Google Cloud App Engine Flex deployment error - google-app-engine

I'm receiving the error when deploying the flex version .net core app to GCP.
I've additionally tested via gcloud app deploy and getting the exact same issue. In the logs there are multiple errors all with audit_log, method: "google.appengine.v1.Versions.CreateVersion", with status { code: 13 }, added below.
There don't seem to be any other logs to help investigation.
Any advice please?
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {
"code": 13
},
"authenticationInfo": {
"principalEmail": "xxxx.iam.gserviceaccount.com",
"serviceAccountKeyName": "//iam.googleapis.com/projects/xxxxxx/serviceAccounts/xxxx.iam.gserviceaccount.com/keys/xxxxxxxxxxxx"
},
"requestMetadata": {
"callerIp": "xx.xx.xx.xx",
"requestAttributes": {
"time": "2021-01-21T15:32:15.695398Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "appengine.googleapis.com",
"methodName": "google.appengine.v1.Versions.CreateVersion",
"authorizationInfo": [
{
"resource": "apps/xxxxxxxx/services/default/versions/XYZ",
"permission": "appengine.versions.create",
"granted": true,
"resourceAttributes": {}
}
],
"resourceName": "apps/xxxxxxxx/services/default/versions/XYZ",
"serviceData": {
"@type": "type.googleapis.com/google.appengine.v1.AuditData",
"createVersion": {
"request": {
"parent": "apps/xxxxxxxx/services/default",
"version": {
"id": "XYZ",
"automaticScaling": {
....
},
"resources": {
....
},
"runtime": "aspnetcore",
"env": "flex",
"servingStatus": "SERVING",
"envVariables": {
"GCLOUD_PROJECT_NUMBER": "xxxxxxx"
},
"readinessCheck": {
....
},
"livenessCheck": {
....
}
}
}
}
},
"resourceLocation": {
"currentLocations": [
....
]
}
},
"insertId": "crndlud361i",
"resource": {
"type": "gae_app",
"labels": {
....
}
},
"timestamp": "2021-01-21T15:32:15.695398Z",
"severity": "ERROR",
"logName": "projects/xxxxxxxx/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2021-01-21T15:32:15.683297004Z"
}

Raised a ticket with Google to advise on the issue. I'm not sure the guys got to the bottom of it, however what sorted it in the end was this recommendation:
Can you try to disable and enable again App Engine Admin API in
Console->Api & Services section and try to deploy again? If it doesn't
help try to also disable/enable Google App Engine Flexible Environment API and try again.
Update: G guys got to the bottom of it. It was a permission removed for an App Engine Flexible Environment Service Agent role.
Google engineers confirmed they will look into improving the error details.

Related

Why is Google App Engine throwing access forbidden errors?

Could really use some help here. I have a GAE NodeJS app in the standard environment. Until a few days ago (09/23) it was running just fine, it would respond to requests as expected, etc.
Today, the app responds with 403's when I try to make any request to my appspot url. I'm 100% certain this is not a code issue, as if I deploy the same code to GAE in another project, it works fine. Furthermore, the only firewall rule is a wildcard to allow all traffic.
Edit: adding the only relevant-looking log entry I see from the project:
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {},
"authenticationInfo": {
"principalEmail": "address@domain.com"
},
"requestMetadata": {
"callerIp": "x.x.x.x",
"requestAttributes": {
"time": "2021-09-23T15:04:05.198927Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "appengine.googleapis.com",
"methodName": "google.appengine.v1.Services.UpdateService",
"authorizationInfo": [
{
"resource": "apps/my-google-cloud-project-id/services/default",
"permission": "appengine.services.update",
"granted": true,
"resourceAttributes": {}
}
],
"resourceName": "apps/my-google-cloud-project-id/services/default",
"serviceData": {
"@type": "type.googleapis.com/google.appengine.v1.AuditData",
"updateService": {
"request": {
"name": "apps/my-google-cloud-project-id/services/default",
"service": {
"networkSettings": {
"ingressTrafficAllowed": "INGRESS_TRAFFIC_ALLOWED_INTERNAL_AND_LB"
}
},
"updateMask": "networkSettings"
}
}
},
"resourceLocation": {
"currentLocations": [
"us-east1"
]
}
},
"insertId": "an-id",
"resource": {
"type": "gae_app",
"labels": {
"project_id": "my-google-cloud-project-id",
"zone": "",
"module_id": "default",
"version_id": ""
}
},
"timestamp": "2021-09-23T15:04:05.131761Z",
"severity": "NOTICE",
"logName": "projects/my-google-cloud-project-id/logs/cloudaudit.googleapis.com%2Factivity",
"operation": {
"id": "some-operation-uuid",
"producer": "appengine.googleapis.com/admin",
"first": true
},
"receiveTimestamp": "2021-09-23T15:04:05.495890906Z"
}
I don't recall making this change, and I'm not sure what the ingressTrafficAllowed value was before.
Somehow the ingress setting on the GAE service got changed. I believe that issue was fixed by going to GCP console > App Engine > Services > select affected service(s) -> Edit ingress setting from the top, and select the appropriate value.
I say I believe this fixed the issue as I was still getting 403's on my appspot url after doing this, and ultimately I ended up deleting and re-creating the project from scratch, which got everything working again. Clearly there was some misconfiguration somewhere in my project, but GCP does not make it easy to diagnose what the issue might be.
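Added example (not part of the original posts): a small triage pass over Cloud Audit Log entries shaped like the two quoted above. It flags calls that failed even though the caller's own permission was granted, and UpdateService calls that change the ingress setting. The sample entries are constructed, and the function names are this example's own.

```python
# gRPC status codes seen in the audit entries quoted on this page.
STATUS_NAMES = {7: "PERMISSION_DENIED", 13: "INTERNAL"}

def triage(entry):
    """Return findings (strings) for one Cloud Audit Log entry given as a dict."""
    findings = []
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    who = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    code = payload.get("status", {}).get("code", 0)
    granted = [a.get("permission") for a in payload.get("authorizationInfo", [])
               if a.get("granted")]
    # Caller passed its own IAM check, yet the call failed: look beyond the
    # caller's bindings (on this page, a service agent role lost a permission).
    if code and granted:
        findings.append(f"{method} by {who} failed with "
                        f"{STATUS_NAMES.get(code, code)} although "
                        f"{', '.join(granted)} was granted")
    # An UpdateService whose update mask touches networkSettings changes
    # which traffic can reach the service.
    req = payload.get("serviceData", {}).get("updateService", {}).get("request", {})
    if any(p.startswith("networkSettings") for p in req.get("updateMask", "").split(",")):
        ingress = req.get("service", {}).get("networkSettings", {}).get("ingressTrafficAllowed")
        findings.append(f"{who} set ingress of {req.get('name')} to {ingress}")
    return findings

# Constructed sample entries, cut down from the two logs quoted above.
SAMPLE = [
    {"protoPayload": {
        "status": {"code": 13},
        "authenticationInfo": {"principalEmail": "deployer@example.iam.gserviceaccount.com"},
        "methodName": "google.appengine.v1.Versions.CreateVersion",
        "authorizationInfo": [{"permission": "appengine.versions.create", "granted": True}]}},
    {"protoPayload": {
        "status": {},
        "authenticationInfo": {"principalEmail": "address@domain.com"},
        "methodName": "google.appengine.v1.Services.UpdateService",
        "authorizationInfo": [{"permission": "appengine.services.update", "granted": True}],
        "serviceData": {"updateService": {"request": {
            "name": "apps/my-google-cloud-project-id/services/default",
            "service": {"networkSettings": {
                "ingressTrafficAllowed": "INGRESS_TRAFFIC_ALLOWED_INTERNAL_AND_LB"}},
            "updateMask": "networkSettings"}}}}},
]

def run(entries=SAMPLE):
    return [finding for entry in entries for finding in triage(entry)]

if __name__ == "__main__":
    print("\n".join(run()))
```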

GAE - How to configure access to Cloud SQL from Google App Engine in quarkus java11 app?

I'm evaluating a Quarkus application on App Engine.
The application needs a Postgres DB on Cloud SQL, where I named the instance 'quarkus'.
But I'm stuck getting this access error:
Not authorized to access instance: addlogic-foodiefnf-1:quarkus
The serviceAccount:addlogic-foodiefnf-1@appspot.gserviceaccount.com has these roles:
Cloud SQL Admin
Cloud SQL Service Agent
Editor
What am I missing?
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {
"code": 7,
"message": "Not authorized to access instance: addlogic-foodiefnf-1:quarkus "
},
"authenticationInfo": {
"principalEmail": "addlogic-foodiefnf-1@appspot.gserviceaccount.com",
"serviceAccountDelegationInfo": [
{
"firstPartyPrincipal": {
"principalEmail": "app-engine-appserver@prod.google.com"
}
}
],
"principalSubject": "serviceAccount:addlogic-foodiefnf-1@appspot.gserviceaccount.com"
},
"requestMetadata": {
"callerIp": "107.178.230.54",
"requestAttributes": {
"time": "2021-09-27T06:18:33.283490Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "cloudsql.googleapis.com",
"methodName": "cloudsql.instances.connect",
"authorizationInfo": [
{
"resource": "instances/quarkus ",
"permission": "cloudsql.instances.connect",
"granted": true,
"resourceAttributes": {
"service": "sqladmin.googleapis.com",
"name": "projects/addlogic-foodiefnf-1/instances/quarkus ",
"type": "sqladmin.googleapis.com/Instance"
}
}
],
"resourceName": "instances/quarkus ",
"request": {
"@type": "type.googleapis.com/google.cloud.sql.v1beta4.SqlInstancesCreateEphemeralCertRequest",
"instance": "europe-west3~quarkus ",
"project": "addlogic-foodiefnf-1",
"body": {}
},
"response": {}
},
"insertId": "-il5zyxe1b1rn",
"resource": {
"type": "cloudsql_database",
"labels": {
"project_id": "addlogic-foodiefnf-1",
"database_id": "addlogic-foodiefnf-1:quarkus ",
"region": "europe-west3"
}
},
"timestamp": "2021-09-27T06:18:33.270158Z",
"severity": "ERROR",
"logName": "projects/addlogic-foodiefnf-1/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2021-09-27T06:18:33.799357464Z"
}
Background story:
I've set up my Quarkus application according to
https://quarkus.io/guides/deploying-to-google-cloud
but class 'PostgreSQL10Dialect' failed to load:
See Why is class PostgreSQL10Dialect not found on Quarkus in Google App Engine java11?
At this current post here I like to learn how to debug the access error at Google App Engine to Cloud SQL.
Cloud SQL instance is set up with public IP. Is there anymore setup needed at Cloud SQL instance?
As said above, service account at standard app engine has role 'Cloud SQL Admin' as required by
https://cloud.google.com/sql/docs/postgres/connect-app-engine-standard#java
Any help appreciated.
I understand that using ´quarkus.datasource.db-kind=postgresql´ triggers hibernate to do auto configuration. And therefore the connection can not be established.
I have to use quarkus.datasource.db-kind=other to prevent Quarkus auto-configuration and access problems.
(As this solves this question here, my issue at Why is class PostgreSQL10Dialect not found on Quarkus in Google App Engine java11? is still open.)

Alexa skills events not firing when hosted in web service

I have a custom skill that calls a web service I created. I am able to launch it and get other intents, but I am not getting a notification when the permission for notifications is changed by a user of my skill. I need the notification event to get the user id for sending push notifications later from another service.
Below is my json file:
{
"manifest": {
"apis": {
"custom": {
"endpoint": {
"uri": "https://pathToMyService",
"sslCertificateType": "Wildcard"
},
"interfaces": []
}
},
"events": {
"publications": [
{ "eventName": "AMAZON.TrashCollectionAlert.Activated" },
{ "eventName": "AMAZON.MessageAlert.Activated" }
],
"subscriptions": [
{ "eventName": "SKILL_PROACTIVE_SUBSCRIPTION_CHANGED" },
{ "eventName": "SKILL_ENABLED" },
{ "eventName": "SKILL_DISABLED" },
{ "eventName": "SKILL_PERMISSION_ACCEPTED" },
{ "eventName": "SKILL_PERMISSION_CHANGED" }
],
"regions": {
"NA": {
"endpoint": {
"uri": "https://pathToMyService",
"sslCertificateType": "Wildcard"
}
}
},
"endpoint": {
"uri": "https://pathToMyService",
"sslCertificateType": "Wildcard"
}
},
"manifestVersion": "1.0",
"permissions": [
{ "name": "alexa::devices:all:notifications:write" }
],
"publishingInformation": {
"locales": {
"en-US": { "name": "Test Events" }
}
}
}
}
Below is the Launch request. I have truncated applicationId, userId, consentToken, deviceId, apiAccessToken:
{"version":"1.0","session":{"new":true,"sessionId":"amzn1.echo-api.session.60ad1e76-0872-4e10-b79d-7144cdf3e1c9","application":{"applicationId":"amzn1.ask.skill.59d60703"},"user":{"userId":"amzn1.ask.account.AGB7EOY","permissions":{"consentToken":"eyJ0eXAiOiJKV1"}}},"context":{"System":{"application":{"applicationId":"amzn1.ask.skill.59d60703"},"user":{"userId":"amzn1.ask.account.AGB7EOY","permissions":{"consentToken":"eyJ0eXAiOiJKV1Qi"}},"device":{"deviceId":"amzn1.ask.device.AFNXDZOAEMFDFKK","supportedInterfaces":{}},"apiEndpoint":"https://api.amazonalexa.com","apiAccessToken":"eyJ0eXAiOiJKV1Qi"}},"request":{"type":"LaunchRequest","requestId":"amzn1.echo-api.request.adb318af-1977-4b36-b8ad-0bb4352fa563","timestamp":"2020-03-22T23:37:55Z","locale":"en-US","shouldLinkResultBeReturned":false}}
Thanks
I resolved the issue: When I updated my skill.json file using
ask api update-skill -s amzn1.ask.skill.59d6 -f Test.json
it didn't update properly. I noticed today when I got latest
ask api get-skill -s amzn1.ask.skill.59d6 >Test2.json
the event section was missing. I added back and reapplied and it's working now.

Detecting when user unlinks alexa skill

I'm implementing an Alexa Smart Home skill and I want to know if a user is still using the app after a while.
Google Home, for example, sends a request when I unlink my app from the Google Smarthome app. I need to know it to disable sending updates to Amazon Alexa gateway if a user isn't using the skill anymore.
What's the best way of doing it? Alexa documentation doesn't talk about it.
Can I rely on just checking if the user has expired OAuth tokens? E.g. if expired for more than a day, mark user as inactive.
Another thing I'm going to test out tomorrow is just see the gateway response after having unlinked the skill. But for my case it wouldn't be good option anyway, as I will only know the user state after a physical change and trying to submit it and have it possibly fail. Which can happen after days or weeks, so it isn't that reliable.
You can integrate with Alexa Skill Events and get notification when user disables the Skill.
https://developer.amazon.com/docs/smapi/skill-events-in-alexa-skills.html#skill-disabled-event.
The SkillDisabled event only contains user_id (i.e. no access token). So you would also need to listen for the SkillAccountLinked event so you can link that user_id with your own user identifier.
Your Smart Home Skill manifest should look like this:
{
"manifest": {
"publishingInformation": {
"locales": {
"en-US": {
"summary": "...",
"examplePhrases": [
"Alexa, ...",
"Alexa, ...",
"Alexa, ..."
],
"keywords": [],
"name": "...",
"smallIconUri": "...",
"description": "...",
"largeIconUri": "..."
}
},
"isAvailableWorldwide": false,
"testingInstructions": "...",
"category": "SMART_HOME",
"distributionCountries": [
"US"
]
},
"apis": {
"smartHome": {
"endpoint": {
"uri": "arn:aws:lambda:..."
},
"protocolVersion": "3"
}
},
"manifestVersion": "1.0",
"permissions": [
{
"name": "alexa::async_event:write"
}
],
"privacyAndCompliance": {
"allowsPurchases": false,
"locales": {
"en-US": {
"termsOfUseUrl": "...",
"privacyPolicyUrl": "..."
}
},
"isExportCompliant": true,
"containsAds": false,
"isChildDirected": false,
"usesPersonalInfo": false
},
"events": {
"endpoint": {
"uri": "arn:aws:lambda:..."
},
"subscriptions": [
{
"eventName": "SKILL_ENABLED"
},
{
"eventName": "SKILL_DISABLED"
},
{
"eventName": "SKILL_PERMISSION_ACCEPTED"
},
{
"eventName": "SKILL_PERMISSION_CHANGED"
},
{
"eventName": "SKILL_ACCOUNT_LINKED"
}
],
"regions": {
"NA": {
"endpoint": {
"uri": "arn:aws:lambda:..."
}
}
}
}
}
}
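Added example (not from the original answer): a handler that keeps the link the answer describes, recording the Alexa userId against your own user on SkillAccountLinked so that a later SkillDisabled, which carries only the userId, can deactivate the right account. It assumes the event layout from the Alexa skill events documentation linked above; the stores, ids, tokens and the make_event helper are constructed for illustration.

```python
SKILL_ID = "amzn1.ask.skill.constructed-id"   # assumption: your own skill id
# Hypothetical in-memory stores; a real backend would use its own database.
TOKEN_OWNERS = {"constructed-access-token": "local-user-42"}  # tokens our OAuth server issued
LINKS = {}      # Alexa userId -> our user id
ACTIVE = set()  # our users that should still get gateway updates

def handle_skill_event(event):
    """Apply one skill event; return the local user id it affected, or None."""
    system = event["context"]["System"]
    if system["application"]["applicationId"] != SKILL_ID:
        return None  # event addressed to a different skill: ignore it
    alexa_user = system["user"]["userId"]
    request = event["request"]
    if request["type"] == "AlexaSkillEvent.SkillAccountLinked":
        owner = TOKEN_OWNERS.get(request["body"]["accessToken"])
        if owner is None:
            return None  # token we never issued: do not record a link
        LINKS[alexa_user] = owner
        ACTIVE.add(owner)
        return owner
    if request["type"] == "AlexaSkillEvent.SkillDisabled":
        owner = LINKS.pop(alexa_user, None)  # event carries only the userId
        ACTIVE.discard(owner)
        return owner
    return None

def make_event(kind, user_id, body=None, skill_id=SKILL_ID):
    """Build a constructed event with only the fields this handler reads."""
    return {"context": {"System": {"application": {"applicationId": skill_id},
                                   "user": {"userId": user_id}}},
            "request": {"type": "AlexaSkillEvent." + kind, "body": body or {}}}

if __name__ == "__main__":
    user = "amzn1.ask.account.CONSTRUCTED"
    print(handle_skill_event(make_event("SkillAccountLinked", user,
                                        {"accessToken": "constructed-access-token"})))
    print(handle_skill_event(make_event("SkillDisabled", user)), ACTIVE)
```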

Couchbase lite .net SDK Replication Error

I'm working with the Couchbase Lite .NET SDK, and I got an example from below url.
and my configuration file is like below.
{
"log": ["HTTP+"],
"adminInterface": "0.0.0.0:4985",
"interface": "0.0.0.0:4984",
"databases": {
"db": {
"server": "walrus:data",
"bucket": "todo",
"users": {
"GUEST": {"disabled": false, "admin_channels": ["*"] }
}
}
}
}
when I run the wpf app, I'm getting error like below image.
Please help me, I'm not sure how to implement couchbase sync gateway.
I fixed the issue.
I added the shadow property to the configuration JSON file.
You can read more information from these links.
https://groups.google.com/forum/#!topic/mobile-couchbase/NWd8xqPOjsc
https://github.com/couchbase/sync_gateway/wiki/Bucket-Shadowing
{
"interface": ":4984",
"adminInterface": ":4985",
"log": [ "*" ],
"databases": {
"sync_gateway": {
"server": "walrus:",
"bucket": "sync_gateway",
"users": {
"GUEST": {
"disabled": false,
"admin_channels": [ "*" ]
},
"user": {
"admin_channels": [ "*" ],
"password": "user"
}
},
"sync": `function(doc){ channel(doc.channels); }`,
"shadow": {
"server": "http://couchbase-dev.thisisdmg.com:8091",
"bucket": "sales_agent"
}
}
}
}
