Google Instance ssh using `gcompute`, different user name - google-app-engine

I am able to connect to my instance using gcloud compute ssh instance-1 --zone us-east1-b.
Once I log-in, I see this: wendy#instance-1. And when I ls, I don't see my files.
If I ssh using the online webpage
I seethe following:
randy#instance-1. And when I ls, I do see my files.
Ok. Both are under the same google email account, and has the same Internal IP: 10.142.0.2
My question is, how do I log-in using gcloud command, into randy#instance-1?

You can also specify a user when using the gcloud compute ssh command:
gcloud compute ssh [USER#]INSTANCE
If you omit a user, the default one will be used, which is from the environment.

Open a command prompt / shell. The execute the following command to list the users that are configured for the CLI:
gcloud auth list
The account that is the current account has the asterisk in the left column. If that is the wrong account, or to just make sure, re-authenticate:
gcloud auth login.
Use the correct credentials to login to Google Accounts.
Now you will be able to gcloud compute ssh and be logged in with the correct user credentials.
I wrote an article on Google account configurations that goes deeper into how multiple credentials are managed by the CLI and SDK.
Understanding Gcloud Configurations

My understanding is that Google automatically creates and adds a user to the newly created VMs using your Gmail name & surname as username in the name_surname format. You can see this in google cloud console -> compute engine -> metadata -> ssh keys
Google manages the private key for this account so I'm not aware of any way of connecting to this account other than the cloud console.
However you can still access to your files after you login with gcloud command. Just do sudo su and you will become root user. Then you can copy files from /home/wendy to /home/randy.

you do have two option
Fisrt is to authenticate with the right user account by running the gcloud command
gcloud auth login
And use the "randy" user account in this case, then use the gcloud command normally to ssh.
gcloud compute ssh instance-1 --zone us-east1-b
Second option is to SSH directly with the appropriate username from this documentation by running the gcloud command below.
gcloud compute ssh [USER#]INSTANCE [--zone=ZONE]
One thing, you could easily recover or copy your files by switching to the root user (you need just to run the command line "sudo su -" or "sudo -i")

If you're already logged in, and maybe don't have the option to choose a username during login (e.g. when using the iOS app), you can also use
sudo su [username]
to switch the username from an existing session.

Related

Deploy or undeploy app as a non-admin user

On Payara v5.184
Is it possible to create a non-admin user in Payara that can manage apps? i.e. a non-admin user foo would be able to run just the below commands:
asadmin undeploy <app>
asadmin deploy <app>
asadmin list-applications
What would be the commands to create foo user and enable the above on this user?
This is currently not possible but there is a request for this feature:
https://github.com/payara/Payara/issues/1600
A possible workaround would be to wrap your adminconsole calls into a bash-script and create a user with the corresponding permission.

Adding multiple accounts for "You do not have permission to modify this app" error

I have two google app engine accounts. One for business and one for personal.
In my GoogleAppEngineLauncher, I have a mix of these app engines on the same computer.
Whenever I want to deploy these apps, I have to go into the terminal and remove my auth tokens using rm ~/.appcfg_oauth2_tokens and then have the browser pop-up and re-sign into my appropriate account.
Is there a way to have multiple tokens so if one doesn't work, it'll try the next so I don't have to keep deleting my tokens and re-signing in?
Would love to have both my accounts listed so I can deploy either of them without much effort.
It's easy managing multiple accounts with the gcloud tool's auth command.
Once installed and set up, you can authenticate with:
gcloud auth login
This can be repeated multiple times for your various accounts.
To see all accounts that have been set up:
gcloud auth list
To select a particuluar account:
gcloud config set account ''ACCOUNT''

Where are the deployment parameters and credentials stored?

I am trying out the tutorial at https://console.cloud.google.com/start/appengine?project=xxxxx.
I am able to launch the app on my machine and browse it at port 8080. However when I click Deploy in the GAE Launcher, the app is deployed to localhost:8080 instead of to Google.
How do I deploy to Google's server?
My developer console is as follows:
I found the cause.
The credentials are stored in the file C:\Users\xxx\.appcfg_oauth2_tokens.
When I did the first deployment attempt, the default browser was already logged into a Google account different from the one that created the app in the Google's developer console, and I absent-mindedly authorized it. As a result, the tokens file contains the wrong credentials.
By deleting the tokens file, I was prompted to log in again and could deploy properly.

How to use Google Drive API from Google App Engine?

