Authorize requests to app engine app with a service account - google-app-engine

I am using the app.yaml's login: admin in handlers to restrict access to my app only to selected Google accounts (which I can edit in IAM). I'm using the python27 standard environment on GAE.
I would like to use the JSON API my app exposes from another server app (not hosted on GAE). Using a service account looks like a straightforward solution, but I am unable to get the scopes or the request itself right, so the endpoint would see an authenticated Google user.
The service-user currently has Project/Viewer role in the IAM. I tried a few more like AppEngine/Viewer, AppEngine/Admin. I also tried some more scopes.
My test code:
"""Try do do an API request to a deployed app
with the current service account.
https://google-auth.readthedocs.io/en/latest/user-guide.html
"""
import sys
from google.auth.transport.requests import AuthorizedSession
from google.oauth2 import service_account
def main():
if len(sys.argv) < 2:
sys.exit("use: %s url" % sys.argv[0])
credentials = service_account.Credentials.from_service_account_file(
'service-user.json')
scoped_credentials = credentials.with_scopes(
['https://www.googleapis.com/auth/cloud-platform.read-only'])
authed_http = AuthorizedSession(scoped_credentials)
response = authed_http.request('GET', sys.argv[1])
print response.status_code, response.reason
print response.text.encode('utf-8')
if __name__ == '__main__':
main()
There is no error, the request behaves like unauthenticated. I checked the headers on the server, and while requesting from the browser there are several session cookies, the AuthorizedSession request contains single Authorization: Bearer .. header.

Normally the roles you would need is App Engine Admin; it's designed for this purpose. It should also work with the viewer/editor/owner primitive roles. That being said, to make sure it's not a "role" issue, simply give it the project owner role and also the explicit App Engine Admin role and try again. This will eliminate any role-based issue.
Let me know if that works for you.

Related

Service to service requests on App Engine with IAP

I'm using Google App Engine to host a couple of services (a NextJS SSR service and a backend API built on Express). I've setup my dispatch.yaml file to route /api/* requests to my API service and all other requests get routed to the default (NextJS) service.
dispatch:
- url: '*/api/*'
service: api
The problem: I've also turned on Identity-Aware Proxy for App Engine. When I try to make a GET request from my NextJS service to my API (server-side, via getServerSideProps) it triggers the IAP sign-in page again instead of hitting my API. I've tried out a few ideas to resolve this:
Forwarding all cookies in the API request
Setting the X-Requested-With header as mentioned here
Giving IAP-secured Web App User permissions to my App Engine default service account
But nothing seems to work. I've confirmed that turning off IAP for App Engine allows everything to function as expected. Any requests to the API from the frontend also work as expected. Is there a solution I'm missing or a workaround for this?
You need to perform a service to service call. That's no so simple and you have not really example for that. Anyway I tested (in Go) and it worked.
Firstly, based your development on the Cloud Run Service to Service documentation page.
You will have this piece of code in NodeJS sorry, I'm not a NodeJS developer and far least a NexJS developer, you will have to adapt
// Make sure to `npm install --save request-promise` or add the dependency to your package.json
const request = require('request-promise');
const receivingServiceURL = ...
// Set up metadata server request
// See https://cloud.google.com/compute/docs/instances/verifying-instance-identity#request_signature
const metadataServerTokenURL = 'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=';
const tokenRequestOptions = {
uri: metadataServerTokenURL + receivingServiceURL,
headers: {
'Metadata-Flavor': 'Google'
}
};
// Fetch the token, then provide the token in the request to the receiving service
request(tokenRequestOptions)
.then((token) => {
return request(receivingServiceURL).auth(null, null, true, token)
})
.then((response) => {
res.status(200).send(response);
})
.catch((error) => {
res.status(400).send(error);
});
This example won't work because you need the correct audience. Here, the variable is receivingServiceURL. It's correct for Cloud Run (and Cloud Functions) but not for App Engine behind IAP. You need to use the Client ID of the OAuth2 credential named IAP-App-Engine-app
Ok, hard to understand what I'm talking about. So, go to the console, API & Services -> Creentials. From there, you have a OAuth2 Client ID section. copy the Client ID column of the line IAP-App-Engine-app, like that
Final point, be sure that your App Engine default service account has the authorization to access to IAP. And add it as IAP-secured Web App User. The service account has this format <PROJECT_ID>#appspot.gserviceaccount.com
Not really clear also. So, go to the IAP page (Security -> Identity Aware Proxy), click on the check box in front of App Engine and go the right side of the page, in the permission panel
In the same time, I can explain how to deactivate IAP on a specific service (as proposed by NoCommandLine). Just a remark: deactivate security when you have trouble with it is never a good idea!!
Technically, you can't deactive IAP on a service. But you can grant allUsers as IAP-secured Web App User on a specific service (instead of clicking on the checkbox of App Engine, click on the checkbox of a specific service). And like that, even with IAP you authorized all users to access to your service. it's an activation without checks in fact.

