I want to deploy from bitbucket to google app engine using Open ID Connect (OIDC) authentication method (not key file).
I've setup Open ID Connect in my bitbucket repository. It shows
Identity provider URL
Audience
Example paylode
Unique identifiers
I've setup a Service Account in GCP that has App Engine Deployer role.
I've setup Workload Identity Federation with a pool and a provider. The Issuer(URL) of provider is set to Identity provider URL of bitbucket OIDC.
I've granted the service account access to the pool.
Here is my deployment step in bitbucket-pipelines.yml:
- step:
name: Deploy to Production
image: google/cloud-sdk:latest
oidc: true
script:
- echo $BITBUCKET_STEP_OIDC_TOKEN > identity-token
- gcloud auth login --cred-file clientLibraryConfig.json --update-adc
- gcloud app deploy
The clientLibraryConfig.json is downloaded from GCP:
{
"type": "external_account",
"audience": "//iam.googleapis.com/projects/837282586571/locations/global/workloadIdentityPools/fakfake-com/providers/bitbucket-fakfake-com",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/bitbucket#fakfake-com.iam.gserviceaccount.com:generateAccessToken",
"credential_source": {
"file": "identity-token",
"format": {
"type": "text"
}
}
}
Here is the output from pipeline:
echo $BITBUCKET_STEP_OIDC_TOKEN > identity-token
gcloud auth login --cred-file clientLibraryConfig.json --update-adc
+ gcloud auth login --cred-file ../../clientLibraryConfig.json --update-adc
Application default credentials (ADC) were updated.
Authenticated with external account credentials for: [bitbucket#fakfake-com.iam.gserviceaccount.com].
Your current project is [fakfake-com]. You can change this setting by running:
$ gcloud config set project PROJECT_ID
gcloud app deploy
+ gcloud app deploy ../../app.yaml
ERROR: gcloud crashed (OAuthError): ('Error code invalid_grant: The audience in JWT does not match the expected values.', '{"error":"invalid_grant","error_description":"The audience in JWT does not match the expected values."}')
If you would like to report this issue, please run the following command:
gcloud feedback
To check gcloud for common problems, please run the following command:
gcloud info --run-diagnostics
Build teardown
How can I fix the error of gcloud app deploy?
Related
I'm following this link below on how to deploy React app to App Service Azure.
How to deploy React app to App service Azure
However, I couldn't see my application page but the Azure App service default page. "Hey, Node developers!"
Here, I have attached screenshots about the deployment condition and logs. [App service 1
Please advise.
Update:
Another method:
The premise of this method is you have Node.js env and have installed npm tools.
1.add a file name index.js under the site/wwwroot.
index.js:
var express = require('express');
var server = express();
var options = {
index: 'index.html' //Fill path here.
};
server.use('/', express.static('/home/site/wwwroot', options));
server.listen(process.env.PORT);
2.install express:
run this command under the wwwroot directory,
npm install -save express
3.restart your app service and wait for minutes.
Original Answer:
First of all, you can follow this link to know how to deploy your react app to azure.
https://medium.com/microsoftazure/deploying-create-react-app-as-a-static-site-on-azure-dd1330b215a5
All of the files will be upload to D:/site/wwwroot, the physical folder.
Default page setting of the web app based on Linux os is very similar.
For example, I have a file named index.php under public_html folder and I want to set it as the default page of my web app.
You need to create a file named .htaccess under the wwwroot.
This is the content of the .htaccess file:
DirectoryIndex public_html/index.php
Then, Success set the default page:
I've an issue with the deployment of my react app on Azure web app service.
I've followed this guide: https://developer.okta.com/blog/2018/07/10/build-a-basic-crud-app-with-node-and-react in local environment it works, but when I've tried to deploy on Azure app service the login with okta doesn't work.
So let me explain. I've uploaded node express server on Azure node app service. The react frontend i've uploaded the "npm run build" result in an other Azure app service.
