Could really use some help here. I have a GAE NodeJS app in the standard environment. Until a few days ago (09/23) it was running just fine, it would respond to requests as expected, etc.
Today, the app responds with 403's when I try to make any request to my appspot url. I'm 100% certain this is not a code issue, as if I deploy the same code to GAE in another project, it works fine. Furthermore, the only firewall rule is a wildcard to allow all traffic.
Edit: adding the only relevant-looking log entry I see from the project:
{
"protoPayload": {
"#type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {},
"authenticationInfo": {
"principalEmail": "address#domain.com"
},
"requestMetadata": {
"callerIp": "x.x.x.x",
"requestAttributes": {
"time": "2021-09-23T15:04:05.198927Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "appengine.googleapis.com",
"methodName": "google.appengine.v1.Services.UpdateService",
"authorizationInfo": [
{
"resource": "apps/my-google-cloud-project-id/services/default",
"permission": "appengine.services.update",
"granted": true,
"resourceAttributes": {}
}
],
"resourceName": "apps/my-google-cloud-project-id/services/default",
"serviceData": {
"#type": "type.googleapis.com/google.appengine.v1.AuditData",
"updateService": {
"request": {
"name": "apps/my-google-cloud-project-id/services/default",
"service": {
"networkSettings": {
"ingressTrafficAllowed": "INGRESS_TRAFFIC_ALLOWED_INTERNAL_AND_LB"
}
},
"updateMask": "networkSettings"
}
}
},
"resourceLocation": {
"currentLocations": [
"us-east1"
]
}
},
"insertId": "an-id",
"resource": {
"type": "gae_app",
"labels": {
"project_id": "my-google-cloud-project-id",
"zone": "",
"module_id": "default",
"version_id": ""
}
},
"timestamp": "2021-09-23T15:04:05.131761Z",
"severity": "NOTICE",
"logName": "projects/my-google-cloud-project-id/logs/cloudaudit.googleapis.com%2Factivity",
"operation": {
"id": "some-operation-uuid",
"producer": "appengine.googleapis.com/admin",
"first": true
},
"receiveTimestamp": "2021-09-23T15:04:05.495890906Z"
}
I don't recall making this change, and I'm not sure what the ingressTrafficAllowed value was before.
Somehow the ingress setting on the GAE service got changed. I believe that issue was fixed by going to GCP console > App Engine > Services > select affected service(s) -> Edit ingress setting from the top, and select the appropriate value.
I say I believe this fixed the issue as I was still getting 403's on my appspot url after doing this, and ultimately I ended up deleting and re-creating the project from scratch, which got everything working again. Clearly there was some misconfiguration somewhere in my project, but GCP does not make it easy to diagnose what the issue might be.
Related
I have a Flexible Sync app in MongoDB App Services (formerly MongoDB Realm).
The main model object is an Activity, which should be readable and writable by its owner, but also read-only by a supervisor.
These are the sync roles I have set up:
{
"rules": {
"Activity": [
{
"name": "owner_supervisor_activity_permission",
"applyWhen": {},
"read": {
"$or": [
{
"ownerID": "%%user.id"
},
{
"supervisorID": "%%user.id"
}
]
},
"write": {
"ownerID": "%%user.id"
}
}
]
},
"defaultRoles": [
{
"name": "owner-read-write",
"applyWhen": {},
"read": {
"ownerID": "%%user.id"
},
"write": {
"ownerID": "%%user.id"
}
}
]
}
Although sync seems to work just fine, I get the following error message in the logs for both roles:
Using sync incompatible role "owner_supervisor_activity_permission" for table "Activity". this role will default to deny all access. consider changing this role to be sync compatible (ProtocolErrorCode=201)
I do not know what to do here and I’m wondering if it could be a bug.
Do I need to set the per-collection rules? I thought sync roles overrode those.
Is it a matter of using the applyWhen field?
Thanks
I'am evaluating a Quarkus application on App Engine.
The application needs a Postgres DB on Cloud SQL, where I named the instance 'quarkus'.