I have an app in GAE (Python 2.7), and now need access to Google Drive to display a (shared) list of folders and documents.
Searching usually results in pointers to DrEdit, including App Engine and Google Drive API, which asks the same question but accepts an answer I don't agree with, as DrEdit is an example app for Google Drive, not GAE.
The files list from the Drive API is what I'd like to be able to use from GAE: https://developers.google.com/drive/v2/reference/files/list
Although Google App Engine and Google Drive are both Google products, unfortunately they are not directly linked. Google Drive APIs can be accessed by the google-api-python-client library, which you have to install.
The process can be found at Python Google Drive API Quickstart Guide, and the summarized form is as follows:
On Google's side: Allow Drive API Access for your GAE program
Activate Drive API. Click the Go to credentials button to continue...
Create your consent screen: Setup your OAuth Consent Screen as Google will throw weird errors if this has not been set up:
Click on the OAuth Consent Screen tab
Select an Email address and enter a Product name.
Get credentials:
Click on the Credentials tab
Select Add credentials and then OAuth 2.0 client ID. Choose your application type, and enter the relevant details. You can change them later!
Back on the Credentials tab, download the JSON credentials (all the way to the right in the table, the download button only appears when you hover near it). Rename it client_secret.json and place it in your root code directory. You will need this to request credentials from users.
On your side: Download the google-api-python-client library, unzip it in your code directory and run python setup.py install. This will install the library which holds many Google product's APIs.
Now you are ready to use the Drive API. You can test your access using the sample code. Read it because it's a good guide for writing your own code! If you are accessing user data, you will need to request user credentials when they log in and most probably store them. Then, to use the API, the easiest way would be to get the service object:
import httplib2
from apiclient import discovery
credentials = get_credentials() #Your function to request / access stored credentials
#Authorise access to Drive using the user's credentials
http = credentials.authorise(httplib2.Http())
#The service object is the gateway to your API functions
service = discovery.build('drive', 'v2', http=http)
#Run your requests using the service object. e.g. list first 10 files:
results = service.files().list(maxResults=10).execute()
# ... etc ... Do something with results
Above code snippet is modified from sample code.
The Reference API for Google Drive can be found here.
The same general procedure is required to link GAE to other Google product's APIs as well e.g. Calendar. All the best writing your program!
For future reference (this question is quite old, but it seems like it's still an issue), now the GCP IAM API has an endpoint to get access tokens with arbitrary scopes. I'm understanding this question as a 2-legged OAuth flow (the app has access to its own Drive files), as opposed to a 3-legged OAuth flow (the app is requesting access to the Drive API on behalf of the customer).
That endpoint is used for Service Account delegation, which is a more involved flow.
You can get the right permissions on the Service Account to generate tokens for itself with this command:
gcloud iam service-accounts add-iam-policy-binding $(gcloud config get-value project)#appspot.gserviceaccount.com --member serviceAccount:$(gcloud config get-value project)#appspot.gserviceaccount.com --role roles/iam.serviceAccountTokenCreator
Example
Once the Service Account has the right permissions, you can get a token with the right scopes by first authenticating on the CLI (this step is not required on GAE, since the default service account is already authenticated):
gcloud iam service-accounts keys create key --iam-account $(gcloud config get-value project)#appspot.gserviceaccount.com
gcloud auth activate-service-account $(gcloud config get-value project)#appspot.gserviceaccount.com --key-file key
gcloud config set account $(gcloud config get-value project)#appspot.gserviceaccount.com
Then, you can make the authenticated call to the IAM API to get a token with different scopes:
curl -H"Authorization: Bearer $(gcloud auth print-access-token)" -H'content-type:application/json' https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/$(gcloud config get-value project)#appspot.gserviceaccount.com:generateAccessToken -d"{'scope':['https://www.googleapis.com/auth/drive']}"
With this token, you can directly call the Drive API for files where the default GAE service account () has access:
token=$(curl -H"Authorization: Bearer $(gcloud auth print-access-token)" -H'content-type:application/json' https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/$(gcloud config get-value project)#appspot.gserviceaccount.com:generateAccessToken -d"{'scope':['https://www.googleapis.com/auth/drive']}"|jq -r .accessToken)
curl -H"Authorization: Bearer $token" https://www.googleapis.com/drive/v3/files/<FILE_ID>
To finish, remember to clean up (delete the keys for this example):
gcloud iam service-accounts keys delete $(cat key|jq -r .private_key_id) --iam-account $(cat key|jq -r .client_email) -q
gcloud auth revoke $(gcloud config get-value project)#appspot.gserviceaccount.com
rm key
To make the call to generate the access token from GAE, you can use the Google Cloud Client Libraries. For Python, you would use google.cloud.iam_credentials_v1.IAMCredentialsClient.generate_access_token.
To summarize:
Grant iam.serviceAccountTokenCreator to the GAE default service account
Grant access to that account to the specific drive file
Generate a token with the right scopes from the IAM Credentials API (projects.serviceAccounts/generateAccessToken)
Make the authenticated call to the Drive API using that token
For best results, generate the token during initialization, cache it, and re-create it every hour (1 hour is the max TTL for those generated access tokens).

Deploy to appengine with trusted connection?

Is it possible to deploy an app to google appengine without it asking everytime for email/password, with a schema like the used by ssh trusted connection (using stored secure keys)?
This is kind of what I was looking for:
https://developers.google.com/appengine/docs/python/tools/uploadinganapp#oauth
basically, you add this parameter to the command line:
appcfg.py --oauth2 update myapp/
and it redirects to a browser, you authenticate there and it stores a token so you don't need to login each time

Resources