I am trying to make a call using the Google Container Engine API via my browser. I have created both a client ID and the public API access key.
When I try to use the public API access key, I always get unuauthorized:
https://www.googleapis.com/container/v1beta1/projects/cohesive-feat-92204/clusters?fields=clusters%2FmasterAuth&key=XXXXXXXXXXXXXXX
(where XXXXX... is my key)
Is there a document that describes all the required values for the call? How you specify the client ID and the client secret etc...where you put in the scope, etc...
This link https://cloud.google.com/container-engine/docs/v1beta1/libraries gives me a 404
This is the same question as Google Container Engine REST API Authorization and the answer is that a public API access key cannot be used to access the Google Container Engine API.
Related
In Postman, I have my GET request set up to where I can get the correct access key using grant_type, client_id, client_secret, and resource in my request body.
I'm trying to get this working in Google App Script, however there does not appear to be a setResource function. I've looked through the documentation and could not find an alternative. Is it possible to somehow set the resource to get the proper access key with Google App Script OAuth2?
https://github.com/googleworkspace/apps-script-oauth2/blob/master/dist/OAuth2.gs
You can set an additional parameter for constructing the authorization URL by using .setParam().
.setParam('resource', 'https://storage.azure.com/')
Situation:
I have a Google Sheets whose data I would like to access using URL and an API key, e.g.:
https://sheets.googleapis.com/v4/spreadsheets/{SHEETS-ID}/values/{RANGE}?key={API-KEY}
This works only when the Sheet is publicly available, i.e. "Anyone with the link can view". I would like not to allow link sharing. I've seen in Apps Script that it is possible to add access to a service account.
Question:
Is this also possible if you only have an API key and requests the data using a URL as above?
No, it's not possible to access private data only with an API key. As stated in the documentation :
If the request requires authorization (such as a request for an individual's private data), then the application must provide an OAuth 2.0 token with the request. The application may also provide the API key, but it doesn't have to.
Anyhow the Google Sheet API will make your life easier to build requests and retrieve private data.
I want to use from my android/ios app the autocomplete api. For this I need to call url like:
https://maps.googleapis.com/maps/api/place/autocomplete/json?input=paris&key=<myapikey>
the problem is: What can make that someone else will not extract from my app my api key and use it for his own purpose ? It's important because at the end it's me who will be billed by google for the usage ...
Your intention is to call a Places API web service. Google Maps web services support only IP address restrictions.
You can check what type of restriction is supported by each API on the following page:
https://developers.google.com/maps/faq#keysystem
In order to protect an API key that is used with your sample request you should create an intermediate server and send your requests from this server. So your application should send request to intermediate server, intermediate server should send Places autocomplete request with protected API key to Google and pass response back to your app. In this case you can use an IP address of your intermediate server to protect unauthorized access with your API key.
I hope this helps!
What if you create and intermediate server and create a token for each single user, and also create a monitoring service which block suspicious behavior?
for example, a normal user would request x times/per day || hour || ...
Or
when a user runs application for the first time, application receives the [encrypted api + decryption key] and store them to a safe place like keychain(for iOS)
As I know, if you request directly to google-map-api there is always a way to sniffing packets.
I receive a 403 error in google maps API dashboard for the geocoding API after limiting the key to my domain. The geocoding works when the key is unrestricted. Currently I have the following as acceptable HTTP referrers:
https://website.com/*
https://www.website.com/*
This allows my basic javascript map and autocomplete forms to work on HTML pages. However, the geocoding is done through a python script that accesses website.com/markers (has no HTML page, just displays JSON data if you visit it). Is there a reason it will not work? The 403 error is what I see in the API dashboard, but I receive an internal server error message when visiting website.com/markers. When unrestricted, the dashboard shows response code 200 and I can see the correct JSON data. Therefore, I believe my code is not the issue.
Things I have tried:
Allowing “https://website.com/markers” as a referrer, as well as www. version of that, and http versions. Also used versions without http or https.
Changing to allow IP address of website (referrer not allowed error happens when I do this)
Double checking all references to API key in code. Code works in development and in production when unrestricted.
Double checked that all needed services are enabled in Google api console and not over quotas.
I have searched for this issue for hours and cannot find an answer, please go easy on me if I have overlooked something simple.
It sounds like you're trying to use the method of URL restriction intended for use with client-side web api's. In that case, the public URL of the site is used in the validation.
You want to use the IP address validation, intended for server-side calls.
The following is from https://developers.google.com/maps/faq#keysystem:
API Key: An API key is a unique identifier that you generate using the
Google API Console. API keys are generally used with the standard
APIs. Premium Plan customers1 typically can choose to use a client ID
or an API key. You can choose to use an API key without applying
restrictions (called a “generic API key”) or a key with restrictions
applied for greater security. APIs in any platform may use a generic
API key.
You can optionally add a restriction (for example, IP address) to the
API key. Once restricted, a key will only work on platforms that
support that type of restriction. Four types of API key restrictions
are available:
IP addresses (individual servers) - for use with the web service APIs.
HTTP referrers (web sites) - for use with the Web APIs.
Android app restriction (by package name and fingerprint) - for use with the Android APIs.
iOS app restriction (by iOS bundle identifier) - for use
with the iOS APIs.
You need a different key for the webservices. You can't apply both HTTP and IP restrictions on the same key. You need HTTP Restrictions on your Google Maps Javascript API v3 key and IP Restrictions on your web service key.
i tried to set up a simple map: http://pan-american.ch and keep getting the same error in the JS Console:
https://developers.google.com/maps/documentation/javascript/error-messages#referer-not-allowed-map-error
Your site URL to be authorized:
on this Domain http://map2.codedesign.ch the key works fine.
so my question is - where can i add Domains...
You want to setup the referrers to allow http://pan-american.ch.
See the Google Documentation on Setting up API keys:
Setting up API keys
If your client application does not use OAuth 2.0, then it must include an API key when it calls an API that's enabled within a Google Cloud Platform project. The application passes this key into all API requests as a key=API_key parameter.
To create your application's API key:
Go to the Cloud Platform Console.
From the projects list, select a project or create a new one.
If the API Manager page isn't already open, open the menu Gallery Menu and select API Manager.
On the left, choose Credentials.
Click Create credentials and then select API key.
Choose the type of key to use. (API key types are described in more detail in the following sections.) If you're unsure whether an API key is appropriate for the API you're calling, select Help me choose and follow the instructions to pick the right credentials.
Note: In addition to reading the instructions on this page, be sure to read Best practices for securely using API keys.
The API supports several types of API keys, including server keys, browser keys, iOS keys, and Android keys.
Browser keys
Create and use a Browser key if your application runs on a client, such as a web browser. To prevent your key from being used on unauthorized sites, only allow referrals from domains you administer.