Can you clarify which service account you are using?

Based on the error you've linked to [1] (for some reason, your link showed nothing), I agree with your conclusion.

However, the config file you've linked to is not owned by LUCI Milo owners. So, please ask one of https://chrome-internal.googlesource.com/chromeos/manifest-internal/+/0e5d594f284d332bcb2d36080981ae4e690d613e/OWNERS to add your service account as a reader to ChromeOS project.
+akeshet@



[1] https://pantheon.corp.google.com/logs/viewer?project=luci-milo&minLogLevel=0&expandAll=false&timestamp=2018-08-13T19%3A14%3A45.612000000Z&customFacets&limitCustomFacetWidth=true&interval=PT1H&resource=gae_app%2Fmodule_id%2Fdefault&scrollTimestamp=2018-08-13T16%3A55%3A50.869991000Z&logName=projects%2Fluci-milo%2Flogs%2Fappengine.googleapis.com%252Frequest_log&dateRangeUnbound=backwardInTime&advancedFilter=resource.type%3D%22gae_app%22%0Aresource.labels.zone%3D%22us10%22%0Aresource.labels.project_id%3D%22luci-milo%22%0Aresource.labels.version_id%3D%223383-279b300%22%0Aresource.labels.module_id%3D%22default%22%0Atimestamp%3D%222018-08-13T16%3A55%3A50.869991000Z%22%0AinsertId%3D%225b71b81700041a2573989af1%22&dateRangeStart=2018-08-13T18%3A14%3A45.612Z&dateRangeEnd=2018-08-13T19%3A14%3A45.612Z

Don, it looks like you're in the OWNERS file.

Note that Milo's auth is only set up to authorize at the project level:

https://github.com/luci/luci-go/blob/master/milo/common/acl.go#L49

So, while adding this service account to the top-level project access list would presumably work, it isn't ideal from an access control perspective since it would give the service account broad rights.

> #3
correct. Using buildbucket v2 will resolve the problem. It checks only ACLs specified in cr-buildbucket.cfg

--

Don, consider adding
  
  access: "the-em-drive@appspot.gserviceaccount.com"

to

https://chrome-internal.googlesource.com/chromeos/manifest-internal/+/0e5d594f284d332bcb2d36080981ae4e690d613e/project.cfg#

That's a ChromeOS repository, so the OWNERs file is not enforced in any way.

I can add it to the top level project, but is that an acceptable solution? Or are we agreeing that 'it will do for now' until we are 100% on Swarming and the CI API can take over?

Buildbucket V2 does not support Steps for Buildbot, so cannot be used as of today for things like CQ. Hence why I need to get Milo data :)

project access is used in two places:
1) luci-config uses it to decide whether a requester is allowed to read configs of a particular project, or see the project existance
2) milo checks project access as the first step in all requests where project is available (/p/* URLs), and then it checks more fine-grained ACLs (buildbucket)

i think adding the service account to project ACLs is acceptable. Buildbucket ACLs are more sensitive than the project ACL

OK I'll do this.

This worked, took a long time to propagate though. Thank you!