My previous tokens expired on their one year anniversary. I was notified, and I purchased 100 more.
These new tokens are showing up in my account page when I log into
https://manage.autodesk.com/billing/subscriptions/?product=FLEXACCESS
Yet, when I try to connect to the Forge Oauth server programmatically:
curl -s $FORGE_URL/authentication/v1/authenticate \
-d client_id=$CLIENT_ID \
-d client_secret=$CLIENT_SECRET \
-d grant_type=client_credentials \
-d scope=data:read+data:write
Forge is still not allowing me to run models and is reporting to me:
{"fault":{"faultstring":"Developer Status is not Active","detail":{"errorcode":"keymanagement.service.DeveloperStatusNotActive"}}}
Is there a new client_id, client_secret or some kind of additional application I need to change to begin using my new credits?
Related
I'm trying to deploy Google Cloud Functions using a different service account. I have the service account properties saved to a json file. I swapped out the values to make it easier to read.
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/keys/mynewserviceaccount.json"
gcloud functions deploy MyFunction \
--runtime python37 \
--entry-point MyFunction \
--source src \
--service-account mynewserviceaccount#appspot.gserviceaccount.com \
--verbosity debug \
--stage-bucket staging.projectname.appspot.com \
--trigger-event providers/cloud.firestore/eventTypes/document.write \
--trigger-resource "projects/projectname/databases/(default)/documents/User/{userId}" &
mynewserviceaccount has the following roles. I've tried a few others and haven't had success.
- Cloud Functions Admin
- Cloud Functions Service Agent
- Errors Writer
- Service Account User
- Logs Writer
- Pub/Sub Subscriber
I've also ran
gcloud auth activate-service-account mynewserviceaccount#appspot.gserviceaccount.com --key-file "/path/to/keys/mynewserviceaccount.json"
When I run this, I get:
ERROR: (gcloud.functions.deploy) ResponseError: status=[403], code=[Forbidden], message=[The caller does not have permission]
When I try to find "gcloud.functions.deploy" in the Roles list, I don't see it. I don't know if this is an issue with documentation or an issue with the code.
The Docs on cloud functions states that if you want to deploy a function with a service account you have to do an extra step.
You must assign the user the IAM Service Account User role (roles/iam.serviceAccountUser) on the Cloud Functions Runtime service account.
if this was when running gcloud builds submit command, the most likely reason is Cloud Functions Developer role not being enabled for the Cloud Build service.
Navigate to Cloud Build > Settings
Enable Cloud Functions Developer Role
I have setup a compute instance called to run cronjobs on Google Compute engine using a service account with the following roles:
Custom Compute Image User + Deletion rights
Compute Admin
Compute Instance Admin (beta)
Kubernetes Engine Developer
Logs Writer
Logs Viewer
Pub/Sub Editor
Source Repository Reader
Storage Admin
Unfortunately, when I ssh into this cronjob runner instance and then run:
sudo gcloud compute --project {REDACTED} instances create e-latest \
--zone {REDACTED} --machine-type n1-highmem-8 --subnet default \
--maintenance-policy TERMINATE \
--scopes https://www.googleapis.com/auth/cloud-platform \
--boot-disk-size 200 \
--boot-disk-type pd-standard --boot-disk-device-name e-latest \
--image {REDACTED} --image-project {REDACTED} \
--service-account NAME_OF_SERVICE_ACCOUNT \
--accelerator type=nvidia-tesla-p100,count=1 --min-cpu-platform Automatic
I get the following error:
The user does not have access to service account {NAME_OF_SERVICE_ACCOUNT}. User: {NAME_OF_SERVICE_ACCOUNT} . Ask a project owner to grant you the iam.serviceAccountUser role on the service account.
Is there some other privilege besides compute instance admin that I need to be able to create instances with my instance?
Further notes: (1) when I try to not specify --service-account the error is the same except that the service account my user doesn't have access to is the default '51958873628-compute#developer.gserviceaccount.com'.
(2) adding/removing sudo doesn't change anything
Creating an instance that uses a service account requires you have the compute.instances.setServiceAccount permission on that service account. To make this work, grant the iam.serviceAccountUser role to your service account (either on the entire project or on the specific service account you want to be able to create instances with).
Find out who you are first
if you are using Web UI: what email address did you use to login?
if you are using local gcloud or terraform: find the json file that contains your credentials for gcloud (often named similarly to myproject*.json) and see if it contains the email: grep client_email myproject*.json
GCP IAM change
Go to https://console.cloud.google.com
Go to IAM
Find your email address
Member -> Edit -> Add Another Role -> type in the role name Service Account User -> Add
(You can narrow it down with a Condition, but lets keep it simple for a while).
Make sure that NAME_OF_SERVICE_ACCOUNT is service account from current project.
If you change project ID, and don't change NAME_OF_SERVICE_ACCOUNT, then you will encounter this error.
This can be checked on Google Console -> IAM & Admin -> IAM.
Then look for service name ....-compute#developer.gserviceaccount.com and check if numbers at the beginning are correct. Each project will have different numbers in this service name.