Authentication using Google Service Account in a flask app and deploying on Google App Engine

Below are my requirements.
Develop a flask app.
Use collections in the firebase in the app.
Deploy this app on Google App Engine using a standard service account
What I have done.
Created a service account
Downloaded the corresponding credentials json; I am calling it as key.json
written a main.py
cred = credentials.Certificate('key.json')
default_app = initialize_app(cred)
db = firestore.client()
user_ref = db.collection_group('Users')
#app.route('/', methods=['GET'])
def home():
return "<h1>Welcome to my first app</h1>"
#app.route('/users', methods=['GET'])
def getUsers():
try:
result = [user.to_dict() for user in user_ref .stream()]
return jsonify(result), 200
except Exception as e:
result = { "message:"failed"}
return jsonify(result), 500
I have tested this locally and also on deployed on Google App Engine.
In both the cases, key.json was in the same directory as the code.
I have verified that if this key.json is modified to store wrong data, then /users endpoint won't work and gives me a 500 error.
So far so good. I want to know if this is even the right approach.
I want the key.json authentication to applied even for the root / endpoint.
i.e., if the user supplies a valid key.json, only then the Welcome to my first app should be displayed.
Else, Unauthorized user message needs to be displayed.
As mentioned by #Gaefan and #DishantMakwana, as well as in this documentation:
An API key only identifies the application and doesn't require user authentication. It is sufficient for accessing public data.
So in order to authenticate/authorize your users you should reconsider your strategy. I would recommend you to follow the instructions in the Authenticating as an end user Documentation.
I have found that we can use Google Cloud Endpoints for API management. Works as a charm.

Allowing access to the Google Admin SDK Directory API in Python

I'm trying to setup a google group for marketing purposes, in which when certain users sign up to my application, I send their email to this google group with the following code
# google_admin_apis.py
def add_member(member):
if not member.email:
return False
try:
service = build('admin', 'directory_v1')
except DefaultCredentialsError: # For developers
return False
group_key = 'mygroup#mydomain.com'
body = {
"email": member.email
}
members = service.members()
request = members.insert(groupKey=group_key, body=body)
response = request.execute()
return True
My application is hosted on Google App Engine, so by default ADC will use the default service account when run on the server. I have tried to run this code locally by using gcloud auth application-default-account login and logging in with my G Suite admin account, and also my personal account (both are owners of the GCP project). After this failed, I did some research and realised that to enable OAuth2 to access my G Suite User data (I'm not really accessing anything by inserting a user?!?) I had to 'enable domain wide delegation' on the default service account, so I did this, I then downloaded the service account JSON and attempted to manually authorise with $GOOGLE_APPLICATION_CREDENTIALS, but was still getting a 403. I then went one step further and followed these instructions. Giving my Client ID access to https://www.googleapis.com/auth/admin.directory.group and group.member.
After all this, I still get a 403 error.
With the application-default-credentials I get:
<HttpError 403 when requesting
https://www.googleapis.com/admin/directory/v1/groups/groupKey/members?alt=json
returned "Insufficient Permission">
When using the app engine default service account through .json with either activate-service-account or through the GOOGLE_APPLICATION_CREDENTIALS, I get:
<HttpError 403 when requesting
https://www.googleapis.com/admin/directory/v1/groups/groupKey/members?alt=json
returned "Not Authorized to access this resource/api">
(groupKey intentially censored)
In short, I have an app-engine default service account with domain wide delegation and have given it's client ID access to both roles required for the Directory API's member.insert() function, yet I am still not allowed to call the API as above.
Any help would be greatly appreciated.
I followed this tutorial https://developers.google.com/admin-sdk/directory/v1/quickstart/python to run a similar function locally using Google's google_auth_oauthlib to set up OAuth2 credentials
service = build('admin', 'directory_v1', credentials=creds)

