Purusottam

Reputation: 693

Permission error for GCP logging router sink update

When calling sink.reload(), I am getting a permission error: 403 The caller does not have permission

Any help would be much appreciated.

Here's the code:


from google.cloud import logging


def update_sink(creds, sink_name, filter_):
    logging_client = logging.Client(credentials=creds)

    sink = logging_client.sink(sink_name)
    sink.reload()

    sink.filter_ = filter_
    print("Updated sink {}".format(sink.name))

    response = sink.update()

    return response

if __name__ == "__main__":
    # Scope
    # "https://www.googleapis.com/auth/cloud-platform",
    # "https://www.googleapis.com/auth/cloud-platform.read-only",
    # "https://www.googleapis.com/auth/cloudplatformprojects",
    # "https://www.googleapis.com/auth/cloudplatformprojects.readonly",
    # "https://www.googleapis.com/auth/compute",
    # "https://www.googleapis.com/auth/cloudkms",
    # "https://www.googleapis.com/auth/pubsub",
    # "https://www.googleapis.com/auth/logging.read",
    # "https://www.googleapis.com/auth/logging.write",
    # "https://www.googleapis.com/auth/logging.admin"
    creds = {} # OAuth Credentials with above scope
    sink_name = "<sink path with project>"
    filter_ = "<filter>"
    
    response = update_sink(creds, sink_name, filter_)
    
    print(response)

Upvotes: 0

Views: 2202

Answers (2)

Purusottam

Reputation: 693

I think one of the mistakes in my earlier program was that the project was not passed as part of Client initialization.

Also, sink.reload() is not needed. One can directly update the sink without calling reload() as well.

Here's the working code:

logging_client = logging.Client(project=project_id, credentials=self.creds)
sink = logging_client.sink(sink_name)
sink.filter_ = filter_
sink.destination = destination
response = sink.update(unique_writer_identity=True)

Upvotes: 0

Vishal Bulbule

Reputation: 309

If you are routing logs from a project to a sink, then the service account/account running the code needs the "Logging Admin" role on the project. Please verify that the service account running the code has the Logging Admin role to modify/update the sink.

Upvotes: 1
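A preflight check for the 403 discussed in both answers, added here as an example and not code from either poster: it splits a full sink path into the project and short sink name, then reports which sink permission the caller lacks before `reload()` or `update()` is attempted. The function names, the `demo-project`/`audit-sink` values and the use of the `google-cloud-resource-manager` package are assumptions.

```python
import re

# IAM permission Cloud Logging checks for each Sink call used on this page.
REQUIRED = {"reload": "logging.sinks.get", "update": "logging.sinks.update"}
_SINK_PATH = re.compile(r"^projects/([^/]+)/sinks/([^/]+)$")


def split_sink_path(sink_path):
    """Return (project_id, short_sink_name) from 'projects/<id>/sinks/<name>'."""
    match = _SINK_PATH.match(sink_path)
    if match is None:
        raise ValueError("expected projects/<id>/sinks/<name>, got %r" % sink_path)
    return match.group(1), match.group(2)


def missing_permissions(granted, calls=("reload", "update")):
    """Map each call that would be denied to the permission it lacks."""
    granted = set(granted)
    return {c: REQUIRED[c] for c in calls if REQUIRED[c] not in granted}


def granted_on_project(project_id, permissions, creds=None):
    """Ask Resource Manager which of `permissions` the caller actually holds.

    Assumption: google-cloud-resource-manager is installed (imported lazily).
    """
    from google.cloud import resourcemanager_v3

    client = resourcemanager_v3.ProjectsClient(credentials=creds)
    response = client.test_iam_permissions(
        request={"resource": "projects/" + project_id,
                 "permissions": list(permissions)}
    )
    return list(response.permissions)


def preflight(sink_path, calls=("reload", "update"), lookup=granted_on_project):
    """Return (project_id, sink_name, missing) without touching the sink."""
    project_id, sink_name = split_sink_path(sink_path)
    wanted = [REQUIRED[c] for c in calls]
    return project_id, sink_name, missing_permissions(lookup(project_id, wanted), calls)


if __name__ == "__main__":
    # Constructed stub: a caller that holds update but not get on the project.
    stub = lambda project, perms: ["logging.sinks.update"]
    print(preflight("projects/demo-project/sinks/audit-sink", lookup=stub))
```

An empty `missing` dict means the IAM side is in place for the listed calls; the returned project and short name can then be passed to `logging.Client(project=...)` and `client.sink(...)`.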