I am currently trying to update the user permissions on a project with the function PATCH: project / users (v2) for several services (BIM Docs, Field, Glue, Plan and Schedule) but for other services that Docs I have an error telling me that the services are invalid.
Code documentation here.
When I put only the permissions for project administration and Docs, it works.
However, i want to use the other services. So, when I set permissions for Docs, the rights for others are removed.
After several searches, I can't find a way to perform this command in cURL.
Here is the content:
curl -H "Content-Type: application/json"
-H "x-user-id: %user_admin_id%"
-H "Authorization: Bearer %TOKEN%"
-X PATCH https://developer.api.autodesk.com/hq/v2/accounts/:account_id/projects/:project_id/users/:user_id
-d '{
"services":
{"document_management":{"access_level":"user"},
"field_management:{"access_level":"user"}
},
"company_id":"%company_id%",
"industry_roles":["0b74b631-0a08-49ad-8f44-ada57d7de051"]
}'
Here the error :
"error":[{"message":"Invalid services
[\"field_management\"]","code":2000}]
I already tried field instead field_management.
Any solutions ?
Thanks.
You can not set permission through API, yet.
You can set a service to a project:
https://developer.autodesk.com/en/docs/bim360/v1/reference/http/projects-POST/
services-type parameter.
You also need to have a license to those sub services.
I cannot create a virtual machines in GCE.. While creating it is showing the error message, i have attached my screen-shot of error message.. i will briefly explain what i have done..
--> I have deleted my compute engine default service account from my service account list.. later i created new service account..
--> While creating virtual machines i selected newly created service account, vm creating was failed but the error shows the deleted service account id is not found under service account..
--> While creating vm's it is referring my deleted service account id..
Now what i need to do? Is there is any solution to reactivate my Compute Engine default service account..
Completely iam struck now i cannot create new vms and kubernetes.
To restore your google compute default service account, run the following gcloud command within your project:
gcloud services enable compute
In previous versions the command was known to be:
gcloud service-management enable compute.googleapis.com
As stated in this issue: https://issuetracker.google.com/issues/69612457
You can now "undelete" service accounts by doing a curl request as below:
curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-length: 0" "https://iam.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_ID:undelete"
SERVICE_ACCOUNT_ID is the id of the account you want to recover
You can get a list of service accounts by running:
gcloud logging read "resource.type=service_account" --freshness=10y
Reference:
https://cloud.google.com/iam/docs/creating-managing-service-accounts#undeleting_a_service_account
There are two default service accounts and I am not sure which one you are referring to:
Google API service account, in your case it is called: 933144605699#cloudservices.gserviceaccount.com. It is a special service account. It is always created but never listed in gcloud or the web console. It is intended to be used by some of the internal Google processes on user's behalf. GKE may be one of the services that uses this account (I am not sure).
It is impossible to delete this account, the only thing you could do is to remove it from any roles on the project. By default it is an Editor. You can add it back any time.
Default service account: 933144605699-compute#developer.gserviceaccount.com. This is a normal service account, which you may delete.
In the error message you pasted there is a different service account name, is it the new one you created? If this is the case, you might only need to go to IAM settings on the web console and add your user to service account actor. Take a look at this manual page: https://cloud.google.com/compute/docs/access/iam#the_serviceaccountactor_role
First you need to find the removed SERVICE_ACCOUNT_ID. Using Logging advanced queries is:
resource.type = "service_account"
protoPayload.authorizationInfo.permission = "iam.serviceAccounts.delete"
Example here:
==> unique_id value is SERVICE_ACCOUNT_ID
Use the API provided by #sherief-el-feky :
curl -X POST -H "Authorization: Bearer $ (gcloud auth print-access-token)" -H "Content-length: 0" https://iam.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_ID : undelete "
Logging advanced queries: https://cloud.google.com/logging/docs/view/advanced-queries
As of Feb 2022, use
gcloud beta iam service-accounts undelete <ACCOUNT ID>
ACCOUNT ID is the 21 digit unique id (uid) which last part of the deleted service account.
For example,
deleted:serviceAccount:abc-project#kubeflow-ml.iam.gserviceaccount.com?uid=123451234512345123451
uid is the last part of the above service account.
I'm super new to developer BOX and I would like to create an app only user in my BOX account. I found out this link which guides me through the process. BUT, I'm not able to find out ho to proceed with the following things:
1) How to request an enterprise access token using the JWT
2) How to use the enterprise access token to make a request for a new app user.
I'm super sorry if this question is stupid or trivial. I'm super new to this area and I really hope I get some help as I would love to work more in this field.
This page on the Box documentation site walks through how to create an Enterprise access token.
As you mentioned once you generate the Enterprise access token, you can then create a new App User using the Users endpoint. Here's an example in cURL for this.
curl https://api.box.com/2.0/users \
-H "Authorization: Bearer REPLACE_WITH_YOUR_ENTERPRISE_ACCESS_TOKEN" \
-d '{"name": "Example Name", "is_platform_access_only": true}' \
-X POST