gcloud app ssl cert update failing with PERMISSION_DENIED - google-app-engine

I am trying to update a SSL certificate for a Google App Engine project via CLI:
gcloud app ssl-certificates update NNNN --project XXX --configuration XXX --display-name=xxx.co.za --certificate=./fullchain.pem --private-key=./privkey_gae.pem
This command used to work previously but I am now getting the following error:
ERROR: (gcloud.app.ssl-certificates.update) PERMISSION_DENIED: Caller is not authorized to administer this certificate. You must be a verified owner of the certificate's domain(s) [xxx.co.za, *.xxx.co.za] to create, modify, or delete this resource. Your authorized domain(s) are []. If you own the certificate domain(s), you can obtain authorization by verifying ownership via the Webmaster Central portal: https://www.google.com/webmasters/verification/verification.
This error does not make sense as the domains are verified according to the URL (as they are also the custom domain used by the app itself). Also this was working just last month, so it seems that something changed?

I found the issue. Domains are verified by an IAM user, but I use a different IAM/Service-account for the CI/CD server.
It seems that the security around accessing verified domains has changed, in that the Service-account will not automatically have access to the verified domains, even though the App does.
I was able to fix this issue by adding the service-account (jenkins#XXX-ci.iam.gserviceaccount.com) as verified owner here: https://www.google.com/webmasters/verification/verification

Related

Azure Active Directory B2C AADB2C90051: No suitable claims providers were found

I have created custom policies with SSO and account migration (you can view them on GitHub here, Note: I removed/edited values for security reasons). I want users to be able to sign in with a social provider OR local account for the first time. I will then migrate their account from the legacy identity provider to AAD B2C. The following goes wrong at the moment though.
The biggest problem is when the account is migrated and the user can sign in, then when trying to link social accounts, I get the following error.
AADB2C90051: No suitable claims providers were found.
Correlation ID: 4491cd4a-2f98-4a86-8d65-da3f7f26e890
Timestamp: 2022-11-20 10:38:05Z
The weird thing is, if I first sign-in using Google or Facebook (which then migrates the account) then sign-in with Microsoft or the local account, it will work. But when first signing in with either Microsoft or a local account, I get the error.
I've seen this and other posts but cannot find what I am missing. I know the policies are very big, so to start, look in CUSTOM_USERJOURNEY.xml for ProvisionOrSignInNewSocialAccount on GitHub.
By default, the hasPassword property doesn't exist by for existing local B2C user profiles. It is introduced by the linking Custom Policy. You will need to manually (or by script) add value true for that property, and it will start working.
You can use Graph API to add value, so basically PATCH to user endpoint:
PATCH /v1.0/users/12bda93c-f782-431c-b962-52c5304c0668 HTTP/1.1
Host: graph.microsoft.com
Content-Type: application/json
Authorization: Bearer eyJ0...
{
"extension_67a963aa6ce74511923b85511f0f8dad_hasPassword" : true
}
See here for full discussion: https://bytemeta.vip/repo/azure-ad-b2c/samples/issues/430
Slightly related to this question, but scenario is different: AAD-FindLocalAccountWithSocialEmail produces No suitable claims providers were found

How to set up access to Azure blob storage from React app (deployed in Azure web app) with credentials from browser?

I got stuck on trying to access Azure blob storage from React app (thus from browser) with credentials.
And firstly I want to admit, that I am newbie in Azure, so maybe I misunderstood some basic concepts...
My current situation and goal:
I am developing React app (lets say MyReactApp). This app uses some files from Azure blob storage (lets say MyBlobStorage) -> it reads, creates and deletes blobs.
I started to develop it on my local and for this dev purpose I was connecting to MyBlobStorage with SAS - this worked perfectly.
MyReactApp is browser only, so it does not have any backend.
After finishing local development, I deployed it as Azure web app with SAS. What have I done:
created App service (lets say MyAppService)
register app in Azure Active Directory and use it as Identity Provider in MyAppService
After this the app works from Azure url perfectly too.
But my app on Azure should fulfill 2 conditions:
User has to log in with AAD account before access to MyReactApp
App itself must get rid of SAS (because it is not secure as it can be obtained from browser) and use some Azure credentials to connect to Azure blob storage
First condition - user log in:
I enabled "easy" logging in MyAppService -> Authentication and chose users, who can have access.
in Authentication section of app in AAD I set up Web type Redirect Uri as /.auth/login/aad/callback
Still everything works great - the user, who is assigned to the app, can log in and work with the app - so far so good, but now the problem comes
Second condition - I wanted to get rid of the SAS to access MyBlobStorage and use DefaultAzureCredentials:
I turned on managed identity for MyAppService and add it as Storage Blob Data Contributor for MyBlobStorage
I obtained user_impersonation and User.Read Api permissions for my app
I removed SAS and tried to add DefaultAzureCredentials to my code -> but it seems, that they can't be used in browser and only option is InteractiveBrowserCredentails
so I tried to use InteractiveBrowserCredentails like this:
this.interactiveBrowserCredential = new InteractiveBrowserCredential({
tenantId: "<appTenant>", // got from app registration on AAD
clientId: "<appClient>", // got from app registration on AAD
redirectUri: <MyAppServiceURi>/.auth/login/aad/callback // the same as in Azure AAD app,
});
this.blobSC = new BlobServiceClient(Constants.STORAGE_PATH, this.interactiveBrowserCredential);
My current result:
This shows login popup after getting to the page and after another signing in it results in error:
AADSTS9002326: Cross-origin token redemption is permitted only for the
'Single-Page Application' client-type.
I googled it of course and according to some answers I tried to change the Web type of redirect URI to SPA.
I tried it, but some other error showed up:
AADSTS9002325: Proof Key for Code Exchange is required for
cross-origin authorization code redemption.
Surprisingly this should be solved by changing from SPA to Web type...:) So I am trapped...
My expected result
In ideal world, I want to connect MyReactApp to MyBlobStorage without popup and with some secret credentials, just to say something like this.blobSC = new BlobServiceClient(Constants.STORAGE_PATH, credentials);
and be able to work with blobs.
Is it possible to access blob storage from browser without errors of course and ideally without popup, which needs another log in for user?
My complementary questions
Can I use somehow the logging info from the user (from his "easy" AAD logging)? I can get his info with GET call to /.auth/me, maybe it can be utilized, so I can use his info to access the blobs?
The solution should be working on localhost too (I tried to add http://localhost:3000/ to redirect uri, but without success), can it be done?
Thank you all, who read the whole story!

