I am following the documentation here https://cloud.google.com/appengine/docs/managing-costs to disable App Engine using cloud functions when a spending limit is reached.
I want to disable App Engine for all projects associated with the same billing account, which the docs say should work in the following note
Note: The source code assumes that the function you are creating and the app you want to disable are in the same Google Cloud project. If the function and the app are in separate projects, change the source code so APP_NAME identifies the project that contains the app you want to disable.
But I get this error
Error: function terminated. Recommended action: inspect logs for
termination reason. Details: <HttpError 403 when requesting
https://appengine.googleapis.com/v1/apps/other-project?alt=json
returned "The caller does not have permission">
I also verified that I am using the App Engine default service account with Admin role per the docs
Select a service account that has the App Engine Admin role. The App Engine default service account has this role by default.
I modified the example for testing which is basically this
import base64
import json
import os
from googleapiclient import discovery
APP_NAME = os.getenv('GCP_PROJECT')
def limit_use_appengine(data, context):
pubsub_data = base64.b64decode(data['data']).decode('utf-8')
pubsub_json = json.loads(pubsub_data)
cost_amount = pubsub_json['costAmount']
budget_amount = pubsub_json['budgetAmount']
if cost_amount <= budget_amount:
print(f'No action necessary. (Current cost: {cost_amount})')
appengine = discovery.build(
'appengine',
'v1',
cache_discovery=False
)
apps = appengine.apps()
# for testing
display_status(apps, APP_NAME) # works fine
display_status(apps, "billing-account-project-name") # also works fine
display_status(apps, "other-project") # permission error
return
appengine = discovery.build(
'appengine',
'v1',
cache_discovery=False
)
apps = appengine.apps()
check_app(apps, "APP_NAME")
check_app(apps, "other-project")
def check_app(apps, appName):
# Get the target app's serving status
target_app = apps.get(appsId=appName).execute()
current_status = target_app['servingStatus']
# Disable target app, if necessary
if current_status == 'SERVING':
print(f'Attempting to disable app {appName}...')
body = {'servingStatus': 'USER_DISABLED'}
apps.patch(appsId=appName, updateMask='serving_status', body=body).execute()
def display_status(apps, appName):
target_app = apps.get(appsId=appName).execute()
current_status = target_app['servingStatus']
print(f'Serving status for {appName} is {current_status}')
What am I missing?
Service Accounts either inherit permissions or are assigned permission to the project. A billing account does not affect a service account's permissions.
Solution: assign permission in the project for the service account where you are getting the permissions error. If you are using Organizations, assign the permission higher up so that the service account inherits permissions to projects.
Related
Below are my requirements.
Develop a flask app.
Use collections in the firebase in the app.
Deploy this app on Google App Engine using a standard service account
What I have done.
Created a service account
Downloaded the corresponding credentials json; I am calling it as key.json
written a main.py
cred = credentials.Certificate('key.json')
default_app = initialize_app(cred)
db = firestore.client()
user_ref = db.collection_group('Users')
#app.route('/', methods=['GET'])
def home():
return "<h1>Welcome to my first app</h1>"
#app.route('/users', methods=['GET'])
def getUsers():
try:
result = [user.to_dict() for user in user_ref .stream()]
return jsonify(result), 200
except Exception as e:
result = { "message:"failed"}
return jsonify(result), 500
I have tested this locally and also on deployed on Google App Engine.
In both the cases, key.json was in the same directory as the code.
I have verified that if this key.json is modified to store wrong data, then /users endpoint won't work and gives me a 500 error.
So far so good. I want to know if this is even the right approach.
I want the key.json authentication to applied even for the root / endpoint.
i.e., if the user supplies a valid key.json, only then the Welcome to my first app should be displayed.
Else, Unauthorized user message needs to be displayed.
As mentioned by #Gaefan and #DishantMakwana, as well as in this documentation:
An API key only identifies the application and doesn't require user authentication. It is sufficient for accessing public data.
So in order to authenticate/authorize your users you should reconsider your strategy. I would recommend you to follow the instructions in the Authenticating as an end user Documentation.
I have found that we can use Google Cloud Endpoints for API management. Works as a charm.
