Question

I'm trying to access a pull queue from Google Compute with the Compute OAuth token using Python:

    from oauth2client import gce
    from apiclient.discovery import build
    import httplib2

    credentials = gce.AppAssertionCredentials('')
    http = httplib2.Http()
    http = credentials.authorize(http)
    credentials.refresh(http)
    service = build('taskqueue', 'v1beta2', http=http)
    tq = service.taskqueues()
    tq.get(project=MY_APPENGINE_PROJECT, taskqueue=PULL_QUEUE_NAME, getStats=True).execute()

I keep getting HttpError 403 "you are not allowed to make this api call".

Please help, what configuration am I missing?

Thanks, Shay


Solution

UPDATE: Thanks to @Shay for asking this question, the issue he encountered is no longer an issue, as we have allowed aliases to work (when relevant) in the Task Queue API.

For posterity here is the original answer below:


Two of the most common mistakes I have seen are:

  1. Forgetting to include the s~ in your App Engine Project. For example, if your application ID is my-awesome-app, then you are calling

    tq.get(project='my-awesome-app', taskqueue=PULL_QUEUE_NAME...
    

    when you should be calling

    tq.get(project='s~my-awesome-app', taskqueue=PULL_QUEUE_NAME...
    
  2. Forgetting to add the Compute service account to the task queue ACL in queue.yaml. To do this, you need to get the service account associated with your project and add it to the acl:

    queue:
    - name: pull-queue
      mode: pull
      acl:
      - writer_email: 123845678986@project.gserviceaccount.com    # can do all
    

    and of course this would mean PULL_QUEUE_NAME = 'pull-queue' here. Also note, 123845678986@project.gserviceaccount.com should be replaced with the service account for your Compute Engine instance.
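
A preflight check for the two mistakes above, as an added example that is not part of the original answer. It assumes queue.yaml has already been loaded into a dict by a YAML parser; the function names, the sample config and the 999999999999 account are constructed for illustration, and the s~ check follows the original answer (per the update, aliases are now accepted).

```python
# Added example (not from the original answer): diagnose the two 403 causes.
# Constructed sample: the structure a YAML loader would return for the
# queue.yaml shown in the answer, plus a push queue for contrast.
SAMPLE_QUEUE_CONFIG = {
    "queue": [
        {"name": "default", "rate": "5/s"},
        {"name": "pull-queue", "mode": "pull",
         "acl": [{"writer_email": "123845678986@project.gserviceaccount.com"}]},
    ]
}


def api_project_id(app_id):
    """Return the project value in the s~ form the original answer calls for."""
    return app_id if app_id.startswith("s~") else "s~" + app_id


def preflight(queue_config, project, queue_name, service_account):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not project.startswith("s~"):
        findings.append("project %r lacks the s~ prefix; use %r"
                        % (project, api_project_id(project)))
    queues = {q.get("name"): q for q in queue_config.get("queue") or []}
    queue = queues.get(queue_name)
    if queue is None:
        findings.append("queue %r is not defined in queue.yaml" % queue_name)
        return findings
    if queue.get("mode") != "pull":
        findings.append("queue %r is not a pull queue (mode: pull)" % queue_name)
    # Only writer_email entries are examined, matching the ACL in the answer.
    writers = {(entry.get("writer_email") or "").strip().lower()
               for entry in queue.get("acl") or []}
    writers.discard("")
    if service_account.strip().lower() not in writers:
        findings.append("%s is not a writer_email in the acl of %r"
                        % (service_account, queue_name))
    return findings


if __name__ == "__main__":
    # Constructed inputs: unprefixed project and an account absent from the ACL.
    for line in preflight(SAMPLE_QUEUE_CONFIG, "my-awesome-app", "pull-queue",
                          "999999999999@project.gserviceaccount.com"):
        print("FINDING:", line)
```

Keeping the ACL limited to the one service account that needs the queue means a 403 for any other identity is the expected result, not a misconfiguration.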

Licensed under: CC-BY-SA with attribution