i am trying to create a DialogFlow CX agent and call webhook Cloud function. The primary criteria for authentication is to use the service account. I expected this to be created automatically as per the docs mentioned here but I just cant see it in my IAM list.
Is this a bug or am i looking at something else?
Services accounts are created only when needed. If you proceed to add the webhook to the cloud Function, test it and then go to the IAM & Admin page you should be able to see it. Please, remember to mark the Include Google-provided role grants checkbox to be able to see it. If it is not created you can always manually do it as it shows in the documentation that you linked with the command:
gcloud beta services identity create --service=dialogflow.googleapis.com --project=agent-project-id
Related
I have a requirement where I need to trigger a cloud function which in turn triggers a data flow job once a file is placed in google cloud storage bucket of another project. Google documentation says its not possible, please see here https://cloud.google.com/functions/docs/calling/storage
However, I tried doing this and my cloud function failed to deploy with below error. It says
Looks like this is a permission issue and if required permission are given , this will work.
Do I need to add and give owner permission to #appspot.gserviceaccount.com of the project(project A) from where I am trying to access the bucket of another project(Project B)
So if the above is true, In my project B IAM page, I will see 2 as below
#appspot.gserviceaccount.com OWNER
#appspot.gserviceaccount.com EDITOR
Any inputs on this is much appreciated.
It's not possible to catch event from other projects for now. But there is a workaround.
In the project with the bucket, create a PubSub notification on Cloud Storage
On the topic that you created, create a push subscription. Use the Cloud Functions URL, and secure the PubSub call (you can get inspiration from there. If you are stuck, let me know, I will take more time to describe this part)
On the Cloud Functions grant the PubSub service account as cloudfunctions.invoker role
EDIT 1
The security part isn't so easy at the beginning. In your project B (where you have your Cloud Storage), you have created a PubSub topic. On this topic you can create a notification with a service account created in the project B. Take care to well fill in the audience
Then, you need to grant this "project B" service account as roles/cloudfunctions.invoker on the Cloud Function of the project A
# Create the service account
gcloud iam service-accounts create pubsub-push --project=<ProjectB>
#Create the push subscription
gcloud pubsub subscriptions create \
--push-endpoint=https://<region>-<projectA>.cloudfunctions.net/<functionName> \
--push-auth-service-account=pubsub-push#<projectB>.iam.gserviceaccount.com \
--push-auth-token-audience=https://<region>-<projectA>.cloudfunctions.net/<functionName> \
--topic=<GCSNotifTopic> --project=<ProjectB>
#Grant the service account
gcloud functions add-iam-policy-binding --member=serviceAccount:pubsub-push#<ProjectB>.iam.gserviceaccount.com --role=roles/cloudfunctions.invoker <FunctionName> --project=<projectA>
Last traps:
The Cloud Functions in the project A haven't the same signature if it's an HTTP functions (callable by a pubsub push subscription) or a Background Function (callable by events, such as CLoud Storage event). You need to update this according to the documentation
The PubSub message sent to the Cloud Functions is slightly different. Take care to update the input param accordingly.
Google documentation says its not possible
This is all you need to know. It is not possible. There are no workarounds, regardless of what sort of error messages you might see.
Hey Respected Community!
I started learning to create google actions.
so i created very basic google action. which invokes by 'hey google talk to Doctor Strange'
and after adding 1 more transition which displays suggestion. I saved it and trying to test it.
but continously getting error.
cloud function deployment failed.
i am continously trying to test it but getting error.
Can anyone help me what i am missing?
thanks in advance
As you surmise in your comments, using the Inline Editor for the webhook fulfillment requires you to have billing enabled for the cloud project it is attached to. (This is because it uses Cloud Functions for Firebase under the hood, and this requires billing to be enabled, even if you limit yourself to the free tier.)
You don't need to use the Inline Editor, or even Google Cloud Functions, for your webhook. All you need is a public HTTPS server that can accept and respond with JSON.
I have added the role "Cloud Tasks Enqueuer" to my project-id#appspot.gserviceaccount.com service account (see first screenshot). However, when I try and check if the account has permission to call "cloudtasks.tasks.create" it says that the service account lacks the cloudtasks.enquerer role (second screenshot). What is going wrong?
