Re: ACCESS_TOKEN_SCOPE_INSUFFICIENT when debugging...

Antoine_Compagn · 05-29-2022 02:40 PM

I wanted to deploy this website to a GCP VM, using the free tier, following this tutorial, but unfortunately, when I click Live preview I get the following message:

There has been a critical error on this website. Please check your site admin email inbox for instructions.
Learn more about troubleshooting WordPress.

The first thing I thought when I searched the Internet was that my machine did not have enough RAM memory as explained in this forum post:

So I tried to open the logs with SSH on GCP but I seem to be missing permissions:

officialdataguild@the-data-guild-wordpress-website-vm:~$ gcloud app --project data-guild instances enable-debug
ERROR: (gcloud.app.instances.enable-debug) User [404558716940-compute@developer.gserviceaccount.com] does not have permission to access apps instance [data-guild] (or it may not exist): Request had insufficient authentication scopes.
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: googleapis.com
  metadata:
    method: google.appengine.v1.Services.ListServices
    service: appengine.googleapis.com
  reason: ACCESS_TOKEN_SCOPE_INSUFFICIENT

If you are in a compute engine VM, it is likely that the specified scopes during VM creation are not enough to run this command.
See https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam for more information about access scopes.
See https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes for how to update access scopes of the VM.

The first link allows me to know that I have to enable the associated API in the project.

Access levels only work if the associated API has been enabled in the project to which the service account belongs. For example, granting an access level to Google Cloud Storage on a virtual machine instance allows the instance to call the Cloud Storage API only if you have enabled the Cloud Storage API in the project.

So how can I enable the associated API in my project?

From the deployment manager dashboard I tried to identify the VM's instance name

Yet it seems I still have a scope problem ...

officialdataguild@the-data-guild-wordpress-website-vm:~$ gcloud compute ssh the-data-guild-wordpress-website-vm --project=the-data-guild-website
Did you mean zone [us-central1-c] for instance: [the-data-guild-wordpress-website-vm] (Y/n)?  

ERROR: (gcloud.compute.ssh) Could not fetch resource:
 - Request had insufficient authentication scopes.

But now it's even stuck to this message:

So I went to the log explorer page but it seems there is nothing when I click on the theme live preview on wp-admin themes page:

grobledo

Taking a look at the logs, most probably the issue was at the creation of the VM; when you first turned on the instance, a window pops up asking to confirm for the scopes it is allowed to, if any of the boxes is not checked, this can happen.

Although it is possible to assign those scopes manually to the already created instance, I recommend going through the automatic setup again, since it is not easy to determine which scopes are needed for a specific implementation like this.

Here you can take a look at the Access Scopes documentation so you can understand them better.

Antoine_Compagn

Hi and thanks for your answer @grobledo ! Unfortunately I haven't seen any windows pop up like these when creating the Virtual Machine with bitnami. Actually, it happens exactly as in the video

ACCESS_TOKEN_SCOPE_INSUFFICIENT when debugging a website hosted on a GCP VM, how can I enable the as