Google App Engine: who is an admin? - google-app-engine

In your app.yaml configuration file you can require login: admin. My question is now "what" or "who" is an admin?
In the App Engine console in the Administration -> Permissions section they're also talking about an admin. However, if you add a new user you can only choose between owner, developer and viewer.
Which of those is an admin? Only the owner or owner+developer or all three?

When working with users either on your own apps domain or normal Google users:
Owners can do anything supported by the UI.
Only Owners can make changes on the Permissions tab (invite, change role, remove).
Developers can do anything except changes on the Permissions tab.
Viewers cannot change anything.
Everyone who was an admin before the feature went live is initially an Owner. (This is available since version 1.4.2)
All three roles are given admin status when the application runs (i.e., users.is_current_user_admin() returns True).
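
An added example, not part of the original answer or App Engine's own code: because all three roles pass users.is_current_user_admin(), an app that wants a narrower admin set can layer its own allowlist on top of that check. ALLOWED_ADMINS, is_app_admin and the FakeUsers stub are hypothetical names; only get_current_user(), is_current_user_admin() and User.email() follow the real google.appengine.api.users interface.

```python
# App-level guard layered on App Engine's platform admin flag.
# ALLOWED_ADMINS is a constructed allowlist; replace it with your own accounts.
ALLOWED_ADMINS = frozenset({"owner@example.com"})


def is_app_admin(users_api, allowed=ALLOWED_ADMINS):
    """True only for platform admins who are also explicitly allowlisted.

    users_api is google.appengine.api.users in production, or any object
    exposing get_current_user() and is_current_user_admin().
    """
    user = users_api.get_current_user()
    if user is None:
        return False  # not signed in
    if not users_api.is_current_user_admin():
        return False  # Owner, Developer and Viewer all pass this check
    return user.email().lower() in allowed


class FakeUser:
    """Constructed stand-in for users.User."""
    def __init__(self, email):
        self._email = email

    def email(self):
        return self._email


class FakeUsers:
    """Constructed stand-in for google.appengine.api.users (runs offline)."""
    def __init__(self, email=None, admin=False):
        self._user = FakeUser(email) if email else None
        self._admin = admin

    def get_current_user(self):
        return self._user

    def is_current_user_admin(self):
        return self._admin


def demo():
    # Constructed sessions: a Viewer is a platform admin but is not allowlisted.
    cases = {
        "owner": FakeUsers("owner@example.com", admin=True),
        "viewer": FakeUsers("viewer@example.com", admin=True),
        "visitor": FakeUsers("someone@example.net", admin=False),
        "anonymous": FakeUsers(),
    }
    return {name: is_app_admin(api) for name, api in cases.items()}
```

In a handler, pass the real users module as users_api and return a 403 when the function returns False.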

Related

How to set project owner in Google Cloud Platform

I have created a YouTube API key, but when I try to use it I get an error message that the key is not enabled. When I try to enable the key in the Google Cloud Console, I get the error message:
IAM: you have insufficient permissions to enable or disable services and APIs for this project. Contact a project owner to request permissions.
I can't seem to find a way to set the project owner. I created this project myself, so I should be the project owner. I'm not sure if it's relevant, but the account is managed via G-Suite.
Update: per the documentation, I logged on to G-Suite as an administrator and went to Apps > Additional Google services, but "Web & App Activity" is not listed as an option.
Your G Suite admin can activate the API or remove a restriction on it.
To add an owner for a project, first select the project in the dropdown at the top of the screen. Then go to "IAM and Admin" in the navigation bar, then go to the IAM page. Click on "Add" at the top, and then you can add Project->Owner.
It can be confusing because even if somebody is an organization administrator, they aren't necessarily the owner of a project yet.

Is admin consent required in a native app using Directory.AccessAsUser.All?

According to this page, admin consent should not be required for a native app using Directory.AccessAsUser.All:
As a side note, for native applications, this permission behaves like a User permission instead. A native app does not have an identity per se, and it is already doing the direct user’s bidding anyway. It stands to reason that the app should be able to do what the user is able to do, just as happens on-premises when a classic native client (say Word or Excel) can or cannot open a document from a network share depending on whether the user has the correct permissions on that folder.
I'm not seeing this in practice. The "API Permissions" page in Azure portal warns me that admin consent will be required, and users attempting to sign in using my app also get told that admin consent is required.
I haven't provided a Web redirect URL, just checked https://login.microsoftonline.com/common/oauth2/nativeclient under the Public Clients section. I'd expect this to be enough for admin consent not to be required, but it doesn't seem to be the case.
Is the doc above wrong, or am I missing something?
That page is wrong; the consent framework doesn't allow a permission to be Admin/User.
If it is marked Admin, it requires admin consent.
That may have been right in the past though.

Adding custom domain member as owner in project - GAE

I am trying to add my client as owner on my Google Cloud Console Project, but I am getting the following error: An email address does not belong to an active account
I created a Google account for him (related to his custom domain), but I also found it difficult to make him the owner of the project.
You will have to register an account at Google Developers with your non-Gmail address first. Then go to Permissions in the Google Developers Console and add a Member with the non-Gmail account as owner. After that you will be able to select the non-Gmail email address in the Consent screen.
You can add a user to your project using the Google Cloud Platform Console. When you add a user to your Google Compute Engine project, it gives the user some amount of access to Google Compute Engine resources in that project, determined by the roles such as viewer, editor, or owner. For example, if you add a user as an owner, they will be able to add and modify Google Compute Engine resources in the project, connect to the project's instances using SSH, and change the project's membership.
To add or delete users, or to change their permissions:
Go to the Permissions page in the console.
To add a new team member, click the Add Member button.
To delete a team member, check the box next to their account and click Remove.
To change a user's permissions, select a different role in the Permission column.
You can choose from these three user roles:
Can View - provides READ access
Can Edit - provides "Can View" access
Is Owner - provides "Can Edit" access
For more information check Managing your project's users, and this SO question.

Not able to revoke GAE app from Google account security permissions

My initial version uses the built-in GAE Users Service for application login/registration.
However, I was not able to revoke the app's permissions from my Google account settings.
https://security.google.com/settings/security/permissions
Google has updated the dashboard.
I think they missed a feature to allow users to revoke GAE apps permissions.
Can someone help me verify this?
If you are talking about this [1] built-in service, your app has access to the user's email address as well as a unique user ID only while the user is signed into your app. So there are no permanent permissions to be revoked.
[1] https://cloud.google.com/appengine/docs/python/users/

Serve GAE app from a custom domain?

I have a GAE project (myproject.appspot.com) which I'd like to serve from a custom domain (myapp.com).
I have added the custom domain to my Google Apps account for my company (example.com).
On my dashboard I have successfully added my domain. This is confirmed; it says myapp.com - Active
Following Google's instructions, I perform step 3 (click "Add Domain"), which attempts to log me in using my normal admin account:
Problem #1, it won't let me perform this step:
You are trying to access Google Admin of myapp.com but you do not have a valid logged in account for it.
I have successfully performed step 4 (Activate this service), and my app appears under "App Engine Apps" for my company.
This page displays: Web address — Your users can access MYPROJECT at: https://myproject.appspot.com — Add new URL
I then click on "Add new URL", which offers me a chance to select a domain from a pulldown list that includes all the domains I own on this account (i.e. both example.com and myapp.com).
Problem #2, it won't let me perform this step. I choose http://myapp.com and click [Add]. When I do this, I get an alert in a red popup box that says The term 'myapp.com' is not allowed. The single quotes are unescaped and appear as "'"
I can successfully add the URL for my company domain (example.com) just fine. But it throws an error/alert if I select myapp.com instead.
Why is Google Apps preventing me from using this domain? I clearly own it, and it appears on the pulldown menu. Why does it say "the term" is not allowed, as if it's a typo? Is this a bug in parsing the unescaped quote characters?
I found a great (and very obscure) solution.
First of all, Google doesn't tell you this, but the custom domain cannot be a secondary domain on your Google Apps account. Only the primary domain can be selected for "Add new URL."
There are two solutions. One is to add the second domain (myapp.com) to your Google Apps account as a domain alias for the primary (example.com), not a secondary domain. This may not be acceptable for many users, since it means you cannot use myapp.com to deliver different content from example.com.
The second solution is to create an entirely independent, separate Google Apps account, and make your domain (myapp.com) a primary domain for that account. This too may not be acceptable for many users, since you may not feel like paying for a Google Apps account (minimum of $50 per user per year). However, there is a very cool way to get a Google Apps account for free.
You can create an independent Google Apps account with exactly 1 user, and then delete Google Apps for that user. This sounds weird, but stay with me. The superuser account remains, so you can administer the domain and the App Engine app. What you give up are the paid services (Gmail, Docs, Calendar, etc.) for that user, which means you're not obliged to pay the $50/year.
Here's the recipe. You will need:
a) a Google User account (e.g. joe@myapp.com created at http://gmail.com)
b) an App Engine account (e.g. http://appengine.google.com)
c) a Google Apps account (e.g. http://admin.google.com/myapp.com)
Create your Google Apps account; you will get a free 30-day trial.
Make sure your user (a) is an owner of the app engine project (b).
Make sure you add your app engine project (b) to your Apps account (c).
Under "Admin Console / More controls / App Engine Apps" ("add services", click icon in upper right corner)
Here's where you delete the paid services and keep the Apps account for free:
In the admin console, choose Company Profile / Profile.
Scroll all the way down to Account Deletion. Look for the text "One or more subscriptions are still active. Please cancel these subscriptions "
Click "subscriptions".
Click "Google Apps".
Click "Cancel Google Apps" (It's the ⃠ icon on the extreme right side of page)
This will delete the paid services (Gmail, Docs, Cal, etc.) so you will no longer have access to any of those. Gmail will not handle any email sent to joe@myapp.com. You will need to set up the MX records for myapp.com to point to some other service if you want to enable email for the myapp.com domain. But you will have the myapp.com domain associated with your Apps account and with your App Engine app, for free, and you will be able to log in as joe@myapp.com to administer them both.
At some point, if you change your mind and decide you want Gmail for your users, you are always welcome to add the Google Apps service back on, and of course purchase licenses for $50/user/year.
You need to add the GAE app from your Google Apps for Domain account. There is a form where you can add an App Engine app to your Google Apps account, but it's not in your GAE account; it's in your Google Apps account.
