Hi When I try to deploy profile, I am getting this error
[Profile Analytics Cloud Integration User] Unknown user permission: ViewForecastingPredictive
Can some one help me understand what this error is, and how to resolve it
Related
This morning I made a PR which triggered a Cloud Build for my staging enviroment but failed to deploy the results to GAE.
The error was as follows:
ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as '[redacted]#appspot.gserviceaccount.com'
Step #4: - '#type': type.googleapis.com/google.rpc.ResourceInfo
Step #4: description: You do not have permission to act as this service account.
Step #4: resourceName: [redacted]#appspot.gserviceaccount.com
Step #4: resourceType: serviceAccount
When I look at https://console.cloud.google.com/cloud-build/settings/service-account
Cloud build has the follow service account permissions ENABLED:
App Engine Admin
Cloud KMS
Checking https://console.cloud.google.com/iam-admin/iam
I can see that the cloudbuild service account has the following roles:
App Engine Admin
App Engine Deployer
Cloud Build Service Account
Cloud KMS CryptoKey Decrypter
According to the provided error, it seems like you need to add some delegation to your service account. This means that the service account can act on behalf of another service account. Do not add this permission on the project level, since it poses a security risk! Below you can find an example of how to add roles/iam.serviceAccountUser on another service account.
PROJECT_ID=xxxxxx
PROJECT_NUMBER=$(gcloud projects list \
--format="value(projectNumber)" \
--filter="projectId=${PROJECT_ID}")
gcloud iam service-accounts add-iam-policy-binding \
${PROJECT_ID}#appspot.gserviceaccount.com \
--member=serviceAccount:${PROJECT_NUMBER}#cloudbuild.gserviceaccount.com \
--role=roles/iam.serviceAccountUser \
--project=${PROJECT_ID}
To summarize, the service account must have the iam.serviceAccounts.actAs permission, which is included in the roles/iam.serviceAccountUser role. Updated Google documentation can be found here.
I had the same issue. For me I had to add the Service Account User role to my circle ci user in IAM. Maybe you can do the same for cloudbuild.
First we go to the permission manager and select the project that we want to add permissions.; https://console.cloud.google.com/iam-admin/
I grant Service Account User permission to my CI/CD service account. That works.
Screenshot of IAM
Screenshot of my Gitlab CI/CD configuration
To resolve this issue, you can add Service Account User IAM permission to your CI/CD pipeline service account.
Eg. If you're using Cloud Build, then add Service Account User role to your {project-number}#cloudbuild.gserviceaccount.com service account
It looks as though this question is answered with the .ActAs permission being added to the Gitlab or CircleCI account.
I haven't had occasion to test yet - if anyone else has and can post details - please do so;
This is the proposed answer from what I can gather:
How do you enable "iam.serviceAccounts.actAs" permissions on a sevice account?
Nebulastic has a very nice answer above but the {PROJECT_ID} would need to be swapped with the Gitlab or CircleCI account name, not the project named account.
We are trying to call a web api hosted in azure app service from SPFX react webpart using aadhttpclientfactory.
We are receiving the below error.
Error: Error - Type : interaction_required - Description : AADSTS65001: The user or administrator has not consented to use the application with ID <> named 'SharePoint Online Client Extensibility Web Application Principal'. Send an interactive authorization request for this user and resource.
Please suggest the process to resolve the above issue.
Thanks in advance.
You need to consent to use the application. Go to azure portal->Azure Active Directory->App registrations->find your application->Api permissions->click Grant admin consent button(remember to login with the admin account)
If the permissions does't require admin consent, you can also use individual user consent which doesn't need admin permission.
I tried to deploy my app to google app engine. My IAM role is "owner" so I think I should have full access to any gcloud API.
Following is the error:
ERROR: (gcloud.app.deploy) Error Response: [13] Unable to get quota for "snap-media", "us-central1". Error: <HttpError 403 when requesting https://www.googleapis.com/compute/v1/projects/snap-media/regions/us-central1?alt=json returned "Required 'compute.regions.get' permission for 'projects/snap-media/regions/us-central1'">
Not the Google APIs service account.. All GAE has their own default service account. you need to give that permission. Search the following service account in your IAM page.. And you need to give this service account the permission.
App Engine default service account
yourprojectName#appspot.gserviceaccount.com
In the AppEngine console I have enabled datastore administration. I also enabled the remote API. However, when I try to access it I see the following message:
Error: Forbidden
Your client does not have permission to get URL
Many people seem to have a 400 (Not found) or 500 (Error), but none of the fixes for these issues seem to fix this permission problem
The permissions issue was caused by having login for my webapp restricted to one domain, while I was accessing the AppEngine administration from another domain.
As an example, AppEngine administration was being performed from support#my_developer_domain.com, whereas all the logins for the app itself were in the form xyz#client_company_domain.com.
The solution was to get the client to assign me an email address at their own domain (andy#client_company_domain.com) then invite that account to be a developer for the web app. After accepting the invitation and logging in with this account, the datastore admin page was visible.
I have an application deployed to Google App Engine.
The application relies on App Engine User API to login and signup. However I noticed that if user signup using hotmail account, after verify the account through OpenID option. App Engine tries to direct the browser to the following URL: https://appengine.google.com/_ah/conflogin?continue=https://myappid.appspot.com/login.do, where /login.do is used in UserService.createLoginURL("/login.do") to create the login URL.
At this step I am getting 500 Server Error as the following. When I check my server log, I couldn't find any request to login.do. Please help.
Error: Server Error
The server encountered an error and could not complete your request.
If the problem persists, please report your problem and mention this error message and the query that caused it.
I got this error when logging in 4 accounts.
It works on logging in 3 accounts.
We can not control the number of accounts a user login at the same time.
I think it is a critical bug in the implementation of Google.
Conclusion, Users API is not usable. The only way is to use OAuth.