I've added the Login redirect URI and trusted origins (cors) on okta admin panel.
But during the login the online version of my app replay this issue: "Not Found The requested URL /implicit/callback was not found on this server." and the URL is " https://supportexor.azurewebsites.net/implicit/callback*id_token=qwerqwerqwerqwerqwerqwer" .
In App.js
<Route path="/implicit/callback" component={ImplicitCallback} />
In index.js
const oktaConfig = {
issuer: ...,
redirect_uri: .../implicit/callback,
client_id: ...,
};
I would like to see the "SecureRoute" after the login into my app.
I am having an issue deploying a Node project to Google App Engine when using a service account. I am getting a 403 error.
{
"error": {
"code": 403,
"message": "Operation not allowed",
"status": "PERMISSION_DENIED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ResourceInfo",
"resourceType": "gae.api",
"description": "The \"appengine.applications.get\" permission is required."
}
]
}
}
I have given my service account the App Engine Admin and Storage Object Admin roles. I am using the downloaded JSON key file to deploy.
I am then running these two terminal commands:
gcloud auth activate-service-account --key-file appEngineAuth.json
gcloud --quiet --verbosity=debug app deploy app.yaml --promote --log-http
This is my app.yaml file:
runtime: nodejs
env: flex
If I run gcloud auth list I see my service account user selected. I am able to deploy if I do gcloud init and then go through the process of using my Google account but I can't do that from my CI server.
I have deleted and recreated my service account a couple of times and made absolutely certain I am using the correct key file. I even tried giving my service account the Owner role but that didn't work.
This turned out to be an app engine bug. Support took about a week to fix the issue. As a temporary work around I had to create a new application and use it. This bug only affected one of my six applications.
Google case #: Case 15238823
Could someone help me access Big Query from an App Engine application ?
I have completed the following steps -
Created an App Engine project.
Installed google-api-client, oauth2client dependencies (etc) into /lib.
Enabled the Big Query API for the App Engine project via the cloud console.
Created some 'Application Default Credentials' (a 'Service Account Key') [JSON] and saved it/them to the root of the App Engine application.
Created a 'Big Query Service Resource' as per the following -
def get_bigquery_service():
from googleapiclient.discovery import build
from oauth2client.client import GoogleCredentials
credentials=GoogleCredentials.get_application_default()
bigquery_service=build('bigquery', 'v2', credentials=credentials)
return bigquery_service
Verified that the resource exists -
<googleapiclient.discovery.Resource object at 0x7fe758496090>
Tried to query the resource with the following (ProjectId is the short name of the App Engine application) -
bigquery=get_bigquery_service()
bigquery.tables().list(projectId=#{ProjectId},
datasetId=#{DatasetId}).execute()
Returns the following -
<HttpError 401 when requesting https://www.googleapis.com/bigquery/v2/projects/#{ProjectId}/datasets/#{DatasetId}/tables?alt=json returned "Invalid Credentials">
Any ideas as to steps I might have wrong or be missing here ? The whole auth process seems a nightmare, quite at odds with the App Engine/PaaS ease-of-use ethos :-(
Thank you.
OK so despite being a Google Cloud fan in general, this is definitely the worst thing I have been unfortunate enough to have to work on in a while. Poor/inconsistent/nonexistent documentation, complexity, bugs etc. Avoid if you can!
1) Ensure your App Engine 'Default Service Account' exists
https://console.cloud.google.com/apis/dashboard?project=XXX&duration=PTH1
You get the option to create the Default Service Account only if it doesn't already exist. If you've deleted it by accident you will need a new project; you can't recreate it.
How to recover Google App Engine's "default service account"
You should probably create the default set of JSON credentials, but you won't need to include them as part of your project.
You shouldn't need to create any other Service Accounts, for Big Query or otherwise.
