Insufficient authentication scopes error using Google API - google-api

I set up Google SDK to use Google API with Application Default Credentials. For my local machine, created a credentials json file and set its path as GOOGLE_APPLICATION_CREDENTIALS as environment variable. This is worked as expected without a problem.
However, when the app is deployed to Google Cloud VM, it throws the following error:
[Google_Service_Exception]
{
"error": {
"code": 403,
"message": "Request had insufficient authentication scopes.",
"errors": [
{
"message": "Request had insufficient authentication scopes.",
"domain": "global",
"reason": "forbidden"
}
],
"status": "PERMISSION_DENIED"
}
}
According to the documentation, the built-in service account should be associated with the virtual machine instance. To make it work, I tried to use credentials json file as I did on local machine (which worked fine) but it didn't work either.
To note, the error message is about scopes but not auth problem. What to do to make it work on Compute Engine VM instance?
To give client initialisation code:
$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->addScope(Google_Service_Pubsub::PUBSUB);

Update
Now it is supported. You have to stop instance in order to change API scope.
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes
Original answer
It turned out that I had to enable Cloud API access scope for the services on Google Cloud Console for VM instance details: https://console.cloud.google.com/compute/instances
Unfortunately, I couldn't changed it because Google Cloud doesn't support it for now. I had to start a new instance to enable a service API access.
https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/13101552-ability-to-change-cloud-api-access-scopes-on-launc

It is possible now. Your instance must be stopped and then it can have its scope list changed from the console in the edit vm page, or in the SDK by using :
gcloud compute instances stop [vmname]
gcloud beta compute instances set-scopes [vmname] --scopes="[scopes list]"
Just be aware that with the SDK way, the second command will reset with the scopes in the list. It is not currently available the ability to only append a new scope.

Related

Azure AD enterprise application provisioning

I am facing issues while provisioning Java application in Azure AD enterprise application. I have created SCIM api as per the azure documents but still I am getting below error.
Error code: SystemForCrossDomainIdentityManagementCredentialValidationUnavailable
Details: We received this unexpected response from your application: An HTTP/404 Not Found response was returned rather than the expected HTTP/200 OK response. To address this issue, ensure that the tenant URL is correct. The tenant URL is usually in a format like: https://<>/scim. If this does not resolve the issue, contact the application developer to ensure their SCIM endpoint conforms with the protocol https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2 Please check the service and try again.
You would need to ensure your response is formatted like in section 3.4.2 for the RFC
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": 0,
"Resources": [],
"startIndex": 1,
"itemsPerPage": 20
}
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#response-3

Try this API for Logging API returns "PERMISSION_DENIED"

I am trying to test the Google Cloud Logging API on the "Try this API" feature that Google Cloud Platform has on their documentation, but I get this response back:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I know that my response body is correct because it works with OAuth 2.0 but fails when I use API Key.
Auth 2.0:
Working request using OAuth 2.0
API Key:
Non-Working request using API Key
Google docs says that they generate their own API Key for this "Try this API" feature. https://developers.google.com/explorer-help/
Since Google is using their own API Key, I do not understand why I am getting a response status of PERMISSION_DENIED.
Edit:
Here is a link to the Try this API feature in Google Cloud Platform if you would like to give it a try. https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/write?apix_params=%7B%22resource%22%3A%7B%22entries%22%3A%5B%7B%22logName%22%3A%22projects%2F%5BPROJECT_ID%5D%2Flogs%2Frequests%22%2C%22resource%22%3A%7B%22type%22%3A%22http_load_balancer%22%2C%22labels%22%3A%7B%7D%7D%7D%5D%7D%7D
Here is the python request that I am using in my code to create an entry:
import requests
entry = {
"entries": [
{
"logName": "projects/[PROJECT_ID]/logs/requests",
"resource": {
"type": "http_load_balancer",
"labels": {}
}
}
]
}
requests.post('https://logging.googleapis.com/v2/entries:write?key=[YOUR_API_KEY]', data=json.dumps(entry))
The API key was created from my user that has "logs writer", "logs viewer", and "logging admin" permissions. This theoretically should be all the permissions I need to make the post request. However, it is still returning a "PERMISSION_DENIED" status.
Any help would be much appreciated. Thank you in advance.
It looks like you are making a request to write data which isn't publicly writable. API Keys have no concept of user, they are only identifying you are allowed to call an API. So it looks like your API key request is working to the extent it can, but the response is telling you: I don't know who you are so I can't let you do this.
OAuth 2.0 is the solution here, as it acts on behalf of your account (you have to give consent), allowing the API to verify you have permission to take this action.
Service accounts are another option, to act on behalf of your project instead of your user, but they aren't practical from a web UI.

