I have a Google Cloud Function with a HTTP trigger (which triggers on click on the trigger URL). The permissions for the Cloud Function were on "allUsers" which allows anyone with the link to trigger the function, which is not desired.
Then I saw that it was possible to restrict this by selecting certain Cloud Function Invokers but this does not seem to work : the selected Cloud Function Invokers get an "Access Forbidden" error when triggering the Cloud Function via clicking on the Trigger URL, like if they were not authenticated. Have anyone found a fix for this ?
Thank you
If you no longer access with you remove the allUsers permission is a good sign!
The problem is your access method. You are using your own user account (who has the Cloud FUnction invoker role) but with your browser. Your request with your browser is without any authentication header.
If you want to call your cloud function now, you have to add an authorization header, and an identity token as bearer value. That command works
curl -H "Authorization: bearer $(gcloud auth print-identity-token)" <cloud function URL>
Note that you need an identity token, not an authorization token.
Related
I am writing a Google Apps Script
I'd like to make an https call to an external server.
This server happens to be on GCP (Google Cloud Platform) and sitting
behind IAM.
In order to be able to authenticate with the server, I need to pass an Authorization Bearer header. My problem is, what do I pass as the Authorization Bearer?
From what I understand, I have 2 options that I've tried and failed at:
Use the default GSA appsdev-apps-dev-script-auth#system.gserviceaccount.com. and grant it IAM permissions (that didn't work).
Create a custom GSA, save the private token in the Apps Scripts Properties. However, how do I convert that token to a JWT so I can use it for the Authorization Bearer
I am trying to call the below URL from Google apps script. In my browser it works fine, but when run from Apps script I get the error 'Access denied'.
var response=UrlFetchApp.fetch(url);//Fails with Access denied exception
URL :
Gets stock data in JSON format
'Request failed for http://www.nseindia.com/live_market/dynaContent/live_watch/get_quote/ajaxGetQuoteJSON.jsp?symbol=AXISBANK&series=EQ returned code 403. Truncated server response: Access Denied Access Denied You don't have permission to access "http://www.ns... (use muteHttpExceptions option to examine full response)'
Do i need to do anything extra?
Status 403 indicates that everything went as planned, but the recipient denied the request. Without clarification from the host site, it's hard to say why it's rejecting the request, but it could be anything from the request being denied due to an issue with your code, or they may have a service in place that prevents these kinds of requests from unauthorized IPs.
They may even have blacklisted Google apps script specifically, due to the nature of the site you're connecting too, and the potential for abuse.
I'm trying to get access to my box app via API, i wrote the following API line in "postman":
https://www.box.com/api/oauth2/authorize?response_type=code&client_id=MY_CLIEN_ID&redirect_uri=https://127.0.0.1
AND THEN I get BOX login window i fill the fields and click on the Authorize button
next i get the following box window : "With access to your Box account, "SharingFileSystem"(my app's name) can:
Read and write all files and folders" with button "Grant access to box"
when I'm clicking on this button (Grant access to box) i get "The server refused the connection."
What i need to do for connect to the BOX by API successfully?
Box is trying to redirect you back to a webserver listening on localhost, as you've specified in the request. This is the Handling the Response from Box part of the OAuth2 workflow. You have two options here:
For a web-based application, run a webserver on localhost that can handle the HTTP redirect from Box, or
For a client application, register a custom scheme for your application in your OS. This can be any arbitrary name, e.g. foo. Use that custom scheme in the redirect_uri field of your original request to Box: redirect_uri=foo://bar. Your OS will then send the redirect parameters to your application.
You can now use the Postman packaged app version to get access tokens for OAuth 2. Helps you avoid the hassle of setting up a server.
I would like to export a list of all users in our Enterprise account. However, it would seem that my co-admin credentials fail to execute the example request listed in the BOX.com API 2.0 documentation:
curl https://api.box.com/2.0/users
-H "Authorization: Bearer ACCESS_TOKEN"
The documentation indicates that this should return the current user's information if executed by a non-admin. However, in my case I am receiving a 403 Forbidden error. Am I missing something or executing this wrong? Does this API command require the main enterprise admin credentials? If I execute with the URL "https://api.box.com/2.0/users/me" it successfully returns my account information.
You should be able to do this when logged in as an admin or coadmin. This appears to be a bug on our end. We're trying to fix it ASAP–I'll update here when it's been fixed.
Im trying to access a Google Apps script via CURL. The problem is that the current session is not sent along when requesting the script and requires me to log in again. How can I maintain the current session vars when making the CURL request?
cURL doesn't send along your browser's session information, as it's a different program. It's not possible to programmatically authenticate with an Apps Script web app.