I created an API using Python + FastAPI and deployed it to Google App Engine and I would like to measure the cost for each request made.
I saw there is a header "x-appengine-estimated-cpm-us-dollars" that show up when logged in with the owner account on GAE, but I didn't see it when accessed the API using the browser "https://example.uc.r.appspot.com/api"
Any idea how to can I see this header or a way to get an estimated cost for each request made?
Note: the deployed script is an API, not a website with auth like the one mentioned here (Usage of X-AppEngine-Estimated-CPM-US-Dollars in AppEngine)
According to the documentation:
If you access dynamic pages on your site while signed in using an administrator account, App Engine includes per-request statistics in the response headers
And then shows the description for this particular header, therefore, this is not something that is available for APIs hosted in AppEngine.
You could alternatively use the Cloud Billing API to gather some information, although not exactly the same.
Related
I have an API made with NodeJS (NodeJS v10 + Express v4.16 + Node-Fetch v2.3) and into this API, I have one endpoint that need to consume content from a third-party API/Service via HTTP Request (POST)
The problem is: This third-party API only accepts requests coming from Brazil
In the past, my API was hosted on Digital Ocean, but with this rule I have migrated to GCP (since DO doesn't have hosts in Brazil) and created my App Engine Application under region southamerica-east1 (Sao Paulo/Brazil according with this document)
And yeah... It works on my machine ¯|_(ツ)_/¯
What's happening: Sometimes the requests runs Ok, working fine, but after some version updates (I'm using CI/CD to make de deployment) the requests goes down.
The Question: Exist a way to control my application to only use the hosted region to make the outgoing requests??
PS* I'm not using flex env, purposely to prevent auto-scale (and cost elevation). (I don't know if I'm right about it because I'm new on GCP)
The IPs of Google Cloud Platform share the same geolocation (US) so I would say that it's expected for the requests to fail. You can have a look at this and this questions for more info and potential workarounds.
I'm going to be making queries to Balanced's credit card processing servers using tokens stored in the App Engine datastore. This requires using an API secret string for the queries. If I hardcode the API secret into my app code and disable source downloading by admins, is there any way for a potentially malicious admin (who doesn't know the secret) to find out what the secret is (assuming it's in the code, not the datastore)?
I'm using Google App Engine for Java. The API secret is just a string.
Thanks
If no "potentially malicious" people have access to your source code, it is perfectly safe to include an API secret in your server-side code.
All samples for App Engine to API code include "hardcoded" API/client secrets. For example: here.
I've created the game thru Google Play Developer Console (it is ready for testing, but not published yet).
Two service accounts are added there as testers - myappid#appspot.gserviceaccount.com (Google App Engine service account) and 64436212345-enq9gkd1abcdefghjec2kha39je5ojsc#developer.gserviceaccount.com (manually created service account, it was created before an access to Google Play Game Services API was given). First one is used for production GAE environment, second one is for development environment (run with --appidentity_email_address). Both accounts work well with Google Analytics API.
Now I try to use these accounts to work with Google Play Game Services API.
The following code is used for authorization and works fine:
credentials = AppAssertionCredentials(scope=['https://www.googleapis.com/auth/games', 'https://www.googleapis.com/auth/plus.login'])
http = credentials.authorize(httplib2.Http(memcache))
But I am getting an error when trying to access achievements definition (also tried to get application metadata - got the same issue):
response = service.achievementDefinitions().list().execute()
In development environment I get
<HttpError 404 when requesting https://www.googleapis.com/games/v1/achievements?alt=json returned "The requested application with ID 64436212345 was not found.">
and in production:
<HttpError 500 when requesting https://www.googleapis.com/games/v1/achievements?alt=json returned "">
What is wrong there? Are service accounts supported by Google Play Services API?
Upd. Further analysis showed that 64436212345 is an ID of my GAE application, when an ID of my Google Play application is 760943112345.
So, I went to Google Developer Console for application 760943112345 and added 64436212345-enq9gkd1abcdefghjec2kha39je5ojsc#developer.gserviceaccount.com and myappid#appspot.gserviceaccount.com as the member their. It didn't help.
Then I generated new service account ID there and run GAE locally with this service account. In result, I've started to get
<HttpError 401 when requesting https://www.googleapis.com/games/v1/applications/760943112345?alt=json returned "User has not completed registration.">
Of course, my service account doesn't have Google+ profile.
I am also struggling with service accounts and Google game services, and am stuck at the same point (my service account doesn't have a G+ account).
The only indication I have found in the Google literature (supposedly Updated Jan 22, 2014) says service accounts are not supported:
Warning: Very few Google APIs currently support Service Accounts. Service accounts are >currently supported by the following Google developer services:
Google Cloud Storage
Google Prediction API
Google URL Shortener
Google OAuth 2.0 Authorization Server
Google BigQuery
This is embedded in some google api php client documentation however, so I cannot attest its validity.
