So I created my first app engine and I think I deleted wrong service account. I was able to recover it following ideas here.
However I still can't redeploy app engine (or deploy any new engine in the project). Here is the error I'm getting. As I said, I managed to run projects.serviceAccounts.undelete endpoint but it doesn't help. Any idea what could be done to get this working again?
This may be due to network connectivity issues. Please check your network settings, and the status of the service you are trying to reach.
ERROR: (gcloud.app.deploy) HttpError accessing <https://appengine.googleapis.com/v1/apps/{project}/services/orch/versions?alt=json>: response: <{'vary': 'Origin, X-Origin, Referer', 'c
ontent-type': 'application/json; charset=UTF-8', 'date': 'Mon, 17 May 2021 19:47:03 GMT', 'server': 'ESF', 'cache-control': 'private', 'x-xss-protection': '0', 'x-frame-options': 'SAMEORI
GIN', 'x-content-type-options': 'nosniff', 'alt-svc': 'h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
,quic=":443"; ma=2592000; v="46,43"', 'transfer-encoding': 'chunked', 'status': '500', 'content-length': '147', '-content-encoding': 'gzip'}>, content <{
"error": {
"code": 500,
"message": "AppEngine service account cannot be generated for p~{project}.",
"status": "INTERNAL"
}
}
edit 1:
I went to the source code of app engine and under the debugger there is info:
Please fix the following issue and try again:
App Engine service account
An error has occurred while adding the App Engine default service account. Visit this page and manually add the <project-name>#appspot.gserviceaccount.com account with editor role.
however when I try to add it I get
Email addresses and domains must be associated with an active Google Account, Google Workspace account, or Cloud Identity account.
I see that you have inadvertently deleted the default service account,this could cause the products which rely on App Engine (including Cloud Functions and Cloud Scheduler) to not work as expected, as you are experiencing now.
Please follow the below steps if 30 days has not elapsed since deleting the account:
My best recommendation is that you deploy your resources in a different project to work around this issue.
However if there is significant investment made into deploying the account you can reach out to GOOGLE CLOUD PLATFORM SUPPORT by using the following link[1], as depending upon the severity or type of your deployment ,there could be changes made to undelete it completely. This process can be done upto 30 days after deletion.
Incase 30 days have elapsed since the deletion of the account, Unfortunately it is not possible to recover the account.
[1] https://cloud.google.com/contact
[2]https://cloud.google.com/iam/docs/creating-managing-service-accounts#undeleting
Related
I have created custom policies with SSO and account migration (you can view them on GitHub here, Note: I removed/edited values for security reasons). I want users to be able to sign in with a social provider OR local account for the first time. I will then migrate their account from the legacy identity provider to AAD B2C. The following goes wrong at the moment though.
The biggest problem is when the account is migrated and the user can sign in, then when trying to link social accounts, I get the following error.
AADB2C90051: No suitable claims providers were found.
Correlation ID: 4491cd4a-2f98-4a86-8d65-da3f7f26e890
Timestamp: 2022-11-20 10:38:05Z
The weird thing is, if I first sign-in using Google or Facebook (which then migrates the account) then sign-in with Microsoft or the local account, it will work. But when first signing in with either Microsoft or a local account, I get the error.
I've seen this and other posts but cannot find what I am missing. I know the policies are very big, so to start, look in CUSTOM_USERJOURNEY.xml for ProvisionOrSignInNewSocialAccount on GitHub.
By default, the hasPassword property doesn't exist by for existing local B2C user profiles. It is introduced by the linking Custom Policy. You will need to manually (or by script) add value true for that property, and it will start working.
You can use Graph API to add value, so basically PATCH to user endpoint:
PATCH /v1.0/users/12bda93c-f782-431c-b962-52c5304c0668 HTTP/1.1
Host: graph.microsoft.com
Content-Type: application/json
Authorization: Bearer eyJ0...