I'm trying to create a GCP App Engine domain mapping via Terraform with the following configuration:
provider "google" {
version = "3.36.0"
region = var.region
}
resource "google_app_engine_domain_mapping" "domain_mapping" {
project = local.project_id
domain_name = var.domain_name
ssl_settings {
ssl_management_type = "AUTOMATIC"
}
depends_on = [
google_app_engine_application.backend_app
]
}
Terraform is configured to use an organization level service account for the GCP provider with the following IAM permissions (no conditions):
Billing Account User
Project Creator
Service Config Editor (I've added this thinking it would resolve the issue based on this and this doc page.)
The Google account that is the owner of the organization has verified the domain in question, yet I'm getting the following error:
Error: Error creating DomainMapping: googleapi: Error 403: Caller is not authorized to administer the domain 'testing.redacted.com'. If you own 'testing.redacted.com', you can obtain authorization by verifying ownership of the domain, or any of its parent domains, via the Webmaster Central portal: https://www.google.com/webmasters/verification/verification?domain=testing.redacted.com. We recommend verifying ownership of the largest scope you wish to use with subdomains (eg. verify 'example.com' if you wish to map 'subdomain.example.com').
I've also tried adding the service account's email as a user in the Google Search Console to the domain to no avail.
The solution is rather simple but sort of hidden in the docs. You need to add your service account email as owner of the domain.
Go here
Select the property you want
Tap the "Add an owner" button at the bottom of the page and add the email address (e.g. terraform#<PROJECT_ID>.iam.gserviceaccount.com)
I'm trying to setup a google group for marketing purposes, in which when certain users sign up to my application, I send their email to this google group with the following code
# google_admin_apis.py
def add_member(member):
if not member.email:
return False
try:
service = build('admin', 'directory_v1')
except DefaultCredentialsError: # For developers
return False
group_key = 'mygroup#mydomain.com'
body = {
"email": member.email
}
members = service.members()
request = members.insert(groupKey=group_key, body=body)
response = request.execute()
return True
My application is hosted on Google App Engine, so by default ADC will use the default service account when run on the server. I have tried to run this code locally by using gcloud auth application-default-account login and logging in with my G Suite admin account, and also my personal account (both are owners of the GCP project). After this failed, I did some research and realised that to enable OAuth2 to access my G Suite User data (I'm not really accessing anything by inserting a user?!?) I had to 'enable domain wide delegation' on the default service account, so I did this, I then downloaded the service account JSON and attempted to manually authorise with $GOOGLE_APPLICATION_CREDENTIALS, but was still getting a 403. I then went one step further and followed these instructions. Giving my Client ID access to https://www.googleapis.com/auth/admin.directory.group and group.member.
After all this, I still get a 403 error.
With the application-default-credentials I get:
<HttpError 403 when requesting
https://www.googleapis.com/admin/directory/v1/groups/groupKey/members?alt=json
returned "Insufficient Permission">
When using the app engine default service account through .json with either activate-service-account or through the GOOGLE_APPLICATION_CREDENTIALS, I get:
<HttpError 403 when requesting
https://www.googleapis.com/admin/directory/v1/groups/groupKey/members?alt=json
returned "Not Authorized to access this resource/api">
(groupKey intentially censored)
In short, I have an app-engine default service account with domain wide delegation and have given it's client ID access to both roles required for the Directory API's member.insert() function, yet I am still not allowed to call the API as above.
Any help would be greatly appreciated.
I followed this tutorial https://developers.google.com/admin-sdk/directory/v1/quickstart/python to run a similar function locally using Google's google_auth_oauthlib to set up OAuth2 credentials
service = build('admin', 'directory_v1', credentials=creds)
I am using the app.yaml's login: admin in handlers to restrict access to my app only to selected Google accounts (which I can edit in IAM). I'm using the python27 standard environment on GAE.
I would like to use the JSON API my app exposes from another server app (not hosted on GAE). Using a service account looks like a straightforward solution, but I am unable to get the scopes or the request itself right, so the endpoint would see an authenticated Google user.
The service-user currently has Project/Viewer role in the IAM. I tried a few more like AppEngine/Viewer, AppEngine/Admin. I also tried some more scopes.