But I'am stuck getting these access error:
Not authorized to access instance: addlogic-foodiefnf-1:quarkus
The serviceAccount:addlogic-foodiefnf-1#appspot.gserviceaccount.com has these roles:
Cloud SQL Admin
Cloud SQL Service Agent
Editor
What I'am missing?
{
"protoPayload": {
"#type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {
"code": 7,
"message": "Not authorized to access instance: addlogic-foodiefnf-1:quarkus "
},
"authenticationInfo": {
"principalEmail": "addlogic-foodiefnf-1#appspot.gserviceaccount.com",
"serviceAccountDelegationInfo": [
{
"firstPartyPrincipal": {
"principalEmail": "app-engine-appserver#prod.google.com"
}
}
],
"principalSubject": "serviceAccount:addlogic-foodiefnf-1#appspot.gserviceaccount.com"
},
"requestMetadata": {
"callerIp": "107.178.230.54",
"requestAttributes": {
"time": "2021-09-27T06:18:33.283490Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "cloudsql.googleapis.com",
"methodName": "cloudsql.instances.connect",
"authorizationInfo": [
{
"resource": "instances/quarkus ",
"permission": "cloudsql.instances.connect",
"granted": true,
"resourceAttributes": {
"service": "sqladmin.googleapis.com",
"name": "projects/addlogic-foodiefnf-1/instances/quarkus ",
"type": "sqladmin.googleapis.com/Instance"
}
}
],
"resourceName": "instances/quarkus ",
"request": {
"#type": "type.googleapis.com/google.cloud.sql.v1beta4.SqlInstancesCreateEphemeralCertRequest",
"instance": "europe-west3~quarkus ",
"project": "addlogic-foodiefnf-1",
"body": {}
},
"response": {}
},
"insertId": "-il5zyxe1b1rn",
"resource": {
"type": "cloudsql_database",
"labels": {
"project_id": "addlogic-foodiefnf-1",
"database_id": "addlogic-foodiefnf-1:quarkus ",
"region": "europe-west3"
}
},
"timestamp": "2021-09-27T06:18:33.270158Z",
"severity": "ERROR",
"logName": "projects/addlogic-foodiefnf-1/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2021-09-27T06:18:33.799357464Z"
}
Background story:
I've set up my quarkus application regarding to
https://quarkus.io/guides/deploying-to-google-cloud
but class 'PostgreSQL10Dialect'failed to load:
See Why is class PostgreSQL10Dialect not found on Quarkus in Google App Engine java11?
At this current post here I like to learn how to debug the access error at Google App Engine to Cloud SQL.
Cloud SQL instance is set up with public IP. Is there anymore setup needed at Cloud SQL instance?
As said above, service account at standard app engine has role 'Cloud SQL Admin' as required by
https://cloud.google.com/sql/docs/postgres/connect-app-engine-standard#java
Any help appreciated.
I understand that using ´quarkus.datasource.db-kind=postgresql´ triggers hibernate to do auto configuration. And therefore the connection can not be established.
I have to use quarkus.datasource.db-kind=other to prevent Quarkus auto-configuration and access problems.
(As this solves this question here, my issue at Why is class PostgreSQL10Dialect not found on Quarkus in Google App Engine java11? is still open.)
I'm receiving the error when deploying the flex version .net core app to GCP.
I've additionally tested via gcloud app deploy and getting the exact same issue. In the logs there are multiple errors all with audit_log, method: "google.appengine.v1.Versions.CreateVersion", with status { code: 13 }, added below.
There doesn't seem to be any other logs to help investigation.
Any advice please?
{
"protoPayload": {
"#type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {
"code": 13
},
"authenticationInfo": {
"principalEmail": "xxxx.iam.gserviceaccount.com",
"serviceAccountKeyName": "//iam.googleapis.com/projects/xxxxxx/serviceAccounts/xxxx.iam.gserviceaccount.com/keys/xxxxxxxxxxxx"
},
"requestMetadata": {
"callerIp": "xx.xx.xx.xx",
"requestAttributes": {
"time": "2021-01-21T15:32:15.695398Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "appengine.googleapis.com",
"methodName": "google.appengine.v1.Versions.CreateVersion",
"authorizationInfo": [
{
"resource": "apps/xxxxxxxx/services/default/versions/XYZ",
"permission": "appengine.versions.create",
"granted": true,
"resourceAttributes": {}
}
],
"resourceName": "apps/xxxxxxxx/services/default/versions/XYZ",
"serviceData": {
"#type": "type.googleapis.com/google.appengine.v1.AuditData",
"createVersion": {
"request": {
"parent": "apps/xxxxxxxx/services/default",
"version": {
"id": "XYZ",
"automaticScaling": {
....
