I've generated a Google Cloud API key without restrictions. I'm passing that to the my topic:publish url as a query parameter, but I'm experiencing an authorization error.
{
"error": {
"code": 403,
"message": "User not authorized to perform this action.",
"status": "PERMISSION_DENIED"
}
}
I'm unsure how to diagnose the permission issue, as there don't appear to be any restrictions on the key. The owner of the topic is my account, so shouldn't be an issue there.
Google Pub/Sub does not support API Keys for authorization. Pub/Sub uses Access Tokens. This means using a Service Account or Google OAuth.
Related
I am trying to test the Google Cloud Logging API on the "Try this API" feature that Google Cloud Platform has on their documentation, but I get this response back:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I know that my response body is correct because it works with OAuth 2.0 but fails when I use API Key.
Auth 2.0:
Working request using OAuth 2.0
API Key:
Non-Working request using API Key
Google docs says that they generate their own API Key for this "Try this API" feature. https://developers.google.com/explorer-help/
Since Google is using their own API Key, I do not understand why I am getting a response status of PERMISSION_DENIED.
Edit:
Here is a link to the Try this API feature in Google Cloud Platform if you would like to give it a try. https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/write?apix_params=%7B%22resource%22%3A%7B%22entries%22%3A%5B%7B%22logName%22%3A%22projects%2F%5BPROJECT_ID%5D%2Flogs%2Frequests%22%2C%22resource%22%3A%7B%22type%22%3A%22http_load_balancer%22%2C%22labels%22%3A%7B%7D%7D%7D%5D%7D%7D
Here is the python request that I am using in my code to create an entry:
import requests
entry = {
"entries": [
{
"logName": "projects/[PROJECT_ID]/logs/requests",
"resource": {
"type": "http_load_balancer",
"labels": {}
}
}
]
}
requests.post('https://logging.googleapis.com/v2/entries:write?key=[YOUR_API_KEY]', data=json.dumps(entry))
The API key was created from my user that has "logs writer", "logs viewer", and "logging admin" permissions. This theoretically should be all the permissions I need to make the post request. However, it is still returning a "PERMISSION_DENIED" status.
Any help would be much appreciated. Thank you in advance.
It looks like you are making a request to write data which isn't publicly writable. API Keys have no concept of user, they are only identifying you are allowed to call an API. So it looks like your API key request is working to the extent it can, but the response is telling you: I don't know who you are so I can't let you do this.
OAuth 2.0 is the solution here, as it acts on behalf of your account (you have to give consent), allowing the API to verify you have permission to take this action.
Service accounts are another option, to act on behalf of your project instead of your user, but they aren't practical from a web UI.
https://xxxx.service-now.com/api/now/v1/table/incident while we're consuming this API in postman we're getting
{
"error": {
"message": "User Not Authenticated",
"detail": "Required to provide Auth information"
},
"status": "failure"
}
Here we are given basic authentication and the JSON input like
{
"short_description":"Creating incident through Request",
"assignment_group":"287ebd7da9fe198100f92cc8d1d2154e",
"urgency":"3",
"impact":"3"
}
It basically says you are not authenticated, it either means you didnt provide correct credentials or you forgot to provide basic-auth header while querying through postman
I think the error message is pretty clear about what the problem is... you're not authenticated. You'll need to authenticate in order to utilize the API. Unless you have a complex authentication scheme going, you can probably use Basic Authentication in PostMan and use the credentials for an account which you know has access to the resource you're trying to access.
I'm writing a Lambda function that queries Google Calendar events. Although I successfully created a credential (client ID, and client secret) on Google Developers Console, I cannot access the events. Error:
{ "error": { "errors": [{ "domain": "usageLimits", "reason": "keyInvalid", "message": "Bad Request" } ], "code": 400, "message": "Bad Request" } }
My http request looks like this:
https://www.googleapis.com/calendar/v3/calendars/MY_CLIENT_ID/events?key=MY_CLIENT_SECRET
What went wrong? Any help is greatly appreciated.
"domain": "usageLimits", "reason": "keyInvalid", "message": "Bad Request"
Means that the key you are sending is an invalid api key.
Background info
When you make a request to a Google api for public data you can use an API key. Public data is data that is not owned by a user. For example public posts on google+, google books. In these instances you can use an api key inorder to access the api using
GET https://www.googleapis.com/youtube/v3/search?part=snippet&maxResults=25&q=surfing&type=test&key={YOUR_API_KEY}
key identifies your application to google using the api key you create in google developer console.
Private data is data that is owned by a user for instance your google calendar an application can not post to it with out permissions. Inorder to do this we use Oauth2. You create a client on google developer console then login the user using oauth2. you will get an access token back then you can make a request
https://www.googleapis.com/calendar/v3/calendars/MY_CLIENT_ID/events?accesstoken=ACCESSTOKEN
Notice that the first request used key and the second used accesstoken.
Anwser
Your problem is that you are sending a client secret as an api key which will not work because first of all a client secret is not an api key and second events are private user data which will require that you authenticate your user first.
I want to validate LinkedIn Company is exists or not using LinkedIn API. I have used this link But that shows
{
"errorCode": 0,
"message": "Unknown authentication scheme",
"requestId": "JU7WN815MA",
"status": 401,
"timestamp": 1464156122597
}
Note: I have created the app in this link
I got only Client ID and Client Secret.
I followed this link too.
How to get access token, Secret Key and all.
You need to follow the steps outlined on the LinkedIn developer website to acquire an OAuth 2.0 access token that will then let you make the API call.
More details here: https://developer.linkedin.com/docs/oauth2
I am searching the google plus with api
Here is my Url:
https://www.googleapis.com/plus/v1/activities?query=internet%20marketing&access_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
here is response:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "insufficientPermissions",
"message": "Insufficient Permission"
}
],
"code": 403,
"message": "Insufficient Permission"
}
}
Here is my API CONSOLE screen http://i.stack.imgur.com/jO27J.png
Can Anyone tell what permission I need to setup for my app in api console. ?
This is a problem with your access token, not with your project configuration.
The insufficient permissions error is returned when you have not requested the scopes you need when you retrieved your access token. At a guess, since you are using the Google+ API and the YouTube API, you may have only requested the YouTube scope and not both, ie:
Check you have requested both:
https://www.googleapis.com/auth/youtube
https://www.googleapis.com/auth/plus.login
and not just the first one.
You can check which scopes you have requested by passing your access_token to this endpoint:
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ACCESS_TOKEN
I can't check the token in your example because it has expired (access tokens expire after one hour). Also, please do not post access tokens publicly as they allow others access to your data - they should be kept secret and treated with care.
Incidentally, https://www.googleapis.com/plus/v1/activities?query=QUERY is an unauthenticated call, so you could pass your API key for your project rather than an access token. If you make the call with https://www.googleapis.com/plus/v1/activities?query=QUERY&key=API-KEY, then you wouldn't need to request scopes or fetch an access token at all.
If you haven't seen it already, you can try out the API calls you would like to make at the OAuth 2.0 Playground:
https://developers.google.com/oauthplayground/
That's a good place to see what works and what doesn't.
According to #Lee answer, now the Google V3 OAuth AccessToken validating endpoint is:
https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=<access_token>
You can refer google document below: (In OAUTH 2.0 ENDPOINTS Tab)
https://developers.google.com/identity/protocols/OAuth2UserAgent#validate-access-token
JavaScript
var OAUTH2_SCOPES = [
'https://www.googleapis.com/auth/youtube',
https://www.googleapis.com/auth/plus.login
];
to retrieve comments from the YouTube API add https://www.googleapis.com/auth/plus.login this into OAUTH2_SCOPES array