My test code:
"""Try do do an API request to a deployed app
with the current service account.
https://google-auth.readthedocs.io/en/latest/user-guide.html
"""
import sys
from google.auth.transport.requests import AuthorizedSession
from google.oauth2 import service_account
def main():
if len(sys.argv) < 2:
sys.exit("use: %s url" % sys.argv[0])
credentials = service_account.Credentials.from_service_account_file(
'service-user.json')
scoped_credentials = credentials.with_scopes(
['https://www.googleapis.com/auth/cloud-platform.read-only'])
authed_http = AuthorizedSession(scoped_credentials)
response = authed_http.request('GET', sys.argv[1])
print response.status_code, response.reason
print response.text.encode('utf-8')
if __name__ == '__main__':
main()
There is no error, the request behaves like unauthenticated. I checked the headers on the server, and while requesting from the browser there are several session cookies, the AuthorizedSession request contains single Authorization: Bearer .. header.
Normally the roles you would need is App Engine Admin; it's designed for this purpose. It should also work with the viewer/editor/owner primitive roles. That being said, to make sure it's not a "role" issue, simply give it the project owner role and also the explicit App Engine Admin role and try again. This will eliminate any role-based issue.
Let me know if that works for you.
I'm trying to check if a user is admin of their Google Apps domain, in an app installed from the Google Apps marketplace.
I added this to manifest.xml:
<Scope id="Provisioning API">
<Url>https://apps-apis.google.com/a/feeds/user/#readonly</Url>
<Reason>This application can list domain users to give them permissions.</Reason>
</Scope>
Then I set a test handler to get it working:
from google.appengine.ext import webapp
from google.appengine.ext.webapp import util
import gdata.alt.appengine
import gdata.apps.service
import gdata.auth
# App id, key and secret from the Google Apps Marketplace.
APPLICATION_ID = 'XXX'
CONSUMER_KEY = 'XXX'
CONSUMER_SECRET = 'XXX'
class SetupHandler(webapp.RequestHandler):
def get(self, *args):
# The domain where this app is installed.
domain = 'my_customer_domain.com'
# A username to check.
username = 'webmaster'
sig_method = gdata.auth.OAuthSignatureMethod.HMAC_SHA1
service = gdata.apps.service.AppsService(source='tipfy-com',
domain=domain)
service.SetOAuthInputParameters(sig_method, CONSUMER_KEY,
consumer_secret=CONSUMER_SECRET,
two_legged_oauth=True,
requestor_id=APPLICATION_ID)
service.ssl = True
service.debug = True
gdata.alt.appengine.run_on_appengine(service)
lookup_user = service.RetrieveUser(username)
if lookup_user.login.admin == 'true':
res = username + ' is an admin.'
else:
res = username + ' is not an admin.'
self.response.out.write(res)
app = webapp.WSGIApplication([
('/.*', SetupHandler),
], debug=True)
def main():
util.run_wsgi_app(app)
if __name__ == '__main__':
main()
But I get a 401 response ("Unknown authorization header"). I don't know what I'm doing incorrectly or how to debug it further.
Is the manifest entry correct?
Splitting user.email() is ok to get the user's username and domain? (I debugged it and in my case it was: I got 'webmaster' and 'example.com', which was the user and Google Apps domain where the app was installed).
What am I missing?
Edit: For some reason, the admin panel didn't ask permission to grant access to the provided scopes. After I granted it, the code above worked. So take it as a working example!
You don't have to re-add your app for the scopes work, just make sure in your GoogleApps admin dashboard, on the application settings, you "Grant access" and the Data Access is "Granted". Otherwise just grant that access.
Splitting user.email() works like a charm for me, because user.nickname() in localhost testing contains a full email, not like production (where it contains the username).
Make sure the user requesting is an admin.
I met exactly the same problem, which keep giving me:
Unknown authorization header
Error 401
I'm using the free version of Google Apps, is this might be the root cause of this problem? As i know Provisioning API only supports premium account.
Admin apis [provisioning api etc.] are now available to editions of Google Apps.
http://googleappsdeveloper.blogspot.com/2011/12/more-administrative-apis-now-available.html