403 “Request had insufficient authentication scopes” during gcloud container cluster get-credentials

Question

From a VM in GCE, I did the following

gcloud auth activate-service-account --key-file 
# \"blah\" is a service account key file (JSON) I generate         


        

Answer 1

There is now a solution (in beta and alpha only) to set scope on an existing GCE VM. All it needs to be successful is to stop the VM before executing the command.

First, you should be aware (and copy) current scopes of your VM so you can set them along with your new scopes, use:

gcloud compute instances describe your-instance

At the bottom you should see a list of scopes, copy them.

Then, read documentation for this command in beta (available to everyone but to be used at your own risk): https://cloud.google.com/sdk/gcloud/reference/beta/compute/instances/set-scopes

Before you execute this command, stop the instance from the GCE page and wait for it to be shut down. A scary warning will appear, be aware that if the VM does not shut down gracefully in 90 seconds (= all processes and services successfully turned off) the file system might get corrupt when force shutting down the VM. Take good note and backup important files if you feel unsafe about this.

For me, with the existing scopes plus the new one (cloud-platform) the resulting set-scopes command was:

gcloud beta compute instances set-scopes my-instance --zone=us-central1-a --scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/trace.append,https://www.googleapis.com/auth/cloud-platform