I'm using google cloud app engine. I'm trying to programatically create new version of a service in google app engine. I tried creating IAM Service account at https://console.cloud.google.com/iam-admin/serviceaccounts with all the permissions for Google App Engine.
Result:
403 Forbidden
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I couldn't make it work both on googleapis SDK and the online version.
https://developers.google.com/apis-explorer/#p/appengine/v1/appengine.apps.services.versions.create?appsId=default&servicesId=test-11111&_h=14&resource=%257B%250A++%2522id%2522%253A+%252220191003t225144%2522%250A%257D&
tl;dr
What permissions are needed for appengine.apps.services.versions.create endpoint
It looks like you've assigned the correct roles, because all of these roles contain the appengine.versions.create permission:
Owner (roles/owner)
Editor (roles/editor)
App Engine Admin (roles/appengine.appAdmin)
App Engine Deployer (roles/appengine.deployer)
If you've already assigned those Roles to your service account, check your credentials that you're using to make the API call, and make sure you're authenticating with the right service account.
See also:
IAM Permissions Reference
Granting Roles to Service Accounts
Appengine uses the Appengine default service account, just configure your app that way and customize permissions accordingly.
I needed to have all of these 3 scopes to make it work
'https://www.googleapis.com/auth/appengine.admin',
'https://www.googleapis.com/auth/cloud-platform',
'https://www.googleapis.com/auth/cloud-platform.read-only',
Related
I have a Python Streamlit app hosted in GCP via App Engine. Following this tutorial, I added an Idenity-Aware Proxy to secure the app.
The IAP is activated and the OAuth consent screen it set to internal.
In the IAP settings, I added myself and a fellow both with the "IAP-secured Web App User"-role.
While I can access the app after login with my associated google account, he gets and "Error 403: org_internal" error when login within his associated google account.
What I already tried:
Setting the OAuth consent screen to external (test mode) and added both of us
Adding him to our GCP organization
None of both approached worked. He just can't access the app after all.
Any ideas what I am doing wrong?
I need to perform a HTTP request to a site that is hosted In an Azure App Service. This site has Azure Ad authentication enabled. The HTTP request will be performed by a MS flow. I have attempted to use basic authentication, but this fails. I am now looking at an Azure app registration to get access to the site, however I'm having issues with this too. Does anyone have any suggestions on the best approach?
Cheers
According to some test, I reproduced your issue. When you enable authentication of your app service, you need to click "Azure Active Directory" under "Authentication Providers" and register a app in your azure ad(If you do not do any other operation, the name of app registered in ad should be same as you app service. Shown like below screenshot).
Then you can use "Active Directory OAuth" as Authentication type in your "HTTP" action.
You can go to your azure ad and click "App registrations", find the app name in it. And then you can find the "Tenant id", "Client ID". You also need to new a client secret like below screenshot.
The Audience in "HTTP" action also comes from your registration app, the Audience is "Application ID URI" in the page below:
I would like to have an app deployed in App Engine to display information which are stored in BigQuery or Cloud Storage, but only if the user is authenticated in the webapp AND its permissions as set in IAM allow it.
So far, I can authenticate a user in App Engine through "Google Sign-In" as seen in https://cloud.google.com/appengine/docs/standard/python/oauth/, but those credentials don't seem to relate to those that are set in Cloud IAM.
I've seen how to set credentials for App Engine as a whole though a service account, but that seems to wide.
What I really want is to authenticate users on the web app, and then let IAM decide if those users are allowed to access data or not.
How would you proceed to do that?
Thanks for any help
The authenticating as an end user GCP documentation explains how to limit access to the project's resources using Cloud IAM. It also has a short example about authenticating an end user to call the BigQuery API.
I am trying to connect to Google Drive from my App Engine code. But it requires Client code. Google App engine generates Client code (P12 key) only for the service account. But I want it for a technical user we have created.
How can I do that?
If the "technical user" you are referring to is a #gmail account, then your only option is to do the OAUTH dance once to obtain a oauth token and refresh token. You have to create a "Client ID for web application" to do this. Once you have the auth and refresh token, you can connect as your "technical user" to Google drive.
If the "technical user" you are referring to is a Google Apps account, then you can authorize the consumer key/secret related to the service account in the Google Apps control panel with the required Drive scopes. You will have to indicate in the API call what user (i.e. the technical user) you want to impersonate when you connect to Google Drive.
We are using Google AppEngine for my site. Unfortunately I can't seem to get full owner admin access even though I am supposed to be a Super Admin according to my Google account.
When I go to Google Appengine (https://appengine.google.com/permissions....) using my Google account, it indicates I am a "developer". I believe I need full owner access in order to upload ssl certificate for the domain plus add or edit the permission. I've called Google support and they wash their hands saying the above is outside their core knowledge. Any suggestions would be most welcome.
Google Apps admin status does not give you "owner" status on AppEngine. Owner of the AppEngine app has to go to the "Permissions" tab in GAE console and grant you this status.