
Access Denied: BigQuery: Missing required OAuth scope. Need BigQuery or Cloud Platform writ

    Access Denied: BigQuery BigQuery: Missing required OAuth scope. Need BigQuery or Cloud Platform write scope.

I am running gcloud commands on a GCP VM that's authenticated as the service account in the project with the BQ datasets. I have now added 100% of the available permissions to the user — 7687/7687 are excess — and am still receiving this error. 

Can you please let me know which permissions I am missing?

Full response: 

/usr/lib/google-cloud-sdk/platform/bq/bq.py:17: DeprecationWarning: 'pipes' is deprecated and slated for removal in Python 3.13
import pipes
Upload complete.
BigQuery error in load operation: Error processing job 'leadbox-
analytics:bqjob_r28cadb4c97b80fc2_0000018c123dcce8_1': Access Denied: BigQuery BigQuery: Missing required OAuth
scope. Need BigQuery or Cloud Platform write scope.

1 ACCEPTED SOLUTION

The error message "Access Denied: BigQuery BigQuery: Missing required OAuth scope. Need BigQuery or Cloud Platform write scope" indicates that the issue lies with the OAuth scopes of the GCP VM instance from which you are executing the gcloud commands, not with the permissions of the service account itself. OAuth scopes define the extent of access the VM instance has to Google Cloud services. Even if the service account possesses all the required IAM roles, the VM instance won't be able to perform certain operations on BigQuery if it lacks the appropriate OAuth scopes.

To address this error, you must ensure that the VM instance has the correct OAuth scopes. Here's the procedure:

Checking Current OAuth Scopes

  1. Verify Current Scopes: Verify the current scopes of your VM instance using the following command:
 
    gcloud compute instances describe [INSTANCE_NAME] --format='value(serviceAccounts[].scopes[])'

Replace [INSTANCE_NAME] with the name of your VM instance.

  2. Identifying Missing Scopes: If the necessary BigQuery scopes are absent, you'll need to set them. The likely required scopes are:

Modifying OAuth Scopes

Unfortunately, modifying the scopes of an existing VM instance directly is not possible. You'll either need to create a new instance with the correct scopes or stop and edit the existing instance.

Option 1: Creating a New VM Instance with Correct Scopes

  1. Create New Instance: If creating a new instance, use the --scopes flag to specify the necessary scopes:
 
    gcloud compute instances create [NEW_INSTANCE_NAME] \
        --scopes=https://www.googleapis.com/auth/bigquery,https://www.googleapis.com/auth/cloud-platform \
        [OTHER_OPTIONS]

Replace [NEW_INSTANCE_NAME] with the name for your new instance, and [OTHER_OPTIONS] with any other configuration options you need.

  2. Migrate to New Instance: If you created a new instance, transfer any necessary data or configurations from the old instance to the new one.

Option 2: Stopping and Editing the Existing Instance

  1. Stop Existing Instance: Stop the existing VM instance using the gcloud compute instances stop [INSTANCE_NAME] command.

  2. Edit Scope: Edit the instance configuration to include the required OAuth scopes.

  3. Restart Instance: Restart the instance using the gcloud compute instances start [INSTANCE_NAME] command.

Considerations

Modifying VM instances and their scopes can affect other services and applications running on those instances. Be sure to plan and test accordingly to avoid disruptions.

By following either of the two options described, you should be able to resolve the OAuth scope issue and allow your gcloud commands to interact with BigQuery as expected.
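The scope check and the stop-and-edit option described in the accepted answer, as an added shell example that is not part of the original post. The function names, the instance name `example-vm`, the zone `us-central1-a` and the sample scope list are constructed for illustration, and `gcloud compute instances set-service-account` is assumed as the command for the "Edit Scope" step; the fix is printed, not executed.

```shell
#!/bin/sh
# Added example: decide whether a VM's access scopes allow BigQuery writes.
# Live input would come from the describe command in the answer above:
#   gcloud compute instances describe NAME \
#       --format='value(serviceAccounts[].scopes[])'

# The two scopes the answer passes to --scopes.
BQ_SCOPE="https://www.googleapis.com/auth/bigquery"
CP_SCOPE="https://www.googleapis.com/auth/cloud-platform"

# Split a scope list on ';', ',', spaces, tabs or newlines: one scope per line.
split_scopes() {
    printf '%s\n' "$1" | tr ';, \t' '\n\n\n\n' | sed '/^$/d'
}

# Print the first scope that grants BigQuery write access, or "none" (status 1).
# grep -Fx matches whole lines only, so bigquery.readonly and
# cloud-platform.read-only are not mistaken for the write scopes.
bq_write_scope() {
    split_scopes "$1" | grep -Fx -m1 -e "$BQ_SCOPE" -e "$CP_SCOPE" \
        || { echo "none"; return 1; }
}

# --scopes replaces the instance's whole scope list, so the new value has to
# carry the existing scopes plus the BigQuery one.
merged_scopes() {
    { split_scopes "$1"; echo "$BQ_SCOPE"; } | sort -u | paste -sd, -
}

# Print (never run) the stop / re-scope / start sequence for a hypothetical
# instance name and zone; the instance must be stopped to change scopes.
print_fix() {   # print_fix INSTANCE ZONE CURRENT_SCOPES
    echo "gcloud compute instances stop $1 --zone=$2"
    echo "gcloud compute instances set-service-account $1 --zone=$2 --scopes=$(merged_scopes "$3")"
    echo "gcloud compute instances start $1 --zone=$2"
}

# Constructed sample: read-only scopes that look similar to the write scopes.
SAMPLE="https://www.googleapis.com/auth/bigquery.readonly;https://www.googleapis.com/auth/cloud-platform.read-only"

if ! bq_write_scope "$SAMPLE" >/dev/null; then
    print_fix example-vm us-central1-a "$SAMPLE"
fi
```

The printed command adds only the narrower `bigquery` scope; what the service account can actually do in BigQuery is still decided by its IAM roles.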
