I am trying to use the Google Prediction API for the first time.
I am just following the steps given in the article https://developers.google.com/appengine/articles/prediction_service_accounts.
I am getting a strange problem while executing step 2.4 in the above mentioned article.
I have followed the steps as below.
1) I have an application created in say xyz.com domain, and I have service account name of my application as "myapp#appspot.gserviceaccount.com".
2) Then I went to "Team" tab on the Google API Console, and tried to add the service account name of my application, to the project in which I have activated Prediction API and Google Cloud Storage.
While adding the serivce account to the project it gives me an error saying that
"Only users in domain xyz.com may be added to the project".
The same kind of message is also displayed on the bottom of the "Team" tab.
xyz.com is the domain in wich my application is deployed.
Could any one please help me understand why this kind of message is comming?
Are there any domain level admin settings required to add the service account to the Google Console API project?
Regards,
Nirzari
Currently, if you created a project with your Apps account, you can only add members of that same domain.
What you'll have to do is create a new project from something like xxx#gmail.com account (NOT your Apps domain account). You can then add both #appspot.gserviceaccount.com and yourself#xyz.com.
I think you can even remove xxx#gmail.com later on, once you've added yourself#xyz.com. Even activate billing for yourself#xyz.com, not xxx#gmail.com, if you need to.
Take from https://developers.google.com/appengine/docs/python/googlestorage/overview
You can modify the ACL of the bucket manually:
An alternate way to grant app access to a bucket is manually edit and set the bucket ACL and the default object ACL, using the gsutil utility:
Get the ACL for the bucket and save it to a file for editing: gsutil getacl gs://mybucket > myAcl.txt
Add the following Entry to the ACL file you just retrieved:
<Entry>
<Scope type="UserByEmail">
<EmailAddress>
your-application-id#appspot.gserviceaccount.com
</EmailAddress>
</Scope>
<Permission>
WRITE
</Permission>
</Entry>
If you are adding multiple apps to the ACL, repeat the above entry
for each app, changing only the email address to reflect each app's
service name.
Set the modified ACL on your bucket: gsutil setacl myAcl.txt gs://mybucket
Related
Using IAM, I am trying to allow certain users to access API's and allow them to create OAuth client credentials. Is there a predefined role for allowing this? I don't want to use the role of project editor, because I'm trying to allow access to only the necessary services.
It's when the user is in their project, and they go to "APIs and Services" > Credentials, the user receives this error:
You don't have permission to view API keys, OAuth clients, and service account keys.
Roles/Permissions:
-App Engine Admin
-Cloud Functions Developer
-Cloud Datastore Owner
-Service Account Admin
-Source Repository Administrator
-Storage Admin
So I believe I've come across the solution. After failing to find a predefined role or any answers online, I started to delve into creating custom roles. If anyone has issues with this in the future, here is what I have done.
I went to Project Settings > Roles > Create Role. I then created 2 custom Roles, here are all the permissions I assigned to them:
"Custom API"
container.apiServices.create
container.apiServices.delete
container.apiServices.get
container.apiServices.list
container.apiServices.update
container.apiServices.updateStatus
serviceusage.apiKeys.create
serviceusage.apiKeys.delete
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.apiKeys.regenerate
serviceusage.apiKeys.revert
serviceusage.apiKeys.update
"Custom Client Auth"
clientauthconfig.brands.create
clientauthconfig.brands.delete
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
*Note that at the time of writing, these individual permissions are in a "testing" state, and may not work as intended.
You can go to the roles page:
https://console.cloud.google.com/iam-admin/roles?project=[your-project-id]
And there you can filter for the permission you need:
Now you can see in the list all the roles include the permission you need, and you can return to the IAM page:
https://console.cloud.google.com/iam-admin/iam?project=[your-project-id]
And select one of those rules:
My App engine is running in project-1. I want to access the BQ present in project-2. How can i make app engine in project-1 access the BQ present in project-2?
You should request "can view" (or "can edit") permissions on the dataset of your interest. Owner of project-2 (or respective dataset) will be able to do so.
You don't need to be present on project level and in some cases it is not even appropriate - but you must have appropriate permissions on dataset level
If, by chance, you are the owner of project-2 or respective dataset - you can easily do this by following below instructions
https://cloud.google.com/bigquery/bigquery-web-ui#sharedataset
The easiest way to accomplish this is to add the default service account of "project-1" to the permissions list of "project-2":
within the cloud console go to the permissions section of project-1
select the service accounts sub tab
look for the default service account (or create a new one)
add the service account to the permissions of project-2
EDIT
You need to create your client in a fashion that uses the applications default service account. For example if you're using python it would look something like:
# Grab the application's default credentials from the environment.
credentials = GoogleCredentials.get_application_default()
# Construct the service object for interacting with the BigQuery API.
bigquery_service = build('bigquery', 'v2', credentials=credentials)
Now with your PK file you can launch the dev appserver in a fashion that the same client client will work correctly: Unable to access BigQuery from local App Engine development server
Im having trouble with Google App Engine and using my own domain. I have a domain that i'm also using in Google Apps for Work.
I have connected my GAE project in Google Apps so they are linked.
I have added my custom domain in GAE, verified ownership and it seems to be correct.
Here is a picture of the GAE settings.
And on Google Apps for work.
The other setting I know I have to do is on my domain registrar. I have added the records from GAE, from the picture I uploaded.
Im using one.com as a domain registrar and my DNS settings look like this:
Am I doing something wrong that you can see directly like "Hey what's this guy doing lol" or does it seem correct at first sight?
Thankful for any help in the right direction.
#
EDIT:
After following the tip from comment, I have verified and mapped the domain "lkpgpremiumcars.com". And added "beta" as subdomain. My "Custom domains" looks the same (like below):
I also removed A and AAAA-records and added a CNAME.
Waiting for DNS update to see if it works.
EDIT 2:
Still dont work.
BTW is it normal behavior that if I select the same subdomain again it says this:
Or is is just because it already points to this app?
You'll need to add this as a sub-domain.
First remove the custom domain (beta.lkpgpremiumcars.com) from the developers console.
Remove the A and AAAA records that you've added to the DNS.
Follow the instructions here and on step 1, only add the domain 'lkpgpremiumcars.com' and verify. This doesn't mean you're pointing the naked domain to your application.
Once it's verified, refresh the page and now you should have the domain available on step 2.
Select the second option on step 2, put 'beta' on the text box and select the previously added domain from the drop down beside. Click Add.
Go back to your DNS settings and add a CNAME record for 'beta' pointing to 'ghs.googlehosted.com.
Allow some time for propagation and it should work!
I've created several GAE applications but failed to retrieve "Service Account Name" - there is no gserviceaccount mail on a 'Application Settings' page. My goal is to add service accounts of those applications to a list of members of the main application with edit permissions.I've tried to add account to a list of members of main project just by following pattern <appId>#appspot.gserviceaccount.com but it failed with following error "The email account you invited is not a valid Google account".My second idea was to create service account member on non-main project first following same pattern it didn't lead to an error but it has a following status "Invitation sent. Waiting for response".Have no idea how to fix it. I would greatly appreciate any help.Just for your notice: main application has billing enabled and has generated service account. Non-main applications have default version deployed and marked as "running".
Services account are always created by default when you create a new project in the Google Cloud Platform.
So there's no need for you to add them or re-create them in your project.
You may find them in the Permissions page under the main project section in the Developers' Console.
Or by using the URL https://console.developers.google.com/project/YOUR_PROJECT_NAME/permissions and using your real project name.
Older apps/projects didn't create service accounts.
Add the service account by
Going to https://console.developers.google.com/project/YOUR_PROJECT_NAME/permissions
Press Add Member
Add this email YOUR_PROJECT_NAME#appspot.gserviceaccount.com
I'm following these instructions on how to set a CORS configuration on a Google Cloud Storage bucket and when I run the gsutil cors set command it returns the following error message:
AccessDeniedException: 403 The account for bucket "[REDACTED]" has been disabled.
For the record, I have access to the bucket. I have owner privileges for this project in the Developer Console. Running gsutil cp and gsutil ls work just fine.
Any ideas on what might be wrong here?
I'm answering my question because I found the solution for this issue. I hope this helps anyone else who runs into this, because at the time there was little info on the web describing to how to solve this.
It turns out that my user account did not have "owner" access to the bucket. Here are the steps I took to grant myself access:
1) First, navigate to your project's Cloud Storage Browser in the Developer Console.
2) Once you see a listing of the buckets that are linked to your project, check the box next to the bucket(s) you'd like to modify the permissions for and then click the "Bucket Permissions" button.
3) Next, add your user account to the list of permitted users. Set the permission level to "owner". Click the "Save" button when you're done.
You should have access to the bucket now, which means you won't run into any 403 errors. If you are, you did not set the entity correctly or are using a different account when you authenticated with gsutil. Double-check your work and try again.
Just providing another tip in case others find themselves in the same situation I did. Make sure to log in with the correct google account using gcloud auth login. This can be a tricky detail if there are multiple Google accounts.