google.auth.exceptions.RefreshError: ('invalid_scope: Invalid OAuth scope or ID token audience provided.', {'error': 'invalid_scope', 'error_description': 'Invalid OAuth scope or ID token audience provided.'})

[birb57]

Hi

Can not use adc authentication via service account for gce-rescue

Can you please advise ?

[gce-rescue]#
[root@gce-rescue]# export GOOGLE_APPLICATION_CREDENTIALS="/root/gce-rescue/auth-simu.json"
[root@gce-rescue]# /usr/bin/gce-rescue -p dbg-cs-sz-32064e0b -z europe-west3-a -n gcsb84rhel098
Traceback (most recent call last):
File "/usr/bin/gce-rescue", line 33, in
sys.exit(load_entry_point('gce-rescue==0.4b0', 'console_scripts', 'gce-rescue')())
File "/usr/lib/python3.9/site-packages/gce_rescue-0.4b0-py3.9.egg/gce_rescue/bin/rescue.py", line 44, in main
vm = Instance(test_mode=False, **parse_kwargs)
File "", line 12, in init
File "/usr/lib/python3.9/site-packages/gce_rescue-0.4b0-py3.9.egg/gce_rescue/gce.py", line 112, in post_init
check = Validations(
File "", line 7, in init
File "/usr/lib/python3.9/site-packages/gce_rescue-0.4b0-py3.9.egg/gce_rescue/tasks/pre_validations.py", line 48, in post_init
authorize_check(project = self.project)
File "/usr/lib/python3.9/site-packages/gce_rescue-0.4b0-py3.9.egg/gce_rescue/tasks/validations/authorization.py", line 43, in authorize_check
result = service.projects().testIamPermissions(
File "/usr/lib/python3.9/site-packages/google_api_python_client-2.125.0-py3.9.egg/googleapiclient/_helpers.py", line 130, in positional_wrapper
return wrapped(*args, **kwargs)
File "/usr/lib/python3.9/site-packages/google_api_python_client-2.125.0-py3.9.egg/googleapiclient/http.py", line 923, in execute
resp, content = _retry_request(
File "/usr/lib/python3.9/site-packages/google_api_python_client-2.125.0-py3.9.egg/googleapiclient/http.py", line 191, in _retry_request
resp, content = http.request(uri, method, *args, **kwargs)
File "/usr/lib/python3.9/site-packages/google_auth_httplib2-0.2.0-py3.9.egg/google_auth_httplib2.py", line 209, in request
self.credentials.before_request(self._request, method, uri, request_headers)
File "/usr/local/lib/python3.9/site-packages/google/auth/credentials.py", line 228, in before_request
self._blocking_refresh(request)
File "/usr/local/lib/python3.9/site-packages/google/auth/credentials.py", line 191, in _blocking_refresh
self.refresh(request)
File "/usr/local/lib/python3.9/site-packages/google/oauth2/service_account.py", line 441, in refresh
access_token, expiry, _ = _client.jwt_grant(
File "/usr/local/lib/python3.9/site-packages/google/oauth2/_client.py", line 308, in jwt_grant
response_data = _token_endpoint_request(
File "/usr/local/lib/python3.9/site-packages/google/oauth2/_client.py", line 279, in _token_endpoint_request
_handle_error_response(response_data, retryable_error)
File "/usr/local/lib/python3.9/site-packages/google/oauth2/_client.py", line 72, in _handle_error_response
raise exceptions.RefreshError(
google.auth.exceptions.RefreshError: ('invalid_scope: Invalid OAuth scope or ID token audience provided.', {'error': 'invalid_scope', 'error_description': 'Invalid OAuth scope or ID token audience provided.'})
[root@ gce-rescue]#

Thanks for your support

[halleysouza]

Hey there... I understand you are trying to set up local credentials for a service account.
I'd recommend you to use ADC with your SA credentials.

gcloud auth application-default login --impersonate-service-account <SA-login>

Have a look for more: https://cloud.google.com/docs/authentication/provide-credentials-adc#sa-impersonation

Also, make sure your SA have all the permissions necessary to rescue a VM.

Let me know if that works for you

[bskou57]

Hi

I can not as I am login via cyberark platform

I can only use service account file

Best regards

[halleysouza]

@runxinw I remember you worked on:

def api_service

Maybe we can parse the $GOOGLE_APPLICATION_CREDENTIALS (credentials json file) there ?

[runxinw]

gce-rescue uses the google-auth library to perform authentication and authorization, the issue is not specific to its code.

I assume you are using the service account key for this case, otherwise, please review this doc to create a proper SA key file.

Based on the traceback -- 'invalid_scope: Invalid OAuth scope or ID token audience provided.', the issue indicates the SA does not have right scope. Have you tried following this doc to set the right scope for your GCE instance for the SA ?

If it is still not working, please give us a bit more details how you generate the credential json and how you set the scope.