Google Directory API always return 403 when using OAuth2.0 even after user consent

I am working on a web app and struggling with Google Directory API.
The app is trying to get the list of the google groups user belongs to with the simple code as following:
from apiclient import discovery
from google.appengine.api import users
from oauth2client.appengine import OAuth2DecoratorFromClientSecrets
def decorator():
....(some scopes including admin.directory.group)
return decorator
class MainHandler(webapp2.RequestHandler):
#decorator.oauth_required
def get(self):
me = users.get_current_user()
http = oauth_decorator.http()
service = discovery.build('admin', 'directory_v1', http=http)
grouplist = service.groups().list(userKey=me).execute()
....
This results in 403 Not Authorized to access this resource while Admin SDK is enabled. There are a lot of questions report similar problems but the major difference is I am trying to use OAuth2.0 instead of using service account, which means the user need explicitly consent and grant the authority I ask for.
So my guessing is for some reason, the request is not with the proper user authorization code, but I have no idea how I can prove my suspicion and how I can make it work. Any suggestions? Much thanks in advance!
I contacted Google and it turns out to be that I need to be domain administrator in order to use ANY Admin APIs listed.
Not quite feasible in my case, so I am trying to find ways around.
Since there is a scope defined for each API, the admin will need to grant a consent for it at the time of token generation. If you are using OAuth2.0, once you generate a refresh token, you are good to go.

Marketplace app + Provisioning API: check if user is admin

I'm trying to check if a user is admin of their Google Apps domain, in an app installed from the Google Apps marketplace.
I added this to manifest.xml:
<Scope id="Provisioning API">
<Url>https://apps-apis.google.com/a/feeds/user/#readonly</Url>
<Reason>This application can list domain users to give them permissions.</Reason>
</Scope>
Then I set a test handler to get it working:
from google.appengine.ext import webapp
from google.appengine.ext.webapp import util
import gdata.alt.appengine
import gdata.apps.service
import gdata.auth
# App id, key and secret from the Google Apps Marketplace.
APPLICATION_ID = 'XXX'
CONSUMER_KEY = 'XXX'
CONSUMER_SECRET = 'XXX'
class SetupHandler(webapp.RequestHandler):
def get(self, *args):
# The domain where this app is installed.
domain = 'my_customer_domain.com'
# A username to check.
username = 'webmaster'
sig_method = gdata.auth.OAuthSignatureMethod.HMAC_SHA1
service = gdata.apps.service.AppsService(source='tipfy-com',
domain=domain)
service.SetOAuthInputParameters(sig_method, CONSUMER_KEY,
consumer_secret=CONSUMER_SECRET,
two_legged_oauth=True,
requestor_id=APPLICATION_ID)
service.ssl = True
service.debug = True
gdata.alt.appengine.run_on_appengine(service)
lookup_user = service.RetrieveUser(username)
if lookup_user.login.admin == 'true':
res = username + ' is an admin.'
else:
res = username + ' is not an admin.'
self.response.out.write(res)
app = webapp.WSGIApplication([
('/.*', SetupHandler),
], debug=True)
def main():
util.run_wsgi_app(app)
if __name__ == '__main__':
main()
But I get a 401 response ("Unknown authorization header"). I don't know what I'm doing incorrectly or how to debug it further.
Is the manifest entry correct?
Splitting user.email() is ok to get the user's username and domain? (I debugged it and in my case it was: I got 'webmaster' and 'example.com', which was the user and Google Apps domain where the app was installed).
What am I missing?
Edit: For some reason, the admin panel didn't ask permission to grant access to the provided scopes. After I granted it, the code above worked. So take it as a working example!
You don't have to re-add your app for the scopes work, just make sure in your GoogleApps admin dashboard, on the application settings, you "Grant access" and the Data Access is "Granted". Otherwise just grant that access.
Splitting user.email() works like a charm for me, because user.nickname() in localhost testing contains a full email, not like production (where it contains the username).
Make sure the user requesting is an admin.
I met exactly the same problem, which keep giving me:
Unknown authorization header
Error 401
I'm using the free version of Google Apps, is this might be the root cause of this problem? As i know Provisioning API only supports premium account.
Admin apis [provisioning api etc.] are now available to editions of Google Apps.
http://googleappsdeveloper.blogspot.com/2011/12/more-administrative-apis-now-available.html

Resources