How do I clone a repo from Source Repositories to Compute Engine to pull it manually when needed


On my local macOS the following command worked fine:

$ gcloud source repos clone myrepo --project=myproject

(though I'm not sure it worked not because previously I followed the ~/.gitcookies procedure)

But when I do this on CE:

$ gcloud source repos clone myrepo --project=myproject
ERROR: (gcloud.source.repos.clone) PERMISSION_DENIED: Request had insufficient authentication scopes.

$ gcloud source repos list
ERROR: (gcloud.source.repos.list) User [<digits>[email protected]] does not have permission to access project [<myproject>] (or it may not exist): Request had insufficient authentication scopes.

$ gcloud auth list
                  Credentialed Accounts
ACTIVE  ACCOUNT
*       <digits>[email protected]

In the IAM tab I see this service account has the "Editor access to all resources", but it does not help, even if I add the Source Repository Read+Write roles.

UPD: also I can't find the .clone role in the Roles tab:


$ gcloud help source repos

COMMANDS
    COMMAND is one of the following:

     clone
        Clone a cloud source repository.
     create
        Create a cloud source repository.
     delete
        Delete a cloud source repository.
     describe
        Describe a cloud source repository.
     get-iam-policy
        Get the IAM policy for the named cloud source repository.
     list
        List the repositories the currently active project.
     set-iam-policy
        Set the IAM policy for the named repository.

But it is probably included in .get and so Reader that I already tried:


UPD2: sudo /usr/local/share/google/google-cloud-sdk/bin/gcloud components update did not help.

The only two options I imagine right now are either edit the

enter image description here

(it is the only thing I've found on the Internet that seems to be a solution, but that blog post is written in some eastern language so I'm not sure) but it would need the VM to be stopped, which is not acceptable.

Or forge another service account, but I'm not sure that switching it in the gcloud CLI won't break other applications running on that machine. Or maybe I can use it only once when cloning the repo and it will stick with it?


There are 2 best solutions below

2
On

If you are using the service account of the Google Compute Engine instance, as you can read here [1], you need to set the access scope for Cloud Source Repositories to Full or Read/Write. To do that you must stop the instance.

If you do not want to stop the instance, you can create a new Service Account and use the following command to activate the service account:

$ gcloud auth activate-service-account --key-file=[KEY.JSON]

and this one to start using the new service account with the gcloud tool:

$ gcloud init

If you use the role editor in this new service account, there is a known issue as the role editor does not have the source.repos.create permission.

$ gcloud iam roles describe roles/editor | grep "source.repos"

  • source.repos.get
  • source.repos.getIamPolicy
  • source.repos.list
  • source.repos.update

As a workaround, in order to create a Cloud Source Repository you would need to have the role "roles/source.admin", as you can read here [2]: "Provides permissions to create, update, delete, list, clone, fetch, and browse repositories. Also provides permissions to read and change IAM policies."

Here [3] you can keep track of the status of this issue, but keep in mind that there is no ETA nor guarantee that it will be fixed.

[1] https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam

[2] https://cloud.google.com/iam/docs/understanding-roles#source_repository_roles

[3] https://issuetracker.google.com/80329938
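
An added example, not part of the answer above: a shell check for the condition behind "Request had insufficient authentication scopes". The VM's token is limited by its access scopes regardless of the IAM roles granted to the service account, so the script classifies the scope list the metadata server reports. The function names and the sample scope list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): classify a VM's access scopes.

# Fetch the scope list for the VM's default service account.
# Only works on a Compute Engine instance; not called automatically.
fetch_scopes() {
    curl -s -H 'Metadata-Flavor: Google' \
      'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# Read one scope URL per line on stdin and print the broadest
# Cloud Source Repositories access the token can carry:
# full, read_write, read_only or none.
source_repo_access() {
    level=none
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r scope || [ -n "$scope" ]; do
        case "$scope" in
            */auth/cloud-platform|*/auth/source.full_control)
                level=full ;;
            */auth/source.read_write)
                if [ "$level" != full ]; then level=read_write; fi ;;
            */auth/source.read_only)
                if [ "$level" = none ]; then level=read_only; fi ;;
        esac
    done
    echo "$level"
}

# Constructed sample: a scope list without any Source Repositories scope.
SAMPLE_DEFAULT_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write'

# With these scopes, adding IAM roles to the service account changes nothing.
printf 'sample VM scopes -> source repo access: %s\n' \
    "$(printf '%s\n' "$SAMPLE_DEFAULT_SCOPES" | source_repo_access)"
```

On the instance itself, run `fetch_scopes | source_repo_access`; a result of `none` means the scopes, not the IAM roles, are what blocks the request.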

0
On

You can enable Full Access to All Cloud APIs from instance settings. You will need to stop the VM though first. Just click on the instance name, press Stop, then wait and once it's stopped, press Edit and check the appropriate settings for API Access. Then Start the instance.