When interacting with the Google Vault API and specifically updating or creating Holds with accounts, I started getting a 400 Error with the message: "Users are not licensed". I have seen a similar error, specifically around Google Voice ("Users are not licensed for Voice"), but never for all services (Mail, Drive, Groups). I can add a specific use case to handle this error, but I have been unable to reproduce with an Google account that I control. How does a account get into a state where they are unable to be added to any holds like this?
Related
Non-technical person here 🙋‍♂️
I'm having an issue where (using the Oauth 2.0 Playground) I authorize an internal user's GMB account and configure real-time notifications to be sent to our GCP topic. Every few days or so, notifications stop getting sent to our topic and when I check the notification settings for that account, they have been subscribed to an unknown GCP topic. I can reconfigure the notifications settings again, but every few days they are reconfigured to the unknown GCP topic.
It's possible some other app is overwritting my changes periodically, but I am having trouble figuring out where they're coming from.
Is there a log I can review to know where the request to change the notification settings is coming from?
When using the OAuth 2.0 Playground to configure settings, do they "expire" at some point? If so, is how do I prevent that from happening?
Thanks in advance for your help!
You can start looking into when and who created the unknown GCP topics by checking your Cloud Logging for created topics. You can do this by:
Open your Google Cloud Console
Open "Logging"
There should be a "Query" tab and select it.
Input protoPayload.methodName="google.pubsub.v1.Publisher.CreateTopic" and click "Run Query". You can check this reference if you'd like to see other logs related to Pub/Sub.
Click "LAST 1 HOUR" to adjust the time parameters of your log query. (Example: adjust it to a whole month to query all Created topics within a month)
Click the ">" beside the result and expand the log.
There are lots of info like the created topic name, what email authenticated this request, etc. In your case you should look out for field authenticationInfo for you to check who invoked the request:
authenticationInfo: {
principalEmail: "email-used-to-create-the-topic#example.com"
principalSubject: "user:email-used-to-create-the-topic#example.com"
}
NOTE: For testing purposes I blacked out my project-id and email for this example. Also the topic I created is log-this-topic and the email in the log mine since I was the one that created the topic.
OAuth have set rules for expiration, you can check it on Refresh Token expiration.
My company owns several (verified) facilities and using my company's email i can see those locations (business.google.com).
Now, my company would like to fetch the reviews in each location and present it in our company website. Before we're using the Google Place API but since it only returns the latest 5 reviews we opt to using Google My Business API to retrieve a location's complete reviews. We'd like our backend (PHP) to retrieve the reviews so using the same email I created a service account (console.developers.google.com/apis/credentials) because we don't need the end user to allow/interact anything when browsing our website.
Using postman (with my signed JWT) I have managed to get a valid access token
...that I use to retrieve the lists of accounts (mybusinessaccountmanagement.googleapis.com/v1/accounts) I could see the service account itself alone in the response.
Now, I tried calling the account locations api (mybusiness.googleapis.com/v4/accounts/{MY_ACCOUNT_ID_HERE}/locations) but it only returns and empty object response.
Can someone help me resolve this issue. Why my service account can't see the verified locations under my company's email. Is this even possible? Thank you.
Even that this is an older question - I run into the same issue calling the new Google My Business Information v1 API (getting empty results) using a service account.
It seems, that it is not recommended to use Service Accounts, I found this support article on Google: https://support.google.com/business/thread/8281160/cannot-get-access-to-gmb-locations-with-service-account-with-nodejs?hl=en
The "official" recommendation is to use OAuth.
But we finally made it using Service Account. The following steps are necessary to resolve it (at least for us it is working now):
Add a project in Google Cloud Platform
Add and enable the Account Management and Business Information API's.
Add the service account and generate a key (https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount)
Make the Business Profile API request (you need the approval made by Google to be able to make requests against the two API's; otherwise you may run into quota exceeds as "Request per minute" is set to 0 by default). Important: It may take up to 2 weeks until, but we received the approval within about 5 days
Enable domain-wide delegation for the service account using the scope "https://www.googleapis.com/auth/business.manage". More about domain-wide-delegation: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority)
Add a user identity in GCP. This user also needs to be added in Google My Business for editing locations. When creating your ServiceAccountCredential object, impersonate this user.