{
"extension_67a963aa6ce74511923b85511f0f8dad_hasPassword" : true
}
See here for full discussion: https://bytemeta.vip/repo/azure-ad-b2c/samples/issues/430
Slightly related to this question, but scenario is different: AAD-FindLocalAccountWithSocialEmail produces No suitable claims providers were found
I'm trying to implement checking availability for specific user (actually a room) in O365 calendar. I'm using Graph API as it's recommended by Microsoft.
My first approach was using POST on https://graph.microsoft.com/v1.0/me/findMeetingTimes with the message body prepared according to template given in Graph API Explorer. On the API Explorer everything seems to work fine but when I try to run exactly the same request with my applications token I receive 403:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "b130177d-e138-4cc7-8e72-5d3529a9dc24",
"date": "2017-03-21T08:47:10"
}
}
}
I checked the app's delegated permissions in AAD and they seem to be fine. For Microsoft Graph those are granted:
Calendars.ReadWrite.Shared
Calendars.Read.Shared
Calendars.ReadWrite
Calendars.Read
I get exactly the same response (403) when I try to simply list user's events: https://graph.microsoft.com/v1.0/users//events In Graph API Explorer 500 is returned.
I found the following bug description: https://github.com/microsoftgraph/microsoft-graph-docs/issues/559 (and probably this one too) Is it related with the issues above?
Any clue what I might be doing wrong?
Is there any other way to achieve the same using different endpoint or API assuming that I still want to use oAuth for authorization?
I will be grateful for any hint
Update: Outlook Calendar API seems to work. Still appreciate any ideas why Graph API doesn't?
The FindMeetingAPI needs A work or a school account . If you are logging in using your personal email ID , you might not be able to login. Moreover , you need to set permissions to Calendars.Read Calendars.Read.All Calendars.ReadWrite User.Read"
We would like to automatically create a project ID and install our ULAPPH Cloud Desktop application using the App Engine Admin API (REST) and Golang.
https://cloud.google.com/appengine/docs/admin-api/?hl=en_US&_ga=1.265860687.1935695756.1490699302
https://ulapph-public-1.appspot.com/articles?TYPE=ARTICLE&DOC_ID=3&SID=TDSARTL-3
We were able to get a token but when we tried to create a project ID, we get the error below.
[Response OK] Successful connection to Appengine Admin API.
[Token] { "access_token" : "TOKEN_HERE", "expires_in" : 3599, "token_type" : "Bearer" }
[Response Code] 403
[Response Body] { "error": { "code": 403, "message": "Operation not allowed", "status": "PERMISSION_DENIED", "details": [ { "#type": "type.googleapis.com/google.rpc.ResourceInfo", "resourceType": "gae.api", "description": "The \"appengine.applications.create\" permission is required." } ] } }
We are just using the REST API calls. Request for token was successful as you can see above and the scope is ok as well. Now, when we posted the request to create application, we are having the error that says "appengine.application.create" permission required.
How do we specify the permission?
What are the possible reasons why we are getting that error? Do we missed to send a field in JSON or in query?
As per below link, we just need to pass the json containing the id and location. We also just need to pass the token in the Authorization header. The same logic I have used successfully in accessing Youtube, Drive APIs etc so not sure what needs to be done since I have followed the docs available.
I have also posted the same issue in Google Groups and now waiting for their reply.
It seems you've given no details about how you set up the account you're using to authorize the request. You'll need to make sure the appengine.applications.create permission is given to the account you're using, as mentioned in the error text. You can use the Google Identity and Access Management (IAM) API for this.
(by the way, I'd given this answer in the original thread, although you didn't reply or seem to take action on it. check it out! this is likely the solution you need!)
I have been using outlook rest api's to read/create/update calendar events of outlook account.
Followed all the steps https://dev.outlook.com/RestGettingStarted/
It works very well for the subscription account's.
But the api does not work to load the calendar events of my personal outlook account ex: phani.xxx#outlook.com.
API responds with below error:
"error": {
"code": "ErrorMissingEmailAddress",
"message": "When making a request as an account that does not have a mailbox, you must specify the mailbox primary SMTP address for any distinguished folder Ids."
