Troubleshooting - 403 Request had insufficient authentication scopes

Let me start with the complaint, which is then followed by the question "How to check ADC scopes (with `gcloud`)?".

The complaint. Google Cloud's approach to explaining ADC (Application Default Credentials) is awful, and here is why.

1. No diagrams that compare ADC to username/password and other more complicated things

2. Error messages are not actionable

An example.

#!/usr/bin/env python

# import transformers
import google.generativeai as palm

palm.configure()  # no api_key given: the client falls back to Application Default Credentials (ADC)

for m in palm.list_models():
    print(m)

Save as `coder_palm_api.py` and run it.

python ./coder_palm_api.py

If you've installed the Cloud SDK and the `google-generativeai` Python lib, then after authenticating through ADC you should get this.

Traceback (most recent call last):
  File "/data/ai/./coder_palm_api.py", line 8, in <module>
    for m in palm.list_models():
  File "/data/ai/.venv/lib/python3.12/site-packages/google/generativeai/models.py", line 190, in list_models
    for model in client.list_models(page_size=page_size, **request_options):
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/data/ai/.venv/lib/python3.12/site-packages/google/ai/generativelanguage_v1beta/services/model_service/client.py", line 902, in list_models
    response = rpc(
               ^^^^
  File "/data/ai/.venv/lib/python3.12/site-packages/google/api_core/gapic_v1/method.py", line 131, in __call__
    return wrapped_func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/data/ai/.venv/lib/python3.12/site-packages/google/api_core/retry/retry_unary.py", line 293, in retry_wrapped_func
    return retry_target(
           ^^^^^^^^^^^^^
  File "/data/ai/.venv/lib/python3.12/site-packages/google/api_core/retry/retry_unary.py", line 153, in retry_target
    _retry_error_helper(
  File "/data/ai/.venv/lib/python3.12/site-packages/google/api_core/retry/retry_base.py", line 212, in _retry_error_helper
    raise final_exc from source_exc
  File "/data/ai/.venv/lib/python3.12/site-packages/google/api_core/retry/retry_unary.py", line 144, in retry_target
    result = target()
             ^^^^^^^^
  File "/data/ai/.venv/lib/python3.12/site-packages/google/api_core/timeout.py", line 120, in func_with_timeout
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/data/ai/.venv/lib/python3.12/site-packages/google/api_core/grpc_helpers.py", line 78, in error_remapped_callable
    raise exceptions.from_grpc_error(exc) from exc
google.api_core.exceptions.PermissionDenied: 403 Request had insufficient authentication scopes. [reason: "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
domain: "googleapis.com"
metadata {
  key: "service"
  value: "generativelanguage.googleapis.com"
}
metadata {
  key: "method"
  value: "google.ai.generativelanguage.v1beta.ModelService.ListModels"
}
]

Searching for "generativelanguage.googleapis.com" will give you the https://console.cloud.google.com/apis/library/generativelanguage.googleapis.com page, which is a dead end, because there is no information about the scopes needed and no information about your attempt to use the service, which has just failed.

Searching for "google.ai.generativelanguage.v1beta.ModelService.ListModels" gives a 3rd or 5th link to https://ai.google.dev/api/rest/v1beta/models/list (YMMV), which you may recognize as useful, because you are a seasoned developer and know what to look for. Otherwise you will get similar links to this forum.

https://www.googlecloudcommunity.com/gc/AI-ML/Trying-to-use-gemini-using-google-generativeai-but-its...

And to the Python lib tracker.

https://github.com/google-gemini/generative-ai-python/issues/8

Inspecting the API page gives you the (supposedly) right answer.

The Python lib issue also mentions https://www.googleapis.com/auth/cloud-platform and a way to set these scopes. Posts on this forum were not really helpful. I already know that I need to check my credentials and scopes.

The problem is - Google provides no way to check ADC auth scopes in 2024 - you can spend a few days like me, or just succumb to it.

Google also doesn't provide any visual way to navigate occasional users like me (and @Tech2hard, who has asked the same question here before) over its vast authentication/authorization landscape with an obligatory pointer "You are HERE". Do I use ADC? Does ADC use a service account? Or a project account? Or is it a service account under a project account? Or is it some other "workforce project account"? Or just my login account? Or is it some specific token under one of these many accounts?

How am I supposed to care about my application security if the whole attack surface for stealing auth tokens is so huge and covered in a dense fog? Even the Gemini LLM doesn't know what is going on. All the smart guys are already employed by Google, and they are not helping, so how can I compete with my small brain?

Whatever, the complaint is over. There is a ton of info about what should be improved on the Google side, and it is not my job to tell people what to do.

So, the question:

How to troubleshoot the "403 Request had insufficient authentication scopes" error, starting from checking which authentication method is used, which scopes are set for it, and which scopes are insufficient?

1 REPLY

Hi @abitrolly,

Welcome to the Google Cloud Community!

I understand that navigating GCP and its various authentication methods can be frustrating and overwhelming for the average user.

Please take a moment to review the documentation page - Authentication methods at Google. It covers pretty much everything you need to know about the different authentication methods available in GCP (OAuth, Workload Identity Federation, ADC, etc.), diagrams and guidance for your specific scenario, as well as comparisons between these methods.


@abitrolly wrote:

How to troubleshoot "403 Request had insufficient authentication scopes" error, starting from checking which authentication method is used, which are scopes are set for it, and which scopes are insufficient?


Based on the error you received:

PermissionDenied: 403 Request had insufficient authentication scopes. [reason: "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
domain: "googleapis.com"
metadata {
  key: "service"
  value: "generativelanguage.googleapis.com"
}

There are a lot of possible issues that may cause this; kindly refer to this StackOverflow thread - Google generative api with palm: 403 Request had insufficient authentication scopes. [reason: "ACCES....

Lastly, a tip that I can give is to bookmark the documentation page of the specific resource in GCP that you frequently use and do a quick scan; you should find all the necessary details regarding installation, common issues, known issues, and other features that you might otherwise miss.
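The troubleshooting sequence the question asks for (which credential ADC actually resolves to, which scopes the resulting access token carries, and which required scopes are missing), written out as an added example; this is not code from the original post, the reply, or the `google-generativeai` project. It uses only the Python standard library and shells out to `gcloud auth application-default print-access-token` for the live token. The required scope set is an assumption taken from the GitHub issue linked above (`https://www.googleapis.com/auth/cloud-platform`); the real list for any API belongs in its REST reference page. The sample ADC file and tokeninfo response are constructed so the helper functions can be exercised offline. One point the page does not spell out: Google OAuth access tokens are opaque strings, not JWTs, so they cannot be decoded locally; the reliable way to see their scopes is Google's own `tokeninfo` endpoint, which is what the script queries.

```python
#!/usr/bin/env python
"""Troubleshoot "403 Request had insufficient authentication scopes" with ADC.

Added example (not from the original post). Answers, in order:
  1. which credential ADC picks up          -> adc_file_path(), describe_adc()
  2. which scopes the token really carries  -> granted_scopes() via tokeninfo
  3. which required scopes are missing      -> missing_scopes(), remediation_command()
"""
import json
import os
import subprocess
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"

# Assumption: the scope(s) the target API needs; cloud-platform is the one named
# in the GitHub issue linked in the post. Take the real list from the API's docs.
REQUIRED_SCOPES = frozenset({"https://www.googleapis.com/auth/cloud-platform"})

# Constructed sample inputs: not a real credential file, not a real token response.
SAMPLE_ADC_FILE = json.dumps({
    "type": "authorized_user",
    "client_id": "CONSTRUCTED.apps.googleusercontent.com",
    "client_secret": "CONSTRUCTED",
    "refresh_token": "CONSTRUCTED",
})
SAMPLE_TOKENINFO = {
    "azp": "CONSTRUCTED.apps.googleusercontent.com",
    "scope": "openid https://www.googleapis.com/auth/userinfo.email",
    "expires_in": "3599",
}


def adc_file_path() -> str:
    """Credentials-file precedence the client libraries follow: the
    GOOGLE_APPLICATION_CREDENTIALS env var, then the file gcloud writes.
    (With neither present on GCE/Cloud Run, ADC asks the metadata server.)"""
    explicit = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        return explicit
    if os.name == "nt":
        return os.path.join(os.environ.get("APPDATA", ""), "gcloud",
                            "application_default_credentials.json")
    return os.path.expanduser("~/.config/gcloud/application_default_credentials.json")


def describe_adc(adc_json: str) -> dict:
    """Classify an ADC JSON document by its 'type' field.

    None of these file types records OAuth scopes: an 'authorized_user' file
    (what `gcloud auth application-default login` writes) holds a refresh token
    whose scopes were fixed at consent time; for a 'service_account' key the
    library picks scopes when it mints a token. Scopes must be read from a live
    access token, see granted_scopes()."""
    data = json.loads(adc_json)
    kind = data.get("type", "unknown")
    identity = {
        "authorized_user": "your own Google account (refresh token from gcloud)",
        "service_account": data.get("client_email", "service account key"),
        "external_account": "workload/workforce identity federation",
    }.get(kind, "unrecognized credential type")
    return {"type": kind, "identity": identity, "scopes_in_file": False}


def granted_scopes(tokeninfo: dict) -> set:
    """tokeninfo reports granted scopes as one space-separated 'scope' string."""
    return set(tokeninfo.get("scope", "").split())


def missing_scopes(tokeninfo: dict, required=REQUIRED_SCOPES) -> set:
    """Required scopes the token does not carry; an empty set means scopes are fine
    and the 403 has a different cause (IAM permission, API not enabled, ...)."""
    return set(required) - granted_scopes(tokeninfo)


def remediation_command(tokeninfo: dict, required=REQUIRED_SCOPES) -> str:
    """Re-consent with the union of current and required scopes. --scopes sets
    the list explicitly, so the currently granted ones are carried over."""
    scopes = sorted(granted_scopes(tokeninfo) | set(required))
    return "gcloud auth application-default login --scopes=" + ",".join(scopes)


def adc_access_token() -> str:
    """Mint the token the libraries would send. Treat it as a secret: do not log
    it or paste it into third-party "token decoders"."""
    out = subprocess.check_output(
        ["gcloud", "auth", "application-default", "print-access-token"], text=True)
    return out.strip()


def fetch_tokeninfo(token: str) -> dict:
    """Ask Google's own introspection endpoint what the opaque token carries."""
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({"access_token": token})
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    path = adc_file_path()
    if os.path.exists(path):
        with open(path) as fh:
            print("ADC file:", path, describe_adc(fh.read()))
    else:
        print("No ADC file at", path, "- ADC would use the metadata server or fail.")
    info = fetch_tokeninfo(adc_access_token())
    print("granted:", sorted(granted_scopes(info)))
    gap = missing_scopes(info)
    print("missing:", sorted(gap) or "none")
    if gap:
        print("fix:", remediation_command(info))
```

From a shell the same check is `curl "https://oauth2.googleapis.com/tokeninfo?access_token=$(gcloud auth application-default print-access-token)"`. The reason string in the traceback, `ACCESS_TOKEN_SCOPE_INSUFFICIENT`, means the token itself was accepted but its scope set does not cover the called method; that is distinct from an IAM denial, so granting more roles to the account will not change it, while re-consenting with the right scopes will.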