How to generate gce credentials - elasticsearch

I'm trying to use a 3rd party app that requires gce_client_id and gce_client_secret keys. In order to generate them, I browsed to the Credentials icon and tried to create an OAuth 2.0 Client ID. However, the system offers me 7 different types of apps but none of them fits the app profile. The app is supposed to be run from a gce VM and spin up other gce VMs so it really has nothing to do with web apps or similar. Am I doing this right or is there any other way to generate the gce id and server keys? Thanks.
P.S. I tried using the keys generated using the option: "Desktop app" but it's producing the following error:
ERROR Error creating instance <HttpError 403 when requesting https://compute.googleapis.com/compute/v1/projects/watchful-origin-244417/zones/us-central1-a/instances?alt=json returned "Request had insufficient authentication scopes.">
2020-08-10 18:08:11 deployator0002 elasticluster[3768] ERROR Could not start node compute002: Error creating instance <HttpError 403 when requesting https://compute.googleapis.com/compute/v1/projects/watchful-origin-244417/zones/us-central1-a/instances?alt=json returned "Request had insufficient authentication scopes."> -- <class 'elasticluster.exceptions.InstanceError'>

Firstly, this post has nothing to do with elasticsearch, as that app is totally unrelated to elasticluster, which is the app of interest (probably no need to change the original tags). The fact is that Google changed the options for OAuth 2.0 and eliminated the 'Other' option from its list of app types. That was the origin of the issue and the developer is already aware of it. Thanks.

Related

Google Cloud Run Hosted User Sign-In 'Redirect' Throws Error When Using External Identity Providers

I have a Google Cloud App Engine app that functions correctly when either I allow unauthenticated AllUsers access or turn on IAM for controlling access in Identity Aware Proxy. However when I follow the instructions on this page https://cloud.google.com/iap/docs/cloud-run-sign-in to enable Cloud Run Hosted sign-in with external identities and attempt to access either the login page or the Google Cloud Run hosted sign-in page, I receive the following error in the browser.
"Could not fetch URI /computeMetadata/v1/instance/service-accounts/default/token?scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/identitytoolkit"
For context, the Google Cloud Run service hosting the user sign-in is set to allow all Unauthenticated. It should re-direct to the Google App Engine web app. I think this is related to permissions or redirects, but I am at a loss as to how to fix. Any thoughts? Thanks!
I attempted to fix by re-deploying the Cloud Run Service, switching IAP on and off, switching between IAM and external identities, but to no success.
Thanks #John Hanley, I discovered that one of my compute engine service accounts was disabled for some reason within the project. Re-enabling it solved the problem partially. I'll spend more time matrixing out the permissions and redirects to make sure they are aligned.
I originally thought I completely answered my own question and solved my problem. Unfortunately, I only solved one of the problems with my implementation of the external identities authentication method.
Description of the other problem:
I enabled email/password and Google as providers, but when I click on the option to authenticate with Google, I receive the following text in the browser: "The requested action is invalid."
At the Console in Dev Tools I get the following error:
GET https://www.googleapis.com/identitytoolkit/v3/relyingparty/getProjectConfig?key=*mykey*&cb=1599165379363 403
The following url is displayed in the URL bar:
https://.firebaseapp.com/__/auth/handler?apiKey=mykey&appName=%5BDEFAULT%5D-firebaseui-temp&authType=signInViaRedirect&providerId=google.com&customParameters=%7B%22hl%22%3A%22en%22%7D&scopes=profile&redirectUrl=https%3A%2F%2Fiap-gcip-hosted-ui-app-engine-app-myserver-uc.a.run.app%2F%3FapiKey%3Dmykey**&v=7.16.0&fw=FirebaseUI-web
mykey and myserver were removed for this post and are not the actual values.
Email/password sign-in works, but not the Google sign-in. What am I missing here?

Failed to get device list from HomeGraph: Requested entity was not found

I have implemented Smart home actions as per documentation, I have enabled the Home Graph API,
I got agentUserId from the Google OAuth playground, but when I submit agentUserId and the service account key in the test suite it returns an Error 404 msg:
Failed to get device list from HomeGraph: Requested entity was not found.
I am able to operate my devices from google home app, but not able to test with test suite.
I am looking for possible reasons.
I encountered this today, and was confused as nothing was even trying to contact my server. I had been using the test tool successfully beforehand, so I knew my agentUserId was correct, that HomeGraph API was enabled and my service account was correct. It turned out that I was not currently linked to my Google Home app on my mobile with the same user at the time I was trying to run the test tool. I had unlinked it, therefore the agentUserId was not found on Google's side.
To summarise:
On your mobile link to your test Action
Make sure this is the same user account which you have the agentUserId from - ideally capture a log of your SYNC output and compare
Verify your service account's key in the JSON file you upload is listed in the list of "private_key_id"s in your service account
Try the test tool again whilst you are still linked on your mobile

Can/Should I hide the details of Error 403: org_internal in google login?

I am using Google's login API for a project that needs to be internal to my organization. When I tested to see what happens if I try to login with an account that is not part of that organization, this error showed up:
Error message image on https://i.stack.imgur.com/bnXNw.png
This error shows the client id provided by my API panel on my developer account.
Is showing that information safe? If not, what could I do to hide it?
Thank you in advance!
The client identifier [1] and everything else on the error page is not considered a secret. The error message has two uses: to lock your app down for internal usage and to allow users to use that information to escalate to you, the developer, or their admin that they need access to a particular app if they have a legitimate need for it. For the latter, it is important for users to be able to identify apps, typically using the client ID.
[1] https://www.rfc-editor.org/rfc/rfc6749#section-2.2

Google API giving unauthorized token error

We have an application hosted in GCP which uses GSuite APIs to sync users from GSuite to our application and vice versa using a Service Account. It used to work well until recently some of our customers started facing issues.
We started getting
401 unauthorized. "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
There has been no change in our application and neither in the list of permissions granted. Following is the list of API access granted:
https://apps-apis.google.com/a/feeds/domain,
https://www.googleapis.com/auth/activity,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.orgunit,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.appdata,
https://www.googleapis.com/auth/drive.file,
https://www.googleapis.com/auth/drive.metadata,
https://www.googleapis.com/auth/drive.metadata.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,
https://www.googleapis.com/auth/admin.directory.rolemanagement,
https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,
https://www.googleapis.com/auth/admin.directory.device.chromeos,
https://www.googleapis.com/auth/drive.apps.readonly,
https://www.googleapis.com/auth/drive.photos.readonly,
https://www.googleapis.com/auth/drive.scripts
The affected GSuite domains were working perfectly until yesterday. Also there are some domains which still work without any problem.
Can somebody please suggest what the problem could be? Has there been any change in the APIs recently? Any help will be much appreciated.
"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
There are several ways to authenticate to Google.
web based applications
native applications
mobile applications
and service accounts
The clients you create for these types are different, as is the code to use them. The message you are seeing above means that the code you are using does not match the type of client you have created.
Make sure your code is designed for use with service accounts and make sure that the credentials file you have downloaded from google developer console is in fact credentials for a service accounts.
Why it worked previously and suddenly stopped I can't tell you; this is an error you will always get if your code does not match your credential type.
The last option would be to double check that all of those apis are enabled in the Google developer console for your service account project.
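The two answers above (the HomeGraph summary's "check the private_key_id" step and the advice here to confirm the downloaded file really is a service-account key) both come down to inspecting the credential JSON before blaming the API. The following is an added example, not code from any of the posters or from Google's client libraries; the field names are the documented ones found in the three kinds of credential files the console hands out, and the sample documents are constructed with placeholder values.

```python
import json

# Top-level fields that distinguish the credential JSON files Google Cloud issues.
# A service-account key, an "authorized_user" (gcloud) file and a downloaded
# OAuth client ID ("installed" for Desktop app, "web" for Web application)
# look nothing alike, which is why the wrong one yields an auth error.
_SERVICE_ACCOUNT_FIELDS = {"type", "client_email", "private_key", "private_key_id", "token_uri"}
_AUTHORIZED_USER_FIELDS = {"type", "client_id", "client_secret", "refresh_token"}
_OAUTH_CLIENT_SECTIONS = ("installed", "web")


def classify_credentials(raw: str) -> dict:
    """Classify a credential JSON document without using any of its secrets.

    Returns kind ('service_account', 'authorized_user', 'oauth_client', 'unknown'),
    the fields missing for that kind, and the identity (client_email or client_id)
    an operator can match against the console.
    """
    data = json.loads(raw)
    declared = data.get("type")
    if declared == "service_account":
        return {"kind": "service_account", "identity": data.get("client_email"),
                "private_key_id": data.get("private_key_id"),
                "missing": sorted(_SERVICE_ACCOUNT_FIELDS - data.keys())}
    if declared == "authorized_user":
        return {"kind": "authorized_user", "identity": data.get("client_id"),
                "missing": sorted(_AUTHORIZED_USER_FIELDS - data.keys())}
    section = next((s for s in _OAUTH_CLIENT_SECTIONS if s in data), None)
    if section:
        body = data[section]
        return {"kind": "oauth_client", "flavour": section, "identity": body.get("client_id"),
                "missing": sorted({"client_id", "client_secret"} - body.keys())}
    return {"kind": "unknown", "identity": None, "missing": []}


def usable_as_service_account(raw: str) -> bool:
    """True only for a complete service-account key; a Desktop/Web client ID fails here."""
    info = classify_credentials(raw)
    return info["kind"] == "service_account" and not info["missing"]


def key_id_listed(raw: str, console_key_ids) -> bool:
    """The HomeGraph check: is this file's private_key_id still a key on the account?"""
    info = classify_credentials(raw)
    return info["kind"] == "service_account" and info["private_key_id"] in set(console_key_ids)


# Constructed samples with placeholder values (not real credentials).
DESKTOP_CLIENT = json.dumps({"installed": {"client_id": "123.apps.googleusercontent.com",
                                           "client_secret": "PLACEHOLDER-SECRET"}})
SA_KEY = json.dumps({"type": "service_account", "private_key_id": "abc123",
                     "client_email": "sa@example-project.iam.gserviceaccount.com",
                     "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
                     "token_uri": "https://oauth2.googleapis.com/token"})
```

Run it against the file you actually point the application at: a `kind` of `oauth_client` with `flavour: installed` is exactly the "Desktop app" mismatch from the first question on this page.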

Google app engine remote python console credentials/login?

Hi I am trying to start remote GAE shell with
python $GAE_SDK_ROOT/remote_api_shell.py -s your_app_id.appspot.com
"You don't need any additional authentication" says the GAE RemoteAPI page,
yet my command fails miserably with HTTP Error 401: Unauthorized Too many auth attempts.
I think I was able to do start it (with various degree of success for different apps) in some remote past, either with gmail credentials or some auth key from google cloud.
Please share your hints, or, ideally, drop a link to easy to follow step by step guide.
Also I cannot access Datastore Admin for that project in the online console; if I click it, it invites me to sign in, which fails. Recently I got the owner role, yet the project was created by a person with a different email domain.
