
We’re using Google APIs Client Library for PHP (https://github.com/googleapis/google-api-php-client) using authentication with Service Accounts.

The code is

```php
// Point Application Default Credentials at the service account key file.
putenv('GOOGLE_APPLICATION_CREDENTIALS=' . $google_api_key_file_path);
$client = new Google_Client();
$client->setApplicationName('Google Translate API');
$client->useApplicationDefaultCredentials();
// OAuth scope requested for the access token.
$client->addScope(Google_Service_Translate::CLOUD_TRANSLATION);
$service = new Google_Service_Translate($client);
$projects = $service->projects;
// Build the v3 translateText request.
$postbody = new Google_Service_Translate_TranslateTextRequest();
$postbody->setContents($contents);
$postbody->setSourceLanguageCode($source_lang);
$postbody->setTargetLanguageCode($target_lang);
$result = $projects->translateText('projects/myproject', $postbody)->translations;
```

The code worked fine until about a month ago, but now returns this error:

```json
{
  "error": {
    "code": 403,
    "message": "Request had insufficient authentication scopes.",
    "errors": [
      {
        "message": "Insufficient Permission",
        "domain": "global",
        "reason": "insufficientPermissions"
      }
    ],
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
        "domain": "googleapis.com",
        "metadata": {
          "service": "translate.googleapis.com",
          "method": "google.cloud.translation.v3.TranslationService.TranslateText"
        }
      }
    ]
  }
}
```

Nothing has changed at the code level or at the account settings level on Google.

The API is enabled and the same Service Account works fine with other APIs.


We tried disabling and re-enabling the API again.

2 Answers


  1. Scope is basically defined as what you are allowed to query. So if you have a token that has read-only access to list A, and you try to use it to update list A, you will receive an out-of-scope error (general API usage).

    The scope is not set on the code being run to fetch the data; the scope is defined on the token. So you either need to update the token's scope, or you need to determine what data your code is trying to fetch and modify it.

    Take a GitHub personal access token as an example. When you create it you have to define its scope: is it allowed to administer a repository, read users' comments, be used in a notification context, etc.

    As you aren't using a token, and are using default credentials, do you know for a fact that the user identified by those credentials has the correct scope/authorization (not authentication!)?

    Google text translation requires one of the following OAuth scopes:

    https://www.googleapis.com/auth/cloud-translation
    https://www.googleapis.com/auth/cloud-platform

    I would just check the account that is using the credential or ask Google.

    HTH

  2. Add the OAuth Scope CLOUD_PLATFORM when creating the client.

    $client->addScope(Google_Service_Translate::CLOUD_PLATFORM);
    

    Google has been tightening security and adjusting the permissions granted by IAM roles and OAuth Scopes. Without granting the CLOUD_PLATFORM scope, the IAM roles assigned to the service account will not be granted. My guess is that the translation service is using some APIs that Google Cloud manages (e.g. storage). However, I do not know the details of the underlying service.

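To tell a token-scope denial apart from other 403 causes, the following added example (not code from the question or either answer) inspects the `ACCESS_TOKEN_SCOPE_INSUFFICIENT` reason from the error above and compares a token's scopes with the list quoted in the first answer. The function names and the tokeninfo-style sample are assumptions constructed for illustration.

```php
<?php
// Added example, not the asker's code. ACCEPTED_SCOPES is the list quoted in
// the first answer; both sample inputs below are constructed for illustration.
const ACCEPTED_SCOPES = [
    'https://www.googleapis.com/auth/cloud-translation',
    'https://www.googleapis.com/auth/cloud-platform',
];

/** True when a decoded Google API error body is a token-scope denial. */
function isScopeDenial(array $body): bool
{
    $error = $body['error'] ?? [];
    if (($error['status'] ?? '') !== 'PERMISSION_DENIED') {
        return false;
    }
    foreach ($error['details'] ?? [] as $detail) {
        if (($detail['reason'] ?? '') === 'ACCESS_TOKEN_SCOPE_INSUFFICIENT') {
            return true;
        }
    }
    return false;
}

/** Scopes from ACCEPTED_SCOPES that the token actually carries. */
function matchingScopes(array $tokenInfo): array
{
    $granted = preg_split('/\s+/', trim($tokenInfo['scope'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_intersect(ACCEPTED_SCOPES, $granted));
}

// Error body trimmed from the 403 in the question.
$errorJson = <<<'JSON'
{"error": {"code": 403, "status": "PERMISSION_DENIED", "details": [
  {"@type": "type.googleapis.com/google.rpc.ErrorInfo",
   "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT", "domain": "googleapis.com",
   "metadata": {"service": "translate.googleapis.com"}}]}}
JSON;

// Constructed tokeninfo-style response for a token minted without a Translation scope.
$tokenInfo = ['scope' => 'https://www.googleapis.com/auth/devstorage.read_only', 'expires_in' => 3540];

$body = json_decode($errorJson, true, 512, JSON_THROW_ON_ERROR);
if (isScopeDenial($body)) {
    $ok = matchingScopes($tokenInfo);
    echo $ok === []
        ? "Scope denial: token carries none of: " . implode(', ', ACCEPTED_SCOPES) . PHP_EOL
        : "Scope denial, yet token carries: " . implode(', ', $ok) . PHP_EOL;
} else {
    echo "Not a scope denial; check IAM roles and API enablement instead." . PHP_EOL;
}
```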