Let me know if you have any luck getting this to work and I'll do the same!
Edit: here is the actual answer:
You have to create another API project and link it to your game's project, as explained in Getting Started with the Google Play Games Services Publishing API. The service accounts that you add to your game's project won't work. Also, you have to add this new API project through Google Play Developer Console, and not through Google Developers Console. As far as I remember, you go to the latter to get your key only. This whole situation took me forever to figure out.
I'm keeping the below text for future reference:
Edit: I wrote the answer below, thinking that you did not talk about the Publishing API. But you are, it seems. Or an earlier version of it. I hope the below answer will be useful for people looking to access Management API with a service account:
I struggled with the same and concluded that service accounts do not work with the GPGS Management API, which is the API that deals with achievements and things of that sort. Here are the facts that I used to reach this conclusion:
The only place in GPGS docs that service accounts are mentioned is the Publishing API.
Management API Docs contains descriptions for each function about the authorization requirements such as: "This method is only available to user accounts for your developer console.", while Publishing API Docs have no such descriptions.
The sample app for Management API does not use a service account.
It would be nice if this was a bit clearer in the GPGS docs. The generic Google Cloud docs that they link from GPGS pages made me believe that service accounts would work.
I have a Google App Engine web app that runs the majority of my site. However, for certain functions, I need a linux machine. I would like my Google App Engine app to automatically spin-up a Google Compute Instance on certain events.
I understand that you can add Google Compute instances using the Compute Engine REST API. However, in order to access the Google Compute REST API, you need to get an access token using the OAuth2 authentication process.
How can I programmatically get an access token from within Google App Engine?
It seems that all of the authentication methods require a window to appear so you can type in your username and password, which is impractical from within Google App Engine.
Here is a complete example of using service accounts and App Engine cron tasks to stop instances after they've been running for a while:
(opposite of starting instances, but the authorization code will be the same)
https://github.com/GoogleCloudPlatform/compute-appengine-timeout-python
AppAssertionCredentials handles the access token using this code:
# Obtain App Engine AppAssertion credentials and authorize HTTP connection.
# https://developers.google.com/appengine/docs/python/appidentity/overview
credentials = AppAssertionCredentials(
scope='https://www.googleapis.com/auth/compute')
HTTP = credentials.authorize(httplib2.Http(memcache))
# Build object for the 'v1beta15' version of the GCE API.
# https://developers.google.com/compute/docs/reference/v1beta13/
compute = build('compute', 'v1beta15', http=HTTP)
You should be able to use the service account associated with your project to authenticate to the Compute Engine API and launch VMs.
Documentation on service accounts suggests that the following python code should fetch a service account token.
import httplib2
import discovery
from oauth2client.appengine import AppAssertionCredentials
...
credentials = AppAssertionCredentials(
scope='https://www.googleapis.com/auth/compute')
auth_http = credentials.authorize(httplib2.Http())
compute_service = discovery.build('compute', 'v1beta15', http=auth_http)
I'd thought that the Google I/O demo from this year where they built a video-sharing site was going to be available, but I don't see it on GitHub yet. There are a number of demos that use AppEngine to control GCE, but most of them seem to use the user's project and credentials, rather the app's own credentials.
Obviously, you probably don't want to spin up a VM on direct user input unless you've got a very large budget or some form of rate limiting in place, but it's quite helpful to spin up a VM now and then when you've got a lot of computation to do. (Transcoding, etc.)
I have a website that uses Twitter API. The thing is that site becomes blank once the API limit is reached (I think) and then after a while it starts displaying the results.
I am running on GAE appspot. Because I have the appspot subdomain, does this mean that I can never be blacklisted?
Also what is the use of a Twitter API, when I can directly search Twitter publicly?
No, your application can be blacklisted.
The REST API does account- and
IP-based rate limiting.
You cant even be in their whitelist in this situation (being in Google App Engine), acoording to their documentation:
(...) This works in most situations but for
cloud platforms like Google App
Engine, applications without a static
IP addresses cannot receive Search
whitelisting. (...)
(emphasis is mine)
Read Twitter Rate Limit for complete information about other limits and information.
If your application is being blocked due to exceeding the limit, then you should get a 400 HTTP response code. If you've written your application such that it generates a blank page when it gets an HTTP failure, then you have your answer. (How you check for HTTP errors in your particular development framework is a separate matter.)
You should use the API instead of scraping the public Twitter pages because IP addresses are subject to API rate limiting just like authenticated API accounts. When you authenticate with your account, you're not subject to the IP limit, so other people abusing Twitter from the same IP address (as might happen from a shared server environment like Google's) won't limit your use. This is all explained in the Rate limiting documentation from Twitter.