-descript error message (a feature request has been raised for this with the BigQuery REST API team). My suspicion is that when impersonating a service account, the scopes (that are presumably buried in the credential) are not passed through / correctly read by the SDK (WHEN the ADC was generated using SA impersonation only). Maybe a similar issue is happening with my above note when the project cannot be inferred from the environment.

See below screenshot proof of correct permissions being in place:

Very grateful for some direction here...

[adamcunnington-mlg]

For the next poor soul that encounters this, I have concluded that indeed, the scopes are ignored by the python SDK (might not be isolated to just here) relating to ADC credentials generated using service account impersonation.

Interestingly, the same issue does NOT happen when using googleapiclient (google-python-api-client) so I think that library does something smarter than google-cloud-core does.

This can be worked around in various ways by explicitly setting the project and scopes within the code but this makes for a brittle implementation that is not interoperable with different credential types and environments.

I found the best way to workaround this is by passing the lesser known client_options object (https://googleapis.dev/python/google-api-core/latest/client_options.html#google.api_core.client_options.ClientOptions) which supports explicit scopes

An alternative is to create an ADC object explicitly with scopes; e.g. google.auth.default(scopes=...)

[adamcunnington-mlg]

I've raised a case with Google Cloud support to confirm this bug

[tswast]

Thanks for raising this issue. I see you have already discovered the client_options and credentials via google.auth.default workarounds.

Some related code for further investigation. We set default scopes here:

https://github.com/googleapis/python-bigquery/blob/40e4da78bb690ff4c94832321377bb1590e2eeaf/google/cloud/bigquery/client.py#L210-L213

These scopes are used here:

https://github.com/googleapis/python-cloud-core/blob/8ca0faa17e87aa842d154b965be5ef39f1f7490d/google/cloud/client/__init__.py#L169

Potentially there's a difference between an impersonated service account and user credentials, where the former can be scoped down? I recall that user credentials aren't really affected by the scopes parameter after they're created.

[tswast]

Looking at https://github.com/googleapis/google-auth-library-python/blob/a83af399fe98764ee851997bf3078ec45a9b51c9/google/auth/credentials.py#L327 I think perhaps we should be setting default_scopes here https://github.com/googleapis/python-cloud-core/blob/8ca0faa17e87aa842d154b965be5ef39f1f7490d/google/cloud/client/__init__.py#L181 instead of scopes.

[tswast]

On second thought, this may not be a bug. I think no drive scope is the correct default, so clients that need these scopes should be passing it in via the client_options.

Perhaps we reclassify this as a documentation issue to update the code sample at https://cloud.google.com/bigquery/docs/external-data-drive#python now that client_options are available?

[adamcunnington-mlg]

Thanks so much for looking at this but I don't quite agree its a docs issue. The key point here is that the scopes are correctly extracted from ADC when ADC is of type authorized user but NOT when they are of type impersonated_service_account. I think this requires a fix in google.auth.

[tswast]

The key point here is that the scopes are correctly extracted from ADC when ADC is of type authorized user but NOT when they are of type impersonated_service_account

I suppose there's a subtlety here. We don't want to downscope credentials that already have cloud-platform or bigquery scopes. The only reason we're not doing that for authorized user is that downscoping isn't supported in google-auth. If it were supported, we wouldn't want to be downscoping in that case, either.

[adamcunnington-mlg]

But as far as google.auth is concerned, an authorised user or an authorised user that is impersonating a service account, is the same category of thing. It's still an authorised user credential, and when I'm generating ADC, I'm providing explicit scopes, which in this case are wider than what is coming from python-bigquery (cloud platform PLUS drive scopes) but bigquery is irrelevant in the discussion here - this issue should probably be ported to google.auth repo. It's not BQ specific at all.

[rafael-guevara-ONE]

Hello Dear I have the same issue, when I try to execute the query to consult table with external data source in my case google sheet, so finally appear the message error "Access Denied: BigQuery BigQuery: Permission denied while getting Drive credentials."

I share the Google sheet with the service account, but issue was not resolved yet

Somebody knows how to fix this issue?

[krampepampe]

Hi @rafael-guevara-ONE, I have exactly the same issue.

[adamcunnington-mlg]

@rafael-guevara-ONE @krampepampe I doubt you are having the same issue.

How are you authenticating? You are probably missing the google drive scope. That is not what this issue is about.

[rafael-guevara-ONE]

Hello @adamcunnington-mlg I really appreciate your answer thanks

I added the scopes in function in my case in I am using dialog flow == cloud function with node js and now it is working:

@krampepampe dear try to add the scope into your BigQuery service:, check the below links:
https://stackoverflow.com/questions/68064592/bigquery-permission-denied-while-getting-drive-credentials-unable-to-resolve
https://stackoverflow.com/questions/60903258/bigquery-nodejs-library-error-while-accessing-external-source-in-google-drive