Security concerns:
Domain-wide-delegation enables that everyone knowing/having the credentials of the service account could impersonate any person (identity) from withing GCP. At least in this case only for Business Profile API, but anyway, keep this in mind.
Also using private keys for authenticating the service account is not recommended, you should be aware to regularly change / create a new private key or there would be a solution with Identity Workload.
Hope this helps everyone facing the challenge with GMB / GCP / service accounts :-)
I am creating a booking system with server to server auth with google calendar API.
Sometimes when I create events with the API I get this :
{
error: {
errors: [
{
domain: "usageLimits",
reason: "dailyLimitExceededUnreg",
message: "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.",
extendedHelp: "https://code.google.com/apis/console"
}
],
code: 403,
message: "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup."
}
}
But otherwise the API says the event has been created, but there is no event created in the calendar...
In all other cases event is created successfully, but this leads to missing events sometimes.
Where I can remove this limit, so all events that i create with the Api to be saved to google calendar?
It looks like there is an issue with Service Accounts inviting people to Calendar Events.
In case you own a GSuite domain, a current workaround would be performing Domain-Wide delegation. According to the documentation:
Go to your G Suite domain’s Admin console.
Select Security from the list of controls. If you don't see Security
listed, select More controls from the gray bar at the bottom of the
page, then select Security from the list of controls. If you can't
see the controls, make sure you're signed in as an administrator for
the domain.
Select Show more and then Advanced settings from the list of
options.
Select Manage API client access in the Authentication section.
In the Client Name field enter the service account's Client ID. You
can find your service account's client ID in the Service accounts
page.
In the One or More API Scopes field enter the list of scopes that
your application should be granted access to. For example, if your
application needs domain-wide access to the Google Drive API and the
Google Calendar API, enter: https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/calendar.
Click Authorize
Regarding the existing issue, you can click on the star next to the issue number to give more priority to the bug and to receive email updates.
We use the Microsoft Graph .NET SDK to authenticate users who use O365 and to work with the users' files and folders in OneDrive and SharePoint.
Today, some of our users started receiving this error message: "Unable to retrieve tenant service info". The error code is: "BadRequest", which doesn't seem to correspond to the message and thus might just be a catch-all error code. Except for the mentioned error code and message, no other information was provided in the error response from Graph.
After some debugging, I could verify that this problem was not related to OAuth or the users' access tokens, as the users are still able to authenticate and refresh their tokens via the API. The error is only thrown when our server attempts to access or modify the users' files/folders in either OneDrive or SharePoint.
We had been using the same code for a few months, and only started receiving this error today. I've tried looking up the error message in documentation, articles, blog posts, etc. but couldn't find anything.
Any help or suggestion would be greatly appreciated. Thank you in advance.
There was an incident/regression that caused failures when reading tenant service info between January 19 and January 21. This should no longer be happening.
I'm currently trying to create a new App Engine project using the endpoint outlined here:
https://cloud.google.com/resource-manager/reference/rest/v1beta1/projects/create
The actual endpoint is https://cloudresourcemanager.googleapis.com/v1beta1/projects
However, when I authenticate via oauth and submit a POST request, I get the following payload:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I have full access to the engine via my Owner role, so I'm not sure what the issue here is?
Does anyone have any ideas?
Many Thanks
you need to make sure you have service account for your application , and you need to make sure that the API is enabled .
On the Cloud Resource Manager page there is a note stating (emphasis mine):
Programmatically create, manage, and delete projects that belong to
your organization. You can also undelete or recover projects that you
didn’t mean to delete. Access to Cloud Resource Manager project
creation is currently invite-only. For an invitation, contact our
sales team.
Did you obtain such invitation? If not then the Owner role you're mentioning is likely not the right one needed for the Cloud Resource Manager operation.