How do I send email from a domain account when the domain was added using the NEW console on App Engine? - google-app-engine

Here's the situation: I have successfully set up email to come from a custom domain on App Engine before, but that was always done through the Google Apps for Business setup process. This time I have added the custom domain through the new developers console instead (https://console.developers.google.com/project/[APP_ID]/appengine/settings/domains) and now I'm getting the "unauthorized sender" error every time.
I've tried a lot of variations on the setup process, checked for typos or other potential bugs repeatedly, and scoured both the docs and Stack Overflow without finding an answer. Most of the docs and answers that come up seem woefully out of date. The docs hardly ever reference the new developer console or the fact that Google Apps for Business doesn't have a free tier any more. And most of the answers seem to ignore the fact that the docs (https://cloud.google.com/appengine/docs/python/mail/sendingmail) explicitly state that "Domain accounts do not need to be explicitly verified, since you will have verified the domain during the registration process."
So has anyone actually gotten domain accounts to work with the new process? Do I have to modify DNS records? DKIM? Something else I'm missing? Any insight would be much appreciated.

As stated in the docs:
For security purposes, the sender address of a message must be the
email address of an administrator for the application or any valid
email receiving address for the app (see Receiving Mail). The sender
can also be the Google Account email address of the current user who
is signed in, if the user's account is a Gmail account or is on a
domain managed by Google Apps.
So only logged-in Google accounts or admin (owners in the new console) addresses can be used to send emails through GAE. If you want to use a set of custom domain addresses you can either:
1) Add and validate all those addresses as owners in the project's "permissions" settings.
2) Use an external party to send your emails through a Web API, e.g. SendGrid, which gives you 25.000 emails/month for free for GAE developers (https://cloud.google.com/appengine/docs/python/mail/sendgrid)

Related

Google MBA Service Account get all locations

My company owns several (verified) facilities and using my company's email I can see those locations (business.google.com).
Now, my company would like to fetch the reviews for each location and present them on our company website. Before, we were using the Google Place API, but since it only returns the latest 5 reviews we opted to use the Google My Business API to retrieve a location's complete reviews. We'd like our backend (PHP) to retrieve the reviews, so using the same email I created a service account (console.developers.google.com/apis/credentials) because we don't need the end user to allow/interact with anything when browsing our website.
Using postman (with my signed JWT) I have managed to get a valid access token
...that I use to retrieve the lists of accounts (mybusinessaccountmanagement.googleapis.com/v1/accounts) I could see the service account itself alone in the response.
Now, I tried calling the account locations API (mybusiness.googleapis.com/v4/accounts/{MY_ACCOUNT_ID_HERE}/locations) but it only returns an empty object response.
Can someone help me resolve this issue? Why can't my service account see the verified locations under my company's email? Is this even possible? Thank you.
Even though this is an older question, I ran into the same issue calling the new Google My Business Information v1 API (getting empty results) using a service account.
It seems that it is not recommended to use service accounts; I found this support article on Google: https://support.google.com/business/thread/8281160/cannot-get-access-to-gmb-locations-with-service-account-with-nodejs?hl=en
The "official" recommendation is to use OAuth.
But we finally made it work using a service account. The following steps are necessary to resolve it (at least for us it is working now):
1) Add a project in Google Cloud Platform.
2) Add and enable the Account Management and Business Information APIs.
3) Add the service account and generate a key (https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount)
4) Make the Business Profile API request (you need the approval made by Google to be able to make requests against the two APIs; otherwise you may run into quota exceeded errors, as "Request per minute" is set to 0 by default). Important: It may take up to 2 weeks, but we received the approval within about 5 days.
5) Enable domain-wide delegation for the service account using the scope "https://www.googleapis.com/auth/business.manage". More about domain-wide delegation: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority
6) Add a user identity in GCP. This user also needs to be added in Google My Business for editing locations. When creating your ServiceAccountCredential object, impersonate this user.
Security concerns:
Domain-wide delegation means that everyone knowing/having the credentials of the service account could impersonate any person (identity) from within GCP. At least in this case only for the Business Profile API, but anyway, keep this in mind.
Also, using private keys for authenticating the service account is not recommended; you should take care to regularly change / create a new private key, or there would be a solution with Identity Workload.
Hope this helps everyone facing the challenge with GMB / GCP / service accounts :-)
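The delegated token request from the steps above, as an added example (not code from the answer or from Google): it builds the JWT claim set with the business.manage scope and the impersonated user in "sub", and refuses any subject outside an allowlist, which narrows the impersonation risk raised under the security concerns. The service account address, the allowlisted user and the function names are assumptions; signing the result with RS256 is left to the auth library that holds the key.

```python
import base64
import json
import time

TOKEN_URL = "https://oauth2.googleapis.com/token"
SCOPE = "https://www.googleapis.com/auth/business.manage"  # scope from the answer
MAX_LIFETIME = 3600  # assertions may be valid for at most one hour

# Assumption: the only identity this backend may impersonate (constructed value).
ALLOWED_SUBJECTS = {"gmb-reader@example.com"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(sa_email, subject, now=None, lifetime=MAX_LIFETIME):
    """Claim set for a delegated token; refuses subjects outside the allowlist."""
    if subject not in ALLOWED_SUBJECTS:
        raise PermissionError(f"impersonating {subject!r} is not allowed")
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": sa_email,   # the service account itself
        "sub": subject,    # the user impersonated through delegation
        "scope": SCOPE,    # single scope, nothing broader
        "aud": TOKEN_URL,
        "iat": now,
        "exp": now + lifetime,
    }


def signing_input(claims):
    """header.payload string that is then signed with RS256 using the key."""
    header = {"alg": "RS256", "typ": "JWT"}
    parts = (json.dumps(p, separators=(",", ":")).encode() for p in (header, claims))
    return ".".join(b64url(p) for p in parts)


def decode_claims(jwt_or_input):
    """Read the payload back, e.g. when auditing what an assertion requests."""
    payload = jwt_or_input.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))
```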

Sending email stopped working using anything@testapp.appspotmail.com?

I'm trying to send an email using the Java API. I've got my app running live, no custom domain, in fact it's just a default project. Billing is not enabled. My app name is 'testapp'.
I'm using this email address for the sender:
admin@testapp.appspotmail.com
That seems to be ok if I'm reading the docs correctly (criteria #2):
For security purposes, the sender address of a message must be one of the following:
The Gmail or Google Apps Account of the user who is currently signed in
Any email address of the form anything@appname.appspotmail.com or anything@appalias.appspotmail.com
Any email address listed in the Cloud Platform Console under Email API Authorized Senders
The email was sent successfully twice, but now it has stopped working (same sender address, same recipient address). Nothing appears in the recipient's spam.
I can see in the quota page that the # of emails-sent keeps incrementing. But nothing is actually going through.
What am I missing?
Thanks
This is a known issue that is currently being tracked on the App Engine public issue tracker. Please feel free to star this issue for updates.

send email on Google App Engine from custom domain

What I have done:
I have added my domain app.mydomain.com to my app engine project, and can successfully visit id.appspot.com using app.mydomain.com.
I have registered mydomain.com on google app for business.
The problem:
The problem is -- I am NOT able to send emails using an @mydomain.com address. If I register info@mydomain.com as a developer, this will probably solve the problem, but we need to send from more than one address, and I don't think registering a new developer for each address is reasonable.
Does anybody know how to solve this? Thanks!
You have two options:
Register all emails that you want to use as administrators/developers, but as you mentioned in your post you don't want to do that.
Use SendGrid (or any other email service like Mandrill, Mailgun, etc.), which will give you a lot more features compared to what GAE offers, including 25k free emails instead of GAE's 100.
According to the docs, the sender would need to be an administrator on the project (called "owner" in the new Developers Console). Another route would be to just use a separate email sending service like SendGrid or Postmark.
You can use the Gmail API to send emails as users of your domain. Note that the emails need to be aliases, groups or users of your domain.
You shouldn't have any problem adding and verifying your domain, adding the necessary permissions to send emails. Then, every email address in your domain can be used. See here in the docs: https://developers.google.com/appengine/docs/java/mail/#Java_Sending_mail

java googlemail blocks multiple access

I need to allow a user of my App to email themselves when an event occurs. I am not sure how to do this.
My first idea is to create a dummy Gmail account, and have my App sign in and send from there via Java code. This means hardcoding the password, BUT as the account is not used for anything other than one-way emailing, it does not seem to be a problem.
However, I understand that google is pretty proactive about security and if my App (which is global) tries to log into same account in several different countries during a 24 hour period - it will block the email.
I have seen the "delegate" functionality, but that would mean that each user needs their own gmail account which is not practical.
Is there a way to force gmail to allow the sign-ins to happen from wherever?
Or is there a better approach to this problem?
Probably not a good idea to have your app mail from a private account, if I understand you correctly. Best to use an email service like http://expresspigeon.com or http://sendgrid.com and simply send a transactional email from your app account. In other words, use an ESP.
The safest would be to ask the user for all the configuration information necessary to access their email server as themself, then send the email as themself to themself. You can use JavaMail to send the message, but you'll need to ask for all the configuration information that any other email application would ask for in order to configure access to their mail server.
There may also be Android-specific ways to do this using the default email application.

How can I reset the domain-verification process in Google Apps for Business?

As part of my App Engine application, I decided to configure an already-purchased custom domain name that would point to the app. To do this, I was directed to use Google's Apps for Business product.
Unfortunately, verification of the custom domain went bad, which was a surprise, because Google contacted my domain registrar directly. A week passed, and the domain was still listed as undergoing verification.
Is there a way I can restart the process, and hopefully complete it by a different method?
Have a look at this page:
http://support.google.com/a/bin/answer.py?answer=96917
Click on the first radio button ("I'm receiving the message 'This domain is already in use.'")
Toward the bottom of the page, there will be a URL template:
https://www.google.com/a/cpanel/<your domain name>/VerifyAdminAccountPasswordReset
Sign into your Google Apps account, then substitute your domain name in the above URL-template where indicated.
When you visit the resulting URL, Google will ask you for an email address. You will then get an email supplying data values for a new CNAME record you can add at your domain-registrar's website. If you do that correctly, Google will then consider your custom domain as verified.