[Rishi247]

Was this resolved since I am getting the same error. I tried running gcloud auth login command before running the gce-rescue command. Although it logged in successfully, but I am still getting the same error as above when running gce-rescue.

[halleysouza]

@Rishi247 are you also using exported SA key ? Are you able to able to run other gcloud commands with this SA key (ie: stop/start VM, etc) ? If possible, please provide here the logs

Also check the last comment setting up the correct scope for your SA.

[Rishi247]

No, i am using my IAM account for this(trying it locally) Regards Rishi Pariyani

…

On Tue, 4 Jun 2024 at 5:11 PM, Halley ***@***.***> wrote: @Rishi247 <https://github.com/Rishi247> are you also using exported SA key ? Are you able to able to run other gcloud commands with this SA key (ie: stop/start VM, etc) ? If possible, please provide here the logs Also check the last comment <#42 (comment)> setting up the correct scope for your SA. — Reply to this email directly, view it on GitHub <#42 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHHWY7XA5D5M2FKL6BQCJO3ZFWRWDAVCNFSM6AAAAABGGIKIQWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNBXGMYTQNRVGA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[halleysouza]

In this case, I assume you configured your account:
$ gcloud init

and later updated the applications login:
$ gcloud auth application-default login

Can you please run the GCE Rescue with the --debug options and share the logs ? ** please make sure to redact any personal information from the logs before submitting **

[Rishi247]

Hi Halley I am unable to run the binary getting the below error - *Command* - gce-rescue -p <project-name> -n <instance-name> -z <zone-id> -d *Output -* Traceback (most recent call last): File "/Users/testbook/anaconda3/bin/gce-rescue", line 33, in <module> sys.exit(load_entry_point('gce-rescue==0.4b0', 'console_scripts', 'gce-rescue')()) File "/Users/testbook/anaconda3/lib/python3.10/site-packages/gce_rescue-0.4b0-py3.10.egg/gce_rescue/bin/rescue.py", line 44, in main vm = Instance(test_mode=False, **parse_kwargs) File "<string>", line 12, in __init__ File "/Users/testbook/anaconda3/lib/python3.10/site-packages/gce_rescue-0.4b0-py3.10.egg/gce_rescue/gce.py", line 112, in __post_init__ check = Validations( File "<string>", line 7, in __init__ File "/Users/testbook/anaconda3/lib/python3.10/site-packages/gce_rescue-0.4b0-py3.10.egg/gce_rescue/tasks/pre_validations.py", line 48, in __post_init__ authorize_check(project = self.project) File "/Users/testbook/anaconda3/lib/python3.10/site-packages/gce_rescue-0.4b0-py3.10.egg/gce_rescue/tasks/validations/authorization.py", line 46, in authorize_check ).execute() File "/Users/testbook/anaconda3/lib/python3.10/site-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper return wrapped(*args, **kwargs) File "/Users/testbook/anaconda3/lib/python3.10/site-packages/googleapiclient/http.py", line 923, in execute resp, content = _retry_request( File "/Users/testbook/anaconda3/lib/python3.10/site-packages/googleapiclient/http.py", line 191, in _retry_request resp, content = http.request(uri, method, *args, **kwargs) File "/Users/testbook/anaconda3/lib/python3.10/site-packages/google_auth_httplib2.py", line 209, in request self.credentials.before_request(self._request, method, uri, request_headers) File "/Users/testbook/anaconda3/lib/python3.10/site-packages/google/auth/credentials.py", line 135, in before_request self.refresh(request) File "/Users/testbook/anaconda3/lib/python3.10/site-packages/google/oauth2/credentials.py", line 335, in refresh ) = reauth.refresh_grant( File "/Users/testbook/anaconda3/lib/python3.10/site-packages/google/oauth2/reauth.py", line 351, in refresh_grant _client._handle_error_response(response_data, retryable_error) File "/Users/testbook/anaconda3/lib/python3.10/site-packages/google/oauth2/_client.py", line 73, in _handle_error_response raise exceptions.RefreshError( google.auth.exceptions.RefreshError: ('invalid_grant: Bad Request', {'error': 'invalid_grant', 'error_description': 'Bad Request'}) *Command - * which python3.10 *Output - * /Users/testbook/anaconda3/bin/python3.10

…

On Tue, Jun 4, 2024 at 5:32 PM Halley ***@***.***> wrote: In this case, I assume you configured your account: $ gcloud init and later updated the applications login: $ gcloud auth application-default login Can you please run the GCE Rescue with the --debug options and share the logs ? ** please make sure to redact any personal information from the logs before submitting ** — Reply to this email directly, view it on GitHub <#42 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHHWY7SINKSO46DKHRMJ6PLZFWUGBAVCNFSM6AAAAABGGIKIQWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNBXGM3DCNJWHA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- Regards Rishi Pariyani