I believe there is an undocumented Google API available to create and manage Google Cloud Console (and App Engine) projects on behalf of third party users.
Does anyone know how to use it?
I think older versions of the Google Eclipse Plugin obtained an OAuth2 token in the (undocumented) scope https://www.googleapis.com/auth/appengine.admin, and this allowed it to generate a Cloud Console project on your behalf. The latest version doesn't seem to do this. App Engine's own appcfg.py also uses this scope, but doesn't seem to do much more than deploy the code - I'm looking to change core settings for the project, such as Name, Redirect URLs, and Web Origins.
Any information would be appreciated.
I maintain a WordPress plugin providing secure Google Apps Login for end users, and currently have to give detailed instructions to admins for creating a new Cloud Console project manually, and entering settings such as Redirect URL. Ideally, I would create a simple on-line service to do all of this for them.
Thank you!
It is possible to programmatically create a new Developer Console project on behalf of a Google Account (yes, you read that right). You do so in a very roundabout way:
Request the https://www.googleapis.com/auth/drive.scripts scope from the user (standard OAuth 2.0 flow).
Use the Drive API's drive.insert method to create a new file with a mimetype of application/vnd.google-apps.script.
Somehow try to get the project ID, maybe by uploading some Apps Script code? This is the part that I was never able to figure out.
A little known fact is that every Google Apps Script project has a hidden Developer Console project associated with it. This project is not shown in the list of projects, but it does exist. It is created automatically when the user starts a new Apps Script project, and the drive.insert method is enough to cause this to happen.
How do you get to the hidden project? Well, the only way I know of is to open the Apps Script project from the Drive website, open the "Resources > Advanced Google Services" dialog, and click the link to the Developer Console. You'll find the project ID in the URL.
Aside from not being shown in your list of projects and not being able to use App Engine, this is a normal Developer Console project. You can add additional OAuth client credentials, service accounts, Compute Engine instances, etc. And of course once you have a project ID, all of the various management APIs will work: creating new virtual machines, making use of a service account's impersonation ability, etc.
Related
I have an ASP.NET Core web application hosted on the GoogleCloud App Engine.
The application has a function that creates and displays a PDF.
Locally it works, however in the GCP it is giving permission denied according to the image:
enter image description here
Can someone please help me?
I will post my comment as an answer, as it is too long for the comment field.
“Permission Denied” errors typically mean the caller doesn't have the right Google Cloud IAM permission on certain resources.
When developing for GAE you have to check whether the libraries you are utilizing within your ASP.NET app are compatible with GAE and additionally authorize the requests performed to GAE.
Does the pdf document get stored in a Database? If yes, does your application have all permissions required to read and write files to the Database?
Could you please specify your configurations, as well as provide the .yaml file and the corresponding code of your application for further clarifications?
Known issue:
Installing google-cloud-sdk (linux package or from tarball) has a quirk where you cannot create projects from the command line before accepting the terms of service.
Steps to reproduce:
Download sdk, untar, move folder to home directory and add google sdk root directory to PATH using install.sh
Initialize and login with: $ google init
Create a project from the CL: $ gcloud projects create --set-as-default
This will spit out an error like:
ERROR: (gcloud.projects.create) Operation [cp.5641973328385684887] failed: 9: Callers must accept Terms of Service
I hazard a guess that accepting the terms of service have not been built into the command line initialization yet. Omitting such a fundamental step to an installation process should be illegal, with consequences ranging from death by a thousand key-stokes, to 'build an operating system in headfuck'... but that's just me...
We find the solution in the most unholiest of places: the google cloud control interface (cloud console).
Go to your cloud console
Create a project by selecting 'select a project' (top-left next to "Google Cloud Platform" and then 'create project' (top-right in the popup window).
This will prompt the terms of service agreement and you may carry on after agreeing to the terms of service.
I hope this helps whoever else stumbles upon this most infuriating of errors.
Live long and prosper
Bitshift
Let's not be so dramatic with "death by a thousand key-strokes". This is a security measure that should be implemented. Security is not always convenient but can save your checking/credit account a lot of grief.
Imagine this theoretical scenario. You provide me with a service account that has the roles to create a project. I create a new project. This project is created under your Google Billing Account. I know what I am doing with Google IAM so I remove you from the new project and make myself the Project Owner. Now you have no access to the new project but your credit card is paying the bills for my project. I think you would then be screaming "death by a million key-strokes".
There are two types of projects:
Independent projects not part of an organization.
Projects that are part of an organization.
If you are part of a Google Cloud Organization, you can easily create projects up to your quota limit (default is 5). No prompting, accepting TOS, etc. Using the CLI to create a new project is effortless.
If you are not part of an Google Cloud Organization then you are basically creating a new account, you need to set up account billing, accept terms of service, etc. This means that you should not use the CLI to create a new project as the CLI does not prompt you for the items that a new project requires. Why, the CLI should be using a service account. The service account is not the IAM member that owns the account. This forces you to log into the Google Cloud Console using your User Credentials to create the new project.
For anyone getting this message when trying to create a dialogflow agent:
Go to https://console.cloud.google.com, login and accept the displayed terms and conditions.
Afterwards it worked for me...
My goal is to run a google app engine application with the minimal amount of access to resources it needs. In my case the application will access the datastorage in the project (this is the golang example tutorial using the source code git checkout origin/part4-usingdatastore from https://github.com/GoogleCloudPlatform/appengine-guestbook-go.git)
I did the following
Create a new project, foobarproject3
Created a new app in the project (using golang)
In the project IAM/IAM noticed the
foobarproject3#appspot.gserviceaccount.com, assumed this is the service account, so changed it's role to just BigQuery User. Notice that no Datastorage roles are configured (The UI forces me to provide access to something so I chose BQ)
Followed the tutorial instructions for the using datastore golang app (guestbook application)and deployed the app.
Opened the link to my app: https://foobarproject3.appspot.com/ It failed (this is great, this is what I expected, since the service account does not give the app permissions to read/write datastorage)
Refreshed https://foobarproject3.appspot.com/ and it started to work
There is something basic that I'm not understanding about service account from app engine. Isn't the app engine using these service account to access project resources? Why is the app getting access to datastorage when the service account does not have a policy that would allow access to datastorage?
"My goal is to run a google app engine application with the minimal amount of access to resources it needs."
This is dicey to unpack without more context. What is it that you're trying to achieve that goes beyond App Engine's default behavior?
My experience is that if one starts changing roles without understanding the basics, things go sideways (or South, or West, or Pear-shaped, depending on where you are). So I suspect you shot yourself in the foot in your third bullet.
When you access your app from the browser you are using your own user credentials, not the app's service account. And your user credentials might be exactly the app owner/admin ones, if you created the app using those credentials. See, for example, app.yaml handler login: admin option not effective on standard env python GAE app?
Make sure you log out from the app, or try accessing the app from an incognito browser window or by using a dumb(er) utility to prevent accidental/undesired credential leaking.
The app's service account is for your app to identify itself when it's interacting with other services/apps. From Understanding Service Accounts:
A service account is a special type of Google account that belongs to
your application or a virtual machine (VM), instead of to an
individual end user. Your application assumes the identity of the
service account to call Google APIs, so that the users aren't
directly involved. A service account can have zero or more pairs of
service account keys, which are used to authenticate to Google.
I have an app on GAE in which I'm using the Google Directory API for retrieving organization units and users. I am wondering if this API or any other have the option to update the extension force install list. Currently it's done by copying links and IDs to the Google Admin Console, but I am looking for a solution (if one even exists) to have this feature implemented directly in my application.
Thanks!
I recall seeing an option on the google app engine admin page that would allow me to duplicate/copy a deployment to a different appid. Was I imagining this? I do have a copy of all the files needed for deployment but I do not currently have access to a computer with admin privileges in order to install the GAE SDK.
Not relevant to this question, but FYI I need to do this simply because there is a major bug that's preventing me from logging in to a particular part of the admin interface and google tech support has failed to resolve the issue, so I'm just trying a workaround.
Copy old settings to new app via the admin console admin>application settings>Duplicate Application Settings. (you'll choose new appid here too)
Then upload a version of your code to the new appId (so you'll need gae sdk or use online sdk devtable).
Then go to datastore admin in the old app, select all the entities and choose "copy to another app" You'll need datastore admin to be enabled on the old app (and new app I think).