Question

In attempting to write a python script to access GCS using service-based authorization, I have come up with the following. Note that 'key' is the contents of my p12 file.

I am attempting to just read the list of buckets on my account. I have successfully created one bucket using the web interface to GCS, and can see that with gsutil.

When I execute the code below I get a 403 error. At first I thought I was not authorized correctly, but I tried from this very useful web page (which uses web-based authorization), and it works correctly. https://developers.google.com/apis-explorer/#p/storage/v1beta1/storage.buckets.list?projectId=&_h=2&

When I look at the headers and query string and compare them to the headers and query of the website-generated request I see that there is no authorization header, and that there is no key= tag in the query string. I suppose I thought that the credential authorization would have taken care of this for me.

What am I doing wrong?

code:

credentials = SignedJwtAssertionCredentials(
      'xxx-my-long-email-from-the-console@developer.gserviceaccount.com',
      key,
      scope='https://www.googleapis.com/auth/devstorage.full_control')
http = httplib2.Http()
http = credentials.authorize(http)

service = build("storage", "v1beta1", http=http)

# Build the request

request = service.buckets().list(projectId="159910083329")

# Diagnostic

pprint.pprint(request.headers)
pprint.pprint(request.to_json())

# Do it!

response = request.execute()

When I try to execute I get the 403.


Solution

I got this working, however, the code I used is not fundamentally different from the snippet you posted. Just in case you'd like to diff my version with yours, attached below is a complete copy of a Python program that worked for me. I initially got a 403, just like you, which was due to inheriting your project id :). After updating that value to use my project ID, I got a correct bucket listing. Two things to check:

  1. Make sure the project id you are using is correct and has the "Google Cloud Storage JSON API" enabled on the Google Developer Console "Services" tab (it's a different service from the other Google Cloud Storage API).

  2. Make sure you are loading the service account's private key exactly as it came from the developer's console. I would recommend reading it into memory from the file you downloaded, as I've done here, rather than trying to copy it into a string literal in your code.


#!/usr/bin/env python

import pprint
import oauth2client
from oauth2client.client import SignedJwtAssertionCredentials
import httplib2
from apiclient.discovery import build

# Read the .p12 in binary mode so the key bytes are not altered on any platform.
with open('key.p12', 'rb') as f:
    key = f.read()

credentials = SignedJwtAssertionCredentials(
      'REDACTED',
      key,
      scope='https://www.googleapis.com/auth/devstorage.full_control')
http = httplib2.Http()
http = credentials.authorize(http)

service = build("storage", "v1beta1", http=http)

# Build the request

request = service.buckets().list(projectId="REDACTED")

# Diagnostic

pprint.pprint(request.headers)
pprint.pprint(request.to_json())

# Do it!

response = request.execute()
pprint.pprint(response)
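
Check 2 in the answer above can be tested before any request is sent. The following is an added example, not code from the answer: a standard-library Python 3 sketch that verifies the loaded key bytes still form one complete DER structure. It assumes the downloaded .p12 uses definite-length DER encoding; the function names and the sample bytes are constructed for illustration.

```python
import base64

def der_total_length(data):
    """Total size declared by an outer DER SEQUENCE header, or None."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                          # short form: length in one byte
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:  # indefinite or implausible length
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_p12_bytes(data):
    """Classify key material: 'ok', 'not-bytes', 'not-der' or 'length-mismatch'."""
    if not isinstance(data, (bytes, bytearray)):
        return "not-bytes"        # e.g. a text string pasted into the source
    declared = der_total_length(data)
    if declared is None:
        return "not-der"          # e.g. base64 text or a PEM file
    if declared != len(data):
        return "length-mismatch"  # truncated, padded or newline-translated
    return "ok"

def load_p12(path):
    """Read the key in binary mode and refuse bytes that fail the framing check."""
    with open(path, "rb") as f:
        data = f.read()
    status = check_p12_bytes(data)
    if status != "ok":
        raise ValueError("key file %s failed framing check: %s" % (path, status))
    return data

# Constructed sample, not a real key: a 300-byte body behind a SEQUENCE header.
SAMPLE = b"\x30\x82\x01\x2c" + b"\x02\x01\x03" + b"\r\n" * 3 + bytes(291)

if __name__ == "__main__":
    print(check_p12_bytes(SAMPLE))                          # intact bytes
    print(check_p12_bytes(SAMPLE.replace(b"\r\n", b"\n")))  # newline translation
    print(check_p12_bytes(base64.b64encode(SAMPLE)))        # base64 text, not DER
    print(check_p12_bytes(SAMPLE.decode("latin-1")))        # text string, not bytes
```

A result of "ok" confirms only that the outer framing survived loading; it does not show that the key belongs to the service account or that the project has the API enabled.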
License: CC-BY-SA with attribution
Not affiliated with StackOverflow