I have a new Debian GCE VM which has full access to Google Cloud services. I'm able to access most of the services from this instance. However I'm unable to access task queues.
host:~/home$ curl
"https://www.googleapis.com/taskqueue/v1beta2/projects/project/taskqueues/
my-queue/tasks" -H "Authorization":"Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxx"
{
"error": {
"errors": [
{
"domain": "global",
"reason": "insufficientPermissions",
"message": "Insufficient Permission"
}
],
"code": 403,
"message": "Insufficient Permission"
}
}
From my other VM which has fine grained access to individual services, I'm able to access task queue. Is this a known issue?
It's not possible, I got the answer from Google about TaskQueue REST API:
The REST API has it's own auth mechanism using access control lists.
Since this API is experimental, we have no plans of offering full IAM
integration. Instead, we are building a new API which will replace
this one with full IAM support.
A workaround is to set export GOOGLE_APPLICATION_CREDENTIALS=/path/to/servicekey.json.
Related
I am running the follwing code in my gcloud cmd shell which is intended to export a specific table from my database to a storage bucket:
gcloud sql export sql databasen gs://my_bucket/file_nam,e.sql --async --database=database--table=table --offload
I keep on getting an error:
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"errors": [
{
"message": "Login Required.",
"domain": "global",
"reason": "required",
"location": "Authorization",
"locationType": "header"
}
],
"status": "UNAUTHENTICATED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "CREDENTIALS_MISSING",
"domain": "googleapis.com",
"metadata": {
"method": "google.cloud.sql.v1beta4.SqlOperationsService.Get",
"service": "sqladmin.googleapis.com"
}
}
]
}
I have already authenticated myself in the shell with gcloud auth login and given CloudAdmin IAM authority to the service account for the sql instance. I also have all the cloudsql cloud APIs enabled.
I am at loss and would appreciate any direction here. Thank you!
Every request your application sends to the Cloud SQL Admin API needs to identify your application to Google.
This error can occur if you haven't set up the OAuth header properly.To address this issue, repeat the steps to verify your initial setup.
When you run the code from your local machine, you need to make your own OAuth token accessible to the code by using one of the following authentication methods:
-- Using Service account:
Create a Service Account and download a JSON key.
Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the downloaded service account key file (JSON).
The same google.auth.default documentation code you use also checks this special environment variable for the set JSON OAuth token and uses it automatically.
You can check if the service account is the active one on the instance by running the following command:
gcloud auth list
I would also recommend you check the official documentation for Export SQL and Best Practices
Also do check these examples for similar implementation:
Authorize Cloud sql admin api call
Google Cloud admin authentication
Permissions for google cloud sql export
I´m using dialogflow with http request on a project that works in twilio, with the recent need of migration to v2 API of dialogflow the client access token will not work. Reading the new authentication, I generated the json following the instructions in the google cloud docs, but can´t make it works. Because I need to do all the interaction through POST requests to the dialogflow agent, does anyone know how I can generate the authentication token well?
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
Thanks
This is the function code that today works to make the http request. The problem is that all the services are in Twilio and i dont have access to the server, for that I cant define the environment variable.
Twilio Function code
Twilio Fuctions uses NodeJs and allow me to install many npm modules, with the following limitation: "Native Packages Not Supported - Functions does not provide a C/C++ compliler required to complie native addon modules. This means modules that depend on node-gyp can not be installed to Functions."
I don´t know if this limitations affect service acount working to me in this case.
I have written a Java application using Google's SDK v3 and Java 8 to download binary files from Google Drive (not Google doc or sheets or anything like - binary files I uploaded there). My app has no trouble listing the files, but when I try to download one I get a permissions error:
Exception in thread "main" com.google.api.client.http.HttpResponseException: 403 Forbidden
{
"error": {
"errors": [
{
"domain": "global",
"reason": "appNotAuthorizedToFile",
"message": "The user has not granted the app 38578455738 read access to the file 1acfVsq9dUUYuk6q9gM69aWVasvdfr.",
"locationType": "header",
"location": "Authorization"
}
],
"code": 403,
"message": "The user has not granted the app 38578455738 read access to the file 1acfVsq9dUUYuk6q9gM69aWVasvdfr."