},
"resources": {
....
},
"runtime": "aspnetcore",
"env": "flex",
"servingStatus": "SERVING",
"envVariables": {
"GCLOUD_PROJECT_NUMBER": "xxxxxxx"
},
"readinessCheck": {
....
},
"livenessCheck": {
....
}
}
}
}
},
"resourceLocation": {
"currentLocations": [
....
]
}
},
"insertId": "crndlud361i",
"resource": {
"type": "gae_app",
"labels": {
....
}
},
"timestamp": "2021-01-21T15:32:15.695398Z",
"severity": "ERROR",
"logName": "projects/xxxxxxxx/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2021-01-21T15:32:15.683297004Z"
}
Raised a ticket with Google to advise on the issue. I'm not sure the guys got to the bottom of it, however what sorted it in the end was this recommendation:
Can you try to disable and enable again App Engine Admin API in
Console->Api & Services section and try to deploy again? If it doesn't
help try to also disable/enable Google App Engine Flexible Environment API and try again.
Update: G guys got to the bottom of it. It was a permission removed for a App Engine Flexible Environment Service Agent role.
Google engineers confirmed they will look into improving an error details.
I tried deploying cosmosDB and when I first create it I get this error -
"Request rate is large. More Request Units may be needed, so no changes were made"
After redeploying it works.
But the initial creation doesn't.
I extended the throughput to 50000 (autoscale)
and 10000 with fixed size.
Is there another option to extend the RUs?
"type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
"apiVersion": "2020-03-01",
"name": "
"dependsOn":
],
"properties": {
"resource": {
"id": "subscriptions",
"indexingPolicy": {
"indexingMode": "consistent",
"automatic": true,
"includedPaths": [
{
"path": "/*"
}
],
"excludedPaths": [
{
"path": "/\"_etag\"/?"
}
],
"spatialIndexes": [
{
"path": "/*",
"types": ["Point", "LineString", "Polygon", "MultiPolygon"]
}
]
},
"partitionKey": {
"paths": ["/partitionKey"],
"kind": "Hash"
},
"uniqueKeyPolicy": {
"uniqueKeys": []
},
"conflictResolutionPolicy": {
"mode": "LastWriterWins",
"conflictResolutionPath": "/_ts"
}
},
"options": {
"autoscaleSettings": {
"maxThroughput": 50000
}
}
}
The error message indicates that there was a large number of requests hitting the master partition for your account. This can be caused by other clients querying the database resource to list containers or querying containers to get it's properties. It can also happen when you are deploying a large number of Cosmos resources at the same time. This is mostly a transient issue and is hard to reproduce.
Your arm template for this container looks correct. I'm guessing you've purposely removed the name and depends on parameters.
I would update the api-version to 2020-04-01 however. There are issues with 2020-03-01 with autoscale and that api-version is going to be deprecated in the future.
Hello i want to configure my PWA app.
My app works fine except dynamic content api. When online it working fine but when i go offline i get status 503 from serviceWorker.
My config file:
ngsw-manifest.json
{
"dynamic": {
"group": [{
"name": "api",
"urls": {
"https:url": {
"match": "prefix"
}
},
"cache": {
"optimizeFor": "freshness",
"maxAgeMs": 3600000,
"maxEntries": 20,
"strategy": "lru"
}
}]
},
"external": {
"urls": [{
"url": "https://fonts.googleapis.com/icon?family=Material+Icons"
}]
}
}
If you are hosting your app on Firebase you might want to look into using the new Firestore database. It's is designed for offline data. Firebase had issues with PWAs in Offline Mode. Also, the core of PWAs (ServiceWorker) has been rewritten in Angular 5.