(note: I am adding this role to try and solve my other question, creating Google Cloud Task in a firebase function)
Whoops, turned out that I had two projects with similar names, and I got confused. The firebase project was project-prod created through firebase, and the google cloud project was project created through google cloud.
Therefore, I granted permissions to the correct service account but for the wrong project. The debugger was working correctly!
I've written an Azure Function in PowerShell and I'd like to make some queries to my Azure Table from this Function. I'm not sure how to authenticate.
How do i get my function to access my azure table ?
*Tried to leverage Managed Identity but did not go anywhere with it
*Same with Service Principal
*It works if i use connect-azuread but the function prompts me with a link and a machine code to authenticate
Thanks!
David
For Azure Function, if you enable the Identity and assign the role assignment for it. And then it will already have the permission according to the assignment if you create the PowerShell script and run it. So you do not need to authenticate for the Managed Identity. You just need to assign the permission to the MSI.
You can check it through the command like this:
$context = Get-AzContext
$context.Account
Then you can see the output shows like this:
Please can you help me, I'm receiving this error when I'm trying to deploy a google cloud function:
HTTP Error: 400, Default service account 'project-name#appspot.gserviceaccount.com' doesn't exist. Please recreate this account (for example by disabling and enabling the Cloud Functions API), or specify a different account.
The command used to deploy is:
firebase deploy --only functions
A temporary solution is fine, but if you can help me to solve it permanently is better.
Thanks in advance.
In my case, the App Engine default service account was deleted. It looks like this: {project_id}#appspot.gserviceaccount.com
So I had to restore the service account like this:
You can now recover the deleted service accounts from https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/undelete
you have to get the UniqueID of the service account from https://console.cloud.google.com/home/activity
Source: https://stackoverflow.com/a/55277567/888881
The API explorer is an easy way to use the IAM API: https://developers.google.com/apis-explorer/#p/
I was struggling to resolve this issue, then I raised a case with Google.
here is a detailed article of my learnings :
https://medium.com/#ashirazee/http-error-400-default-service-account-appspot-gserviceaccount-com-accd178ea32a
Firstly navigate to Google Cloud Platform and view your service accounts.
try and find <project_id>#appspot.gserviceaccount.com' in your list of service accounts for the firebase project, it is linked to the App Engine.
if '#appspot.gserviceaccount.com' is missing you can not deploy anything(SEE EMAIL WITH GOOGLE BELOW), if it isn't, check and see if it's enabled, try disabling it and enabling it again.
#appspot.gserviceaccount.com is pre-installed by default, regardless of a paid account or not. try and recall if at any time you may have deleted it after or before deployment.
Now if you have for any reason deleted it over a period of more than 30 days than you can not retrieve it, and you must create a new firebase project. However, if it is within 30 days you can undelete it.
EMAIL FROM GOOGLE:
Email #1
"
Hello Ali
I am checking the logs of your project, unfortunately the service account was deleted on Ma, there is no chance to recover it nor recreate it
The only workaround available is to create a new project and deploy the service desired there. I know this could not be the best option for you nevertheless it is the way this works by design.
Do not hesitate to write back if you have more questions.
Cheers,"
Email #2,
"Hello Ali
I am glad to read that you have been able to deploy your functions successfully, unfortunately that service account cannot be recovered after 30 days of being deleted and that is the only solution. If you have other questions, please let us know by contacting us again through our support channel.
Cheers,"
lastly here is a helpful command line that will help you debug this, however, it won't help if there is no service account, it'll just highlight the obvious:
firebase deploy --only functions --debug
this was my error:
"HTTP Error: 400, Default service account '<project_id>#appspot.gserviceaccount.com' doesn't exist. Please recreate this account (for example by disabling and enabling the Clo
ud Functions API), or specify a different account."
Following the error message, you could enable the API by console accessing this url and enable the api.
Or by gcloud command:
gcloud services --project <project_id> enable cloudfunctions.googleapis.com
As the other stated, sadly, you need to use the default service account.
If within the 30 days period, you can use this tutorial to find and undelete the service acc: Read this guide to get https://cloud.google.com/iam/docs/creating-managing-service-accounts#undeleting_a_service_account
You have to enter the commands through the Google Cloud Console (one of the buttons will open a terminal on the right of the top blue app bar)
try to select Google Cloud Platform (GCP) resource location in Setting of Firebase. enter image description here