}
}
The code that attempts to download is:
String fileId = "1acfVsq9dUUYuk6q9gM69aWVasvdfr";
OutputStream outStream = new ByteArrayOutputStream();
service.files().get(fileId).executeMediaAndDownloadTo(outStream);
My questions are:
How do I know that my app is 38578455738?
How do I grant it (or anyone) permission to download?
I have tried using the Google Drive web interface to share with "anyone" but that didn't help.
Service accounts are not you. Think of a service account as a dummy user. It has its on Google drive account, Google calendar account and probably a few more.
The good thing with service accounts is they can be preauthorized this makes them be idea for use with server to server communication like cron jobs.
Exception in thread "main" com.google.api.client.http.HttpResponseException: 403 Forbidden
{
"error": {
"errors": [
{
"domain": "global",
"reason": "appNotAuthorizedToFile",
"message": "The user has not granted the app 38578455738 read access to the file 1acfVsq9dUUYuk6q9gM69aWVasvdfr.",
"locationType": "header",
"location": "Authorization"
}
],
"code": 403,
"message": "The user has not granted the app 38578455738 read access to the file 1acfVsq9dUUYuk6q9gM69aWVasvdfr."
}
}
Means exactly that. The user who owns the file 1acfVsq9dUUYuk6q9gM69aWVasvdfr has not granted the application 38578455738 access to their data.
IMO this error message is a little miss leading this is why i have asked you to post your authentication code. The way the error message reads makes me think that the currently authenticated user is not the service account and that this user has not gone though the consent process.
However if you are currently logged in as the service account. Its actually the service account user who does not have access (this assumes that your using service account authentication code when you are logging in to download the file. ). Then in order for the service account to access the file. The user who owns it must share the file with the service account. To do that take the service account email address go to the Google drive website find the fine in question and share the file with the service account. Give it read or write access which ever it needs. The service account should then have access to the file.
You know that your app is 38578455738 because you register your application in the Google API Console.
You authorize your app using OAuth 2.0, with the user granting Google a scope of access that includes download, such as https://www.googleapis.com/auth/drive.readonly
Relevant links:
About Authorization -
https://developers.google.com/drive/api/v3/about-auth
Setting up API Keys -
https://support.google.com/googleapi/answer/6158862?hl=en
I was able to use the client_secret.json follow to query a googlespread sheet in my application using the google spreadsheets API.
However, someone else using my application gets a 403 permission denied error.
Using the developer console, I can create a new user for the project, but this just returns the client_secret.json file I already have.
How do I give permission to the user?
INFO:oauth2client.client:Refreshing access_token
ERROR:kernel_admin.__main__:{
"error": {
"code": 403,
"message": "Google Sheets API has not been used in project
626378963637 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/sheets.googleapis.com/overview?project=626378963637 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
"status": "PERMISSION_DENIED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.Help",
"links": [
{
"description": "Google developers console API activation",
"url": "https://console.developers.google.com/apis/api/sheets.googleapis.com/overview?project=626378963637"
}
]
}
]
}
}
Go to you Google Dev Console and enable Sheets API first:
To create permissions for files in your drive (that includes Google Spreadsheets), use Permissions.create.
I have the gmail api activated and I am on an instance with "full API access to all Google Cloud services". When I run the following from the instance:
credentials = GoogleCredentials.get_application_default()
service = build('gmail', 'v1', credentials=credentials)
service.users().messages().list(userId='me').execute()
I get:
HttpError: <HttpError 403 when requesting https://www.googleapis.com/gmail/v1/users/me/messages/send?alt=json returned "Insufficient Permission">
I have tried several other gmail-api calls and this is always the response.
You will need to use OAuth 2.0 for Server to Server Applications method.