}
I have tried the same with outlook sandbox got the same response.
Any help on this to get this api working for any outlook account. Will be highly appreciated.
This is likely due to your account not yet being enabled for the REST API. There's an issue with the v2 endpoint not returning the proper error message in this case.
I'm trying to get a Google Cloud Storage + Google App Engine (Python) "Hello world" app running.
I have followed the instructions to activate Google Cloud Storage and created a bucket from within my App Engine app's console. I've written a trivial program to write a test file, but when I run it, the cloud storage library throws a 403, apparently because my App Engine app's credentials aren't being presented, aren't valid, or don't have rights to this bucket.
Here's the code:
BUCKET = '/pcj-info-testing'
class TestGCS(webapp2.RequestHandler):
def create_file(self, filename):
self.response.write("Creating\n");
gcs_file = gcs.open(filename, 'w', content_type = 'text/plain');
gcs_file.write('Testing, 1, 2, 3\n')
gcs_file.write('At ' + datetime.now().isoformat())
gcs_file.close()
def get(self):
self.response.headers['Content-Type'] = 'text/plain'
filename = BUCKET + "/demo-file" + str(random.randrange(10**10, 10**11-1))
self.create_file(filename)
self.response.write('File stat:\n')
stat = gcs.stat(filename)
self.response.write(repr(stat))
and here is the relevant portion of the stack trace and error:
File "/base/data/home/apps/s~pcj-info/1.373629132682543570/gcstest.py", line 14, in create_file
gcs_file = gcs.open(filename, 'w', content_type = 'text/plain');
File "/base/data/home/apps/s~pcj-info/1.373629132682543570/cloudstorage/cloudstorage_api.py", line 74, in open
return storage_api.StreamingBuffer(api, filename, content_type, options)
File "/base/data/home/apps/s~pcj-info/1.373629132682543570/cloudstorage/storage_api.py", line 597, in __init__
errors.check_status(status, [201], path, headers, resp_headers)
File "/base/data/home/apps/s~pcj-info/1.373629132682543570/cloudstorage/errors.py", line 106, in check_status
raise ForbiddenError(msg)
ForbiddenError: Expect status [201] from Google Storage. But got status 403.
Path: '/pcj-info-testing/demo-file16955619179'.
Request headers: {'x-goog-resumable': 'start', 'x-goog-api-version': '2', 'content-type': 'text/plain', 'accept-encoding': 'gzip, *'}.
Response headers: {'alternate-protocol': '443:quic', 'content-length': '146', 'via': 'HTTP/1.1 GWA', 'x-google-cache-control': 'remote-fetch', 'vary': 'Origin', 'server': 'HTTP Upload Server Built on Jan 23 2014 15:07:07 (1390518427)', 'date': 'Sat, 08 Feb 2014 16:49:56 GMT', 'content-type': 'application/xml; charset=UTF-8'}.
Extra info: None.
I've looked at the access privileges on the bucket, and they look correct (although they should have been created correctly by default, according to the documentation)—the IDs listed as mine in the Google APIs Console are the same ones in the bucket permissions, with Owner permissions.
I can see the reasons that Google might return a 403 in their Status Codes documentation, but the urlfetch library in App Engine that makes the call doesn't return these error names, as far as I can tell (I assume they are the text strings returned in the HTTP response right after the error code, but the library only gives you the integer result, I think). So I'm at a loss for what to do next.
Is there any straightforward way to capture the error being returned by the API? My troubleshooting would vary dramatically if I knew the error was AccountProblem vs. InvalidSecurity or something. It's very frustrating that the API returns error codes in a way that's not accessible to users using the recommended library on a supported cloud development platform.
If I give "All Authenticated Users" access to write, it works. So it looks like I'm authenticating as someone, but that someone isn't on the permissions list. Adding the Gmail account I'm logged in as while testing the app doesn't help. (The app requires admin login to hit all URLs.)
You need to add the appengine service account as having write permissions.
You can find the service account email under the "Application Settings" of the appengine console, under "Service Account Name".