
Is our authentication broken? #1484

@jgeewax

Blog post has a pretty sad story, which isn't at all what is supposed to happen...

Link: https://synack.me/blog/app-engine-to-kubernetes

> The blog is a fairly simplistic use case for datastore, so I decided to move forward with porting the handful of queries over from the ORM to the GQL interface. As I began testing these changes, I ran into authentication errors when trying to query datastore. There are three authentication methods supported by the gcloud library: explicit credentials, credentials from a file, or a service account. Service accounts are a really nice feature of Google Cloud, allowing you to automatically provide access to other Google services from Compute Engine instances running in your project. I found that my development instance didn't have the proper scopes enabled for datastore access when it was created, so I had to delete the instance (keeping the disks) and re-create it with the service auth checkbox checked.
>
> After spending a few hours debugging an unrelated issue where I had broken the boot scripts on my dev instance, I tried to access datastore with the service account again and still got an unauthorized error. I did a fair bit more debugging, watching HTTP requests fly back and forth, ensuring that the gcloud library was getting an OAuth token using the service account and passing that in a header to the datastore service, but never managed to get this to work. I suspect there's something broken in either the gcloud library or the public datastore service preventing service accounts from authenticating properly.
>
> I generated a new service account in the Cloud Console, exported it as a json file, and passed that to the gcloud.datastore.Client.from_service_account_json classmethod to authenticate my app instead. This worked on the first try. Unfortunately, now I have a file full of secrets to worry about...

Are we not properly detecting Datastore permissions? Maybe he was missing the project ID (dataset ID) because we don't auto-detect that?

/cc @JeremyGrosser
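As an added example (not code from this issue, the linked blog post, or gcloud-python), the following script checks the two failure modes the report touches on from the instance side: a Compute Engine default service account whose scope set does not cover Datastore (and the project ID the issue author suspects was missing), and a downloaded service-account JSON key that is now a long-lived secret on disk. The metadata-server paths and the `Metadata-Flavor: Google` header are the documented Compute Engine ones; the exact scope set Datastore requires is an assumption here and should be confirmed against the library's datastore connection module; the metadata answers and the key file contents are constructed so the script runs off-instance.

```python
"""Diagnose Datastore auth on a Compute Engine instance and vet a JSON key file.

Added example, not part of the issue or of gcloud-python.  Metadata paths are
the documented Compute Engine ones; the required scope list is an assumption.
"""
import json
import os
import stat
import tempfile
import urllib.request

METADATA_ROOT = "http://metadata.google.internal/computeMetadata/v1/"
# Assumed sufficient scopes: cloud-platform covers everything, otherwise
# datastore plus userinfo.email (verify against the library's connection module).
DATASTORE_SCOPE = "https://www.googleapis.com/auth/datastore"
USERINFO_EMAIL_SCOPE = "https://www.googleapis.com/auth/userinfo.email"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def fetch_metadata(path):
    """Read one value from the metadata server.  The Metadata-Flavor header is
    mandatory; without it the server refuses the request."""
    req = urllib.request.Request(METADATA_ROOT + path,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode("utf-8")


def diagnose_instance(fetch=fetch_metadata):
    """Report whether the default service account can be expected to reach
    Datastore.  `fetch` is injectable so the logic runs with canned answers."""
    project = fetch("project/project-id").strip()
    scopes = set(fetch("instance/service-accounts/default/scopes").split())
    has_datastore = CLOUD_PLATFORM_SCOPE in scopes or DATASTORE_SCOPE in scopes
    has_email = CLOUD_PLATFORM_SCOPE in scopes or USERINFO_EMAIL_SCOPE in scopes
    if not project:
        reason = "no project id in metadata; pass the dataset id explicitly"
    elif not has_datastore:
        # Scopes live on the instance (at the time of this issue, settable only at
        # creation), so the fix is to re-create the instance, not to change code.
        reason = "default service account lacks the datastore scope"
    elif not has_email:
        reason = "missing userinfo.email scope (assumed required with datastore)"
    else:
        reason = "ok"
    return {"project": project, "scopes": sorted(scopes),
            "datastore_ready": reason == "ok", "reason": reason}


def check_key_file(path):
    """Problems with a downloaded service-account key: wrong key type, missing
    fields the library needs, or a file other local users can read."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file is group/world accessible (mode %o); chmod 600" % mode)
    with open(path) as fh:
        data = json.load(fh)
    if data.get("type") != "service_account":
        problems.append("not a service_account key (type=%r)" % data.get("type"))
    for field in ("client_email", "private_key"):
        if not data.get(field):
            problems.append("missing field %s" % field)
    return problems


def make_fetch(answers):
    """Build a fetch function returning constructed metadata answers."""
    return lambda path: answers[path]


# Constructed metadata for an instance created with a default scope set that
# does not include Datastore, i.e. the failure the blog post describes.
METADATA_NO_DATASTORE = {
    "project/project-id": "example-project\n",
    "instance/service-accounts/default/scopes":
        "https://www.googleapis.com/auth/devstorage.read_only\n"
        "https://www.googleapis.com/auth/logging.write\n",
}
# Constructed metadata for an instance re-created with full API access.
METADATA_OK = {
    "project/project-id": "example-project\n",
    "instance/service-accounts/default/scopes": CLOUD_PLATFORM_SCOPE + "\n",
}


def demo_key_file_check():
    """Write a constructed key (placeholder private key, not a real one) first
    world-readable, then locked down, and return both reports."""
    fake_key = {"type": "service_account",
                "client_email": "app@example-project.iam.gserviceaccount.com",
                "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"}
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(fake_key, fh)
    try:
        os.chmod(path, 0o644)
        before = check_key_file(path)
        os.chmod(path, 0o600)
        after = check_key_file(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    print(json.dumps(diagnose_instance(make_fetch(METADATA_NO_DATASTORE)), indent=2))
    print(demo_key_file_check())
```

On a real instance, call `diagnose_instance()` with no argument to query the metadata server; a "lacks the datastore scope" result explains an unauthorized response before any request reaches Datastore, and an empty project ID is the case the issue author asks about. The key-file check is the minimum worth doing once you fall back to `from_service_account_json`: the file is a bearer credential, so it should be mode 600 and kept out of the repository and out of images.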

Labels: auth, type: bug (Error or flaw in code with unintended results or allowing sub-optimal usage patterns)
