Question

I have a system that has been in place for a little while: GAE (Python) accessing GCE APIs. The App Engine app and the GCE are in different projects. The App Engine service account was added to the GCE permissions with edit privilege. In code, I use the Google APIs Client Library for Python. And for authorization, I have been using `oauth2client.appengine.AppAssertionCredentials`.

This has been working fine, but all of a sudden I am getting 403 errors when trying to access something in GCE, for example the API for the load balancer. I see that the Client Library documentation does state that "If your App Engine application needs to call an API to access data owned by the application's project, you can simplify OAuth 2.0 by using Service Accounts." https://developers.google.com/api-client-library/python/guide/google_app_engine#ServiceAccounts

I don't know if that documentation has changed recently or what else may have changed.

Any thoughts on why this may have stopped working? I don't need to authorize on a per-user basis; this is just system to system.

Thanks.

Solution

Well, it turns out that this was related to some sort of change with Google Cloud projects. To reset, the GAE project (projectA) was trying to access the GCE API for GCE in a separate project (projectB).

projectA did not have the Google Compute Engine API turned on in the project console. Turning that on resolved the issue. It was not previously turned on, yet that worked. So thankfully this one was literally as easy as flipping a switch. I wish they could include something more specific in the error response. I think that would help people running into the same issue.
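
An added example, not part of the original question or answer: a small triage helper for a cross-project 403 that separates "API not enabled in the calling project" from "service account lacks a role in the target project", for responses whose JSON body carries a machine-readable reason. The function name and the sample bodies are constructed for illustration; `accessNotConfigured` and `forbidden` are reason strings used in Google API JSON error bodies, and `projectA`/`projectB` are the names used in the answer.

```python
import json

# Reason strings found under error.errors[].reason in Google API JSON errors.
API_DISABLED = "accessNotConfigured"  # API is off in the *calling* project
IAM_DENIED = "forbidden"              # caller lacks a role on the *target* resource

# Constructed sample bodies (not captured from a real response).
SAMPLE_API_DISABLED = b"""{"error": {"code": 403, "message": "Access Not Configured.",
  "errors": [{"domain": "usageLimits", "reason": "accessNotConfigured",
              "message": "Access Not Configured."}]}}"""
SAMPLE_IAM_DENIED = b"""{"error": {"code": 403, "message": "Forbidden",
  "errors": [{"domain": "global", "reason": "forbidden", "message": "Forbidden"}]}}"""


def triage_403(body, caller_project, target_project):
    """Classify a 403 body from a cross-project call; returns (cause, advice).

    With the Google API client, the body is available as HttpError.content.
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    try:
        err = json.loads(body)["error"]
        reasons = {e.get("reason") for e in err.get("errors", [])}
        message = err.get("message", "")
    except (ValueError, KeyError, TypeError, AttributeError):
        # Not the expected JSON shape: do not guess, check both sides by hand.
        return ("unknown", "unparseable 403 body; check both projects manually")

    if API_DISABLED in reasons:
        return ("api_disabled",
                "enable the API in the calling project: " + caller_project)
    if IAM_DENIED in reasons:
        return ("iam_denied",
                "check the service account's role in the target project: "
                + target_project)
    return ("unknown", message or "no reason given; check both projects manually")


if __name__ == "__main__":
    for sample in (SAMPLE_API_DISABLED, SAMPLE_IAM_DENIED, b"<html>403</html>"):
        print(triage_403(sample, "projectA", "projectB"))
```

Logging the returned cause next to the caller and target project IDs makes it visible which side of a cross-project call needs the change.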

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow