In the commercetools JVM SDK class SphereClient there is no way to access the access token of the client. How can I achieve this?
No, it is not possible, but you can use the class TokensFacade to obtain another, freshly generated access token.
Related
I have a service in Google Cloud App engine, which is behind IAP.
It is accessible only to users within my organisation.
I need to make a few endpoints of this service accessible for all users.
Is it possible to achieve?
I have found an instruction, which says that it is possible, but it also says: The allUsers and allAuthenticatedUsers values are unsupported member types in a conditional role binding. If you specify one of these member types, the setIamPolicy operation will fail.
Which is not clear for me and a bit confusing.
A small example:
My service has a URL https://google-cloud-app-engine-service.com
And I want to make only one endpoint of this service available to everyone:
https://google-cloud-app-engine-service.com/public_endpoint.
Thank you!
You can't whitelist a URL path with IAP. The finest grain is the service. I mean, you can activate IAP on AppEngine. Then, for the service that you want, you can select it, go to the info panel and add allUsers or allAuthenticatedUsers with the role IAP-secured web app user.
You have several alternatives
Manage the security by yourselves and don't use IAP (which is not a good idea)
Use Cloud Endpoint in front of your AppEngine. I wrote an article on this for securing with APIKey, but you can change the security definition if you want. The problem is that you have to define all your API in the Cloud Endpoint, and you have an additional component in your stack.
Use 2 services (if possible). Set one public and the other protected by IAP.
As #guillaume-blaquiere suggested in his answer, I split my App Engine service into two independent services and made the first one only accessible from within my organization and the second one to everyone using IAP.
I have an API that a user can query for data after that user authenticates against an OAuth2 provider that I maintain (i.e. not Google). Is it possible to expose data through this API to Google's Data Studio using a Community Connector? If yes, is it possible to use the setup outlined here https://github.com/gsuitedevs/apps-script-oauth2#setup against a non-Google OAuth2 provider? Thank you for your help!
I have not found any requisite to expose data through an API. So I expect that it is possible, but take into account the specific configuration requested when implementing it.
The setup outlined there is not official, so you will need to test it unless someone has done it already or has enough time for it. The post is really detailed and has work behind it, so I would give it a chance!
I'm wondering if I can configure a GAE Flexible "service" to use a specific service account ID instead of the default service account ID, which all services run as.
Why? I want to isolate each service's permissions, but also simplify the service code by allowing it to still use the Application Default credentials method of calling Google APIs.
Is there an app.yaml configuration/environment variable where I can control this?
I didn't see the answer here https://cloud.google.com/appengine/docs/flexible/java/migrating
or
https://cloud.google.com/appengine/docs/flexible/java/authorizing-apps
I also found this https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#using which tells me how to do what I want at the compute engine level, but I don't see how to apply it at the GAE Flex managed level.
If this is not possible, what is the next best alternative?
This isn't possible at the moment. The best way to go forward with this would be to open a feature request here.
I have a google app engine application which needs to be given a public-private key pair. I don't want to check this into source control because it will be accessible by too many people. Since this is GAE I can't use the build system to write the keys to the file system of the server.
Is there a known best practice for this?
My first thought was does Jenkins provide a way to manage keys securely? I know I can just copy the keys to a location on the jenkins server and copy them into the build but this project will be used by third party teams so I need to provide a UI based solution in jenkins. I did not find any relevant plugin but I would like to make sure there isn't a better way before writing my own.
There are of course several approaches to this. I believe certificates are a concern of admins, not developers.
What we do is have custom admin pages where we upload certificates to blobstore under separate namespace. Then we have an internal "service" (just a simple factory) so that other pieces of code can retrieve certs.
If you are happy to use a cloud based Jenkins, we (CloudBees) have an oauth based solution at appengine.cloudbees.com
You could roll your own. It is not excessively tricky. You will need to
Register with google's api console to get a client key and secret and define the endpoints that your app will show up as
Write some way of feeding those credentials to your Jenkins build. I would recommend using the credentials plugin.
Either write a build wrapper that exposes the refresh token to your build (python sdk deployment) or exposes the access token (java sdk... Got to love that the two sdks do the same thing in different ways)
Or use our free service ;-)
If I want to deploy anything on Google Apps, I'll have to create an application in Google App Engine, is that right? Is there a way to use FTP like in other web hosting services?
If I have myapp in GAE, and I already let myownsite.com to use this app. But I don't want anyone else to use this app on myapp.appspot.com, how can I do it?
Thanks in advance!
Perhaps not the best solution, but you can use self.request.headers["HOST"] in your handler to see which domain the request was requested to and redirect the user based on that.
You will need to upload your application. There is no FTP access for that as far as I know, but the GAE SDK contains a commandline tool to do that. You can also do it from IDE.
There is always an associated myapp.appspot.com domain with your application, so no one will take it. But you can also use your own domain (but not for SSL!). But you cannot also block access through myapp.appspot.com, but in Java you can create a filter that will redirect all requests to your custom domain. And keep in mind you cannot use naked domains (without www) in GAE.
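The Host-header check and redirect suggested in the two answers above, written as a WSGI middleware so it covers every handler; this is an added example, not code from either answer. The canonical host `www.myownsite.com`, the `https` default scheme and the `probe` helper are assumptions made for illustration.

```python
from urllib.parse import quote

CANONICAL_HOST = "www.myownsite.com"  # assumption: the custom domain, with www


class CanonicalHostMiddleware:
    """Redirect every request that was not addressed to the canonical host."""

    def __init__(self, app, canonical_host=CANONICAL_HOST, scheme="https"):
        self.app = app
        self.canonical_host = canonical_host.lower()
        self.scheme = scheme  # assumption: set to "http" if the domain has no TLS

    def __call__(self, environ, start_response):
        # Host is client-controlled: normalise it, compare it, never echo it.
        host = environ.get("HTTP_HOST", "").rsplit(":", 1)[0].rstrip(".").lower()
        if host == self.canonical_host:
            return self.app(environ, start_response)
        # Location is built from configuration plus the request path and query,
        # so a forged Host value cannot choose the redirect target.
        path = quote(environ.get("PATH_INFO") or "/", safe="/", encoding="latin-1")
        query = environ.get("QUERY_STRING", "")
        location = "%s://%s%s" % (self.scheme, self.canonical_host, path)
        if query:
            location += "?" + query
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]


def probe(host, path="/", query=""):
    """Send one constructed request through the middleware.

    Returns (status, Location header or None).
    """
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    def app(environ, start_response):  # stand-in for the real application
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    environ = {"HTTP_HOST": host, "PATH_INFO": path, "QUERY_STRING": query}
    list(CanonicalHostMiddleware(app)(environ, start_response))
    return seen["status"], seen["headers"].get("Location")
```

Requests to `myapp.appspot.com` still reach the application instance, so this moves users to the custom domain but is not an access control.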