How to use Terraform `google_app_engine_domain_mapping` with service account?

I'm trying to create a GCP App Engine domain mapping via Terraform with the following configuration:
provider "google" {
version = "3.36.0"
region = var.region
}
resource "google_app_engine_domain_mapping" "domain_mapping" {
project = local.project_id
domain_name = var.domain_name
ssl_settings {
ssl_management_type = "AUTOMATIC"
}
depends_on = [
google_app_engine_application.backend_app
]
}
Terraform is configured to use an organization level service account for the GCP provider with the following IAM permissions (no conditions):
Billing Account User
Project Creator
Service Config Editor (I've added this thinking it would resolve the issue based on this and this doc page.)
The Google account that is the owner of the organization has verified the domain in question, yet I'm getting the following error:
Error: Error creating DomainMapping: googleapi: Error 403: Caller is not authorized to administer the domain 'testing.redacted.com'. If you own 'testing.redacted.com', you can obtain authorization by verifying ownership of the domain, or any of its parent domains, via the Webmaster Central portal: https://www.google.com/webmasters/verification/verification?domain=testing.redacted.com. We recommend verifying ownership of the largest scope you wish to use with subdomains (eg. verify 'example.com' if you wish to map 'subdomain.example.com').
I've also tried adding the service account's email as a user in the Google Search Console to the domain to no avail.
The solution is rather simple but sort of hidden in the docs. You need to add your service account email as owner of the domain.
Go here
Select the property you want
Tap the "Add an owner" button at the bottom of the page and add the email address (e.g. terraform#<PROJECT_ID>.iam.gserviceaccount.com)

Allowing access to the Google Admin SDK Directory API in Python

I'm trying to setup a google group for marketing purposes, in which when certain users sign up to my application, I send their email to this google group with the following code
# google_admin_apis.py
def add_member(member):
if not member.email:
return False
try:
service = build('admin', 'directory_v1')
except DefaultCredentialsError: # For developers
return False
group_key = 'mygroup#mydomain.com'
body = {
"email": member.email
}
members = service.members()
request = members.insert(groupKey=group_key, body=body)
response = request.execute()
return True
My application is hosted on Google App Engine, so by default ADC will use the default service account when run on the server. I have tried to run this code locally by using gcloud auth application-default-account login and logging in with my G Suite admin account, and also my personal account (both are owners of the GCP project). After this failed, I did some research and realised that to enable OAuth2 to access my G Suite User data (I'm not really accessing anything by inserting a user?!?) I had to 'enable domain wide delegation' on the default service account, so I did this, I then downloaded the service account JSON and attempted to manually authorise with $GOOGLE_APPLICATION_CREDENTIALS, but was still getting a 403. I then went one step further and followed these instructions. Giving my Client ID access to https://www.googleapis.com/auth/admin.directory.group and group.member.
After all this, I still get a 403 error.
With the application-default-credentials I get:
<HttpError 403 when requesting
https://www.googleapis.com/admin/directory/v1/groups/groupKey/members?alt=json
returned "Insufficient Permission">
When using the app engine default service account through .json with either activate-service-account or through the GOOGLE_APPLICATION_CREDENTIALS, I get:
<HttpError 403 when requesting
https://www.googleapis.com/admin/directory/v1/groups/groupKey/members?alt=json
returned "Not Authorized to access this resource/api">
(groupKey intentially censored)
In short, I have an app-engine default service account with domain wide delegation and have given it's client ID access to both roles required for the Directory API's member.insert() function, yet I am still not allowed to call the API as above.
Any help would be greatly appreciated.
I followed this tutorial https://developers.google.com/admin-sdk/directory/v1/quickstart/python to run a similar function locally using Google's google_auth_oauthlib to set up OAuth2 credentials
service = build('admin', 'directory_v1', credentials=creds)

AppEngine domain ownership failing

Trying to upload a ssl certificate and private key file through the console and using sdk returns with the error message that i am not the administrator/owner for the domain(s), even though i have verified the domain(s) using webmaster and the owned websites are listed in the response.
gcloud app ssl-certificates create --certificate=tls.crt --display-name=harambee --private-key=tls.key
ERROR: (gcloud.app.ssl-certificates.create) User [yournamehere#harambeecloud.com] does not have permission to access app [app-project-id] (or it may not exist): Caller is not authorized to administer this certificate. You must be a verified owner of the certificate's domain(s) [www.harambee.mobi, www.harambee.co.za, harambee.co.za, www.vulindlelejozi.mobi, vulindlelejozi.co.za] to create, modify, or delete this resource. Your authorized domain(s) are [harambeecloud.com, harambee.mobi, harambee.co.za]. If you own the certificate domain(s), you can obtain authorization by verifying ownership via the Webmaster Central portal: https://www.google.com/webmasters/verification/verification.

Resources