"400: Unsupported service specified, INVALID_ARGUMENT" from Google Cloud Logging API

I am trying to manually write a log entry using Google Cloud Logging API.
Before doing this via code, I am first trying to do it using the Google APIs Explorer. Here is a screen shot of the request I've built using this tool:
In projectsId I have the Google Project Id that I've copied from the
Google Developer Console.
Likewise for metadata.projectId.
In metadata.userId I have the Client Id of the same Service account that I'm using to authenticate (OAuth2) against the Google Logging API.
Google Logging API is enabled for the project.
The Service account belong to the project and has the "Can edit" permission.
I'm 99% sure that I've setup OAuth2 correctly for the request.
When I execute this request, I get the following response:
{
"error":
{
"code": 400,
"message": "Unsupported service specified",
"status": "INVALID_ARGUMENT"
}
}
Why? and how can I fix this?
The error message was actually telling me exactly which argument was invalid - The serviceName I supplied was bogus ("test").
As soon as I set the serviceName to be "compute.googleapis.com", the problem went away and I received a 200 status code indicating success.

Google API returning error accessNotConfigured

I recieve This a google error when using the url directly along with a newly created project (with no other projects listed) I continously get the below error....
{
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "accessNotConfigured",
"message": "Access Not Configured. Please use Google Developers Console to activate the API for your project."
}
],
"code": 403,
"message": "Access Not Configured. Please use Google Developers Console to activate the API for your project."
}
}
I know there have seen a few posts on this subject. and I have followed the instructions listed. I even created new project...
turned on fusion table in console (tried with both only fusion api on and nothering else & standard api
generated public key with the referers *
Consent screen filled out
fusion table Download allowed checked
shared with permission for "anyone with link" is selected
url = https://www.googleapis.com/fusiontables/v1/tables/105Otxh5ltQsKBr-ABqYJ8vBuB6E9Ped2MfXj3AZy/templates?&key=AIzaSyCr_wIc0aEHUG6Pl08kHDYLqWRB_PqZsE0
docid = 105Otxh5ltQsKBr-ABqYJ8vBuB6E9Ped2MfXj3AZy
key = AIzaSyCr_wIc0aEHUG6Pl08kHDYLqWRB_PqZsE0
Just what am I missing. I have the google php api client to use a service account.. but if I cant pull up the tables, query or anything via the base api url then i can move forward... untill then Im stuck. Thank in advance anyone!

Cannot add notification endpoints for Google APIs project

I have an application where I use OAuth2 to grab some info from a users spreadsheet in Google Drive. I have just completed the OAuth2 procedure, which I thought was the challenging part since there are no OAuth2 libraries for xquery, but now I am running into another problem.
I send a GET request to the Google Drive SDK, which I have turned ON in the Google API Console, and get the following output:
{
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "accessNotConfigured",
"message": "Access Not Configured"
}
],
"code": 403,
"message": "Access Not Configured"
}
}
I have found this question which seems to be the cause of my error :Google API returning Access Not Configured but I am unable to complete the solution to my problem which is to " Visit code.google.com/apis/console. First, make sure the service you want is enabled under "Services". Then go to "API Access" and specify your calling domains or IP addresses." When I try to add my domain to the notification endpoints, it doesn't do it.
In addition, I see that it says "Allows webhook notifications to be sent to external domains that are owned by the user. Google verifies that the user does in fact own each of the listed domains via Webmaster Tools" in the box where you add said endpoints. Since I am on an Amazon EC2 instance I am not sure that I will be able to do that. I really hope the fact that I am on an Amazon server is not stopping me from making my app.
Any help would be appreciated, thank you all.
You should enable Drive SDK and Drive API in the API console.

Resources