2) Install google-api-python-client and apply fix
pip install -t lib google-api-python-client
Assuming this installs oath2client 3.0.x, then on testing you'll get the following complaint:
File "~/oauth2client/client.py", line 1392, in _get_well_known_file
default_config_dir = os.path.join(os.path.expanduser('~'),
File "/usr/lib/python2.7/posixpath.py", line 268, in expanduser
import pwd
File "~/google_appengine-1.9.40/google/appengine/tools/devappserver2/python/sandbox.py", line 963, in load_module
raise ImportError('No module named %s' % fullname)
ImportError: No module named pwd
which you can fix by changing ~/oauth2client/client.py [line 1392] from:
os.path.expanduser('~')
to:
os.env("HOME")
and adding the following to app.yaml:
env_variables:
HOME: '/tmp'
Ugly but works.
3) Download GCloud SDK and login from console
https://cloud.google.com/sdk/
gcloud auth login
The issue here is that App Engine's dev_appserver.py doesn't include any Big Query replication (natch); so when you're interacting with Big Query tables it's the production data you're playing with; you need to login to get access.
Obvious in retrospect, but poorly documented.
4) Enable Big Query API in App Engine console; create a Big Query ProjectID
https://console.cloud.google.com/apis/dashboard?project=XXX&duration=PTH1
https://bigquery.cloud.google.com/welcome/XXX
5) Test
from oauth2client.client import GoogleCredentials
credentials=GoogleCredentials.get_application_default()
from googleapiclient.discovery import build
bigquery=build('bigquery', 'v2', credentials=credentials)
print bigquery.datasets().list(projectId=#{ProjectId}).execute()
[or similar]
Good luck!
I am making my first Web App using Generator Angular Fullstack. I went through the project initialization here: https://github.com/DaftMonk/generator-angular-fullstack
During initialization I set up oAuth for the following: Facebook, Google+, Twitter
I am using Openshift as well, and after initializing the project... I used the steps to add it to openshift. This included setting up environment variables for RHC for Facebook, Google+ and Twitter authentication. I added these as well.
However, with my new app... I cannot create a new account with Facebook, Google+ or Twitter.
When I create new account these are the errors I get:
Facebook:
Invalid App ID: id
Google+:
401. That’s an error.
Error: invalid_client
The OAuth client was not found.
Request Details
scope=https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
response_type=code
redirect_uri=http://site.rhcloud.com/auth/google/callback
client_id=id
That’s all we know.
Twitter:
Internal Server Error
I haven't done much besides go through the tutorial so far. But I feel I missed something. Any help on this topic would be grea.t Thanks :)
Well, first of all you have to configure your clientIDs, clientSecrets and callBackURLs. These you will need to find on each oAuth provider's developer platform page. i.e. for Facebook this would be: https://developers.facebook.com/apps/
These can be placed in the local.env.js file (a sample is included, like this:
module.exports = {
DOMAIN: 'http://localhost:9000',
SESSION_SECRET: "xxxxxxxxxxxxx",
FACEBOOK_ID: 'xxxxxxx',
FACEBOOK_SECRET: 'xxxxxxx',
TWITTER_ID: 'xxxxxxx',
TWITTER_SECRET: 'xxxxxx',
GOOGLE_ID: 'xxxxxxx',
GOOGLE_SECRET: 'xxxxxxx',
.....
};
When deploying to Heroku don't forget to set the DOMAIN config variable with http/https prefix when using Google+ sign-in.
heroku config:set DOMAIN=http://<your app name>.herokuapp.com
Otherwise you will get a redirect_uri_mismatch. If this ends with an internal server error you probably need to enable the Google+ API in the Google developer console.
If you have obtained your provided ID and SECRET keys and you are still having difficulty with OpenShift as I did ... I found setting environment variables for the application did the trick for me.
Google for example:
rhc set-env -a GOOGLE_ID=
rhc set-env -a GOODLE_SECRET=
The module exports in local.env.js worked fine for me when I was developing locally but didn't when I pushed my app to OpenShift via grunt buildcontrol