0

We are using a Jenkins project to run "gcloud logging read ..." from a shell to get logs from a gcloud container and we occasionally see a permission error in the script:

ERROR: (gcloud.logging.read) PERMISSION_DENIED: Request had insufficient authentication scopes.

Our Jenkins servers run as a Google Kubernetes Engine.

I did not find anything specific for authentication using Kubernetes Engine and I assumed that it is like a Google Cloud for which https://cloud.google.com/storage/docs/authentication#libauth says that, for authentication,

the environment already provides a service account's authentication information, so no further setup is required

Maybe my assumption is wrong? I assumed it because it often works.

When it works, gcloud info returns the expected user, while when it does not work it reports the default service account.

Does anybody know why the user changes between the project's builds and how it could be avoided?

Other observation:

  • Modifying the shell script for the project in Jenkins seems to fix the problem for a while.

Thanks!

rod
  • Hello, welcome to Serverfault. Please update your question with information like how the cluster was set up and how Jenkins is running inside of it. How many node pools do you have in this cluster? Were you configuring any access scopes? – Dawid Kruk Mar 13 '20 at 12:51
  • Hi Dawid Kruk, thanks for your comment. Research for responses to it led us to try another approach. We are currently testing it and I will post an update if it fixes the problem. – rod Mar 17 '20 at 21:02

1 Answer

1

So the problem here seems to be that the answer is "yes" to my question

Maybe my assumption is wrong?

It seems that the project worked most of the time because it was mostly run on an agent after it ran another project (pipeline in this case) that was doing the authentication.

The fix was to also do the authentication stuff in my project, and it has always worked for a week now.

rod
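One way to do the authentication inside the job itself, so that it no longer depends on credentials another job left on the agent. This is an added example, not the poster's script; it assumes the job is given a service-account key file, and GCP_SA_KEY_FILE, EXPECTED_ACCOUNT, GCP_PROJECT and LOG_FILTER are hypothetical variable names.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): authenticate gcloud in this job
# instead of inheriting whatever account an earlier job activated on the agent.
# Assumed inputs: GCP_SA_KEY_FILE, EXPECTED_ACCOUNT, GCP_PROJECT, LOG_FILTER.

# Use a private gcloud config directory so credential state is per build.
isolate_gcloud_config() {
  CLOUDSDK_CONFIG="$(mktemp -d)" || return 1
  export CLOUDSDK_CONFIG
}

# Activate the key ($1) and fail early unless the active account is $2,
# rather than silently running as the node's default service account.
authenticate() {
  gcloud auth activate-service-account --key-file="$1" --quiet || return 1
  active="$(gcloud config get-value account 2>/dev/null)"
  if [ "$active" != "$2" ]; then
    echo "active account '$active' is not '$2'; refusing to continue" >&2
    return 1
  fi
}

# Read logs for project $1 with filter $2.
read_logs() {
  gcloud logging read "$2" --project="$1" --limit=50 --format=json
}

# Revoke the credentials and delete the private config directory.
cleanup() {
  gcloud auth revoke --all --quiet >/dev/null 2>&1 || true
  if [ -n "${CLOUDSDK_CONFIG:-}" ]; then
    rm -rf "$CLOUDSDK_CONFIG"
  fi
}

run_job() {
  isolate_gcloud_config || return 1
  trap cleanup EXIT
  authenticate "$GCP_SA_KEY_FILE" "$EXPECTED_ACCOUNT" || return 1
  read_logs "$GCP_PROJECT" "$LOG_FILTER"
}

# Only run when the job actually supplies a key file.
if [ -n "${GCP_SA_KEY_FILE:-}" ]; then
  run_job
fi
```

The account check turns the intermittent PERMISSION_DENIED into an immediate, explicit failure whenever the build would otherwise run as the default service account.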