I am trying to set up IAM permissions so that a function can access one of my buckets, but I can't seem to get it to work. What I did was go to the details page on my function and copy the service account of the function:
image of console page
I then took that service account to the bucket page, then clicked "grant access", pasted in the service account as my principal, and gave it "storage admin" and "storage legacy bucket reader" as its roles:
google storage bucket grand access page
Yet I still get an error as my function doesn't seem to have access to the bucket.
For reference, the bucket contains a tensorflow.js model, and everything works fine when I set my bucket to public.
Related
The scope includes data:write data:create, and accessToken can be obtained. But when uploading files through Api, it returns 403 and the message prompt: "No write access".
I checked it according to the document, which means: "The Authorization was successfully validated but permission is not granted. Don't try again unless you solve permissions first.".
I'm not sure if there is something wrong with the permission when get the accessToken, or because the free user has no permission to call the upload file interface. But it worked normally before.
you are correct the scope can be data:write or data:create with uploading file. The most possibility is you are trying to uploading to a bucket which is NOT created by this Forge app. e.g. you may have a few Forge apps (different client id and secret). The bucket may be created by the other Forge app, so this app cannot write the data. Or even the bucket is created by other customers, while you thought you are the owner. Please GET:Buckets firstly to check which buckets available with this app (client id + secret) :forge.autodesk.com/en/docs/data/v2/reference/http/buckets-GET
I have a google function in one project. If I wish to access a bucket (not set to public) for purposes of reading from another project (of another user), how should the same be set for google functions project?
I was trying to approach this by setting the IAM of the storage project to that of the functions project. However, I am not clear which user-account must be provided the access?
Thanks
If you want GCF in project-a to read from GCS bucket "bucket-b" in project-b. Then give PROJECT-B#appspot.gserviceaccount.com the storage.objectViewer IAM permission in project-b (or to bucket-b specifically).
I was trying to run the sample script of Google Apps Script here:
https://github.com/googlesamples/apps-script-oauth2/blob/master/samples/GoogleServiceAccount.gs
I believe I set PRIVATE_KEY, CLIENT_EMAIL and USER_EMAIL correctly from JSON file downloaded from Google Developer Console. Also I enabled Google Drive API on the project. But still I get an error in the dialog "Error: invalid_client\n no application name".
Is there any code I should add / change to run this sample script correctly?
In case you are using the correct settings (PRIVATE_KEY,CLIENT_EMAIL and a valid USER_EMAIL), the error could also be related to the permission granted to the application from the domain admin.
Since this example uses domain wide delegation of authority to impersonate the account from the USER_EMAIL, first the domain admin has to grant permissions to the application to perform this kind of operations.
To grant this permissions to the app you can do it by going to: your Admin Console -> Security -> Advanced Settings -> Manage API client access
There you will add the service account CLIENT_ID in the field "Client Name" and in the second field you will add your project scopes separated by commas. These scope should match the scopes that the application uses. In this case id Drive scope and any other you may be using.
Click the button "Authorize" and if everything goes well, then you will be able to impersonate users in your domain with that project.
Here is the related documentation. I hope this helps.
I am integrating ASP.NET application using Google Drive API. For this after authentication we re uploading Files to Google drive. I am using Google client library to Call the APIs.
Everything is working as expected I am able to authenticate user successfully and able to upload the file successfully.
In one scenario when the user Google account is suspended then I am getting refresh token from Google but my upload method is failing and it is not uploading the file to Google drive.
I want to restrict the user on Signup screen itself, when account is suspended.
What parameter do I have to pass to achieve this please suggest?
Unfortunately this info is not easily available. You have two options :
Use the Directory API to see if the user is suspended. This requires additional OAuth permissions to be provided by an admin of the domain.
At login, try and perform a Drive API call to see if you get an error or not. If you get an error (with a couple of retried) and the error message matches the one you had for suspended users, then you can deny access to the user.
See: Is it possible to share a file publicly through Google Drive API
Using the information above, If I attempt to set the necessary permission for a specific file, I receive the following:
Error calling POST https://www.googleapis.com/drive/v2/files/{somefileid} permissions: (403) Insufficient permissions for this file
This error only occurs for google accounts tied to a google apps for edu setup where the admin has unchecked the option Google Apps -> Settings for Drive -> Share Settings -> Outside this organization: "Allow users to publish files on the web or make them visible to the world as public or unlisted files"
Using the Permission feed works fine otherwise, but ideally I would like to know if there is a way to check for this setting beforehand, instead of catching the 403 exception from the drive service.
You can use the About.get() endpoint to get details about the user's Drive, including this sharing setting. The field domainSharingPolicy can have the values allowed, allowedWithWarning, incomingOnly and disallowed. The first two in that list should allow publishing outside the domain, while the second two should not.