Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Storage: app_identity_service.GetAccessToken NOT_ALLOWED

See original GitHub issue
  • GAE standard env
  • google-cloud-storage==1.9.0

steps to reproduce:

  • create a long-lived Bucket object
  • do some file operations, under the hood it will get an access_token from IdentityService for you
  • keep your Bucket instance live for at least 1h (so that access token can expire)
  • next time when you’ll try to get a fresh token from IdentityService it will raise NotAllowed exception

code example: https://github.com/zyzniewski/app_identity_service_bug/blob/master/main.py

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Reactions:1
  • Comments:7 (3 by maintainers)

github_iconTop GitHub Comments

1reaction
theacodescommented, May 29, 2018

Yeah there’s definitely a possibility that App Engine can’t do authentication outside of a request context, so I would suggest creating your client during your request.

Also, we don’t fully support App Engine standard yet in these libraries. See #1893.

0reactions
jacobgcommented, Jan 10, 2019

I’m also running into this issue with the Firebase Admin SDK on GAE Python 2.7. I call firebase_admin.initialize_app() when the app starts up. I thought maybe that happens under /_ah/warmup request. And it works fine, but then after an hour, when it needs to refresh during another request, it fails. But how is that out of “request context”? Or do you mean that a request can’t refresh a token that a different request originally generated?

If I call firebase_admin.initialize_app() on every request where I need it, will that add latency? Are there any other throttles on # of access tokens generated?

  File "/base/data/home/apps/s~f/1.415261650055915972/sitepackages/prod/firebase_admin/auth.py", line 252, in get_user_by_email
    response = user_manager.get_user(email=email)
  File "/base/data/home/apps/s~f/1.415261650055915972/sitepackages/prod/firebase_admin/_user_mgt.py", line 397, in get_user
    response = self._client.request('post', 'getAccountInfo', json=payload)
  File "/base/data/home/apps/s~f/1.415261650055915972/sitepackages/prod/firebase_admin/auth.py", line 513, in request
    resp = self.session.request(method, self.ID_TOOLKIT_URL + urlpath, **kwargs)
  File "/base/data/home/apps/s~f/1.415261650055915972/sitepackages/prod/google/auth/transport/requests.py", line 198, in request
    self._auth_request, method, url, request_headers)
  File "/base/data/home/apps/s~f/1.415261650055915972/sitepackages/prod/google/auth/credentials.py", line 122, in before_request
    self.refresh(request)
  File "/base/data/home/apps/s~f/1.415261650055915972/sitepackages/prod/google/auth/app_engine.py", line 118, in refresh
    self._scopes, self._service_account_id)
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/7e468a4e2dbc991a/python27/python27_lib/versions/1/google/appengine/api/app_identity/app_identity.py", line 605, in get_access_token
    scopes, service_account_id=service_account_id)
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/7e468a4e2dbc991a/python27/python27_lib/versions/1/google/appengine/api/app_identity/app_identity.py", line 558, in get_access_token_uncached
    return rpc.get_result()
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/7e468a4e2dbc991a/python27/python27_lib/versions/1/google/appengine/api/apiproxy_stub_map.py", line 615, in get_result
    return self.__get_result_hook(self)
  File "/base/alloc/tmpfs/dynamic_runtimes/python27g/7e468a4e2dbc991a/python27/python27_lib/versions/1/google/appengine/api/app_identity/app_identity.py", line 529, in get_access_token_result
    raise _to_app_identity_error(err)
NotAllowed
Read more comments on GitHub >

github_iconTop Results From Across the Web

Interface AppIdentityService (2.0.0) | Google App Engine ...
The AppIdentityService allows you to sign an arbitrary byte array using a per app ... Most developers should use getAccessToken instead.
Read more >
No 'Access-Control-Allow-Origin' header with resumable upload
Ran into this problem and discovered that it was due to a missing "origin" header in the initial POST request coming from App...
Read more >
Google-cloud-storage CORS Setting - iTecNote
I've done the CORS set to bucket of google cloud storage, there is no Access-Control-Allow-Origin ... getScopes(); String accessToken = appIdentityService.
Read more >
Diff - external/googleappengine/python - Google Git
+ # We are not allowed to begin fetching the response to this new + ... + See https://developers.google.com/storage/docs/xml-api-overview ...
Read more >
com.google.appengine.api.appidentity.AppIdentityService ...
getAccessToken (scopes); ... AppIdentityService (Showing top 18 results out of 315) ... Uploading files to Google Cloud Storage using JSON API, ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Stackdriver: list descending entries fails after a short moment

Next page

General: v0.33.0 pip install fails