Google Cloud Logging recently started audit log support for Cloud Identity Access Management(IAM). I am getting the following error when I request audit logs after performing the below activity.
Activity:
Invite a new member to manage a Service Account.
Steps to perform the activity:
Go to Google Developers Console -> Select a project -> Select 'Permissions' from left pane -> Click on 'Service Accounts' -> Select a service account and click on 'Permissions' -> Add a new member, specify role, and click 'Add'.
Error:
{
"error": {
"code": 500,
"message": "Failed to convert response to JSON: Invalid type URL, unknown type: google.iam.v1.logging.AuditData",
"status": "INTERNAL"
}
}
Log entry API is able to fetch logs till this activity and fails to fetch logs for any activities done after this one.
This is a misconfiguration in the logging API backend. The fix should be available next week.
Depending on what you're trying to do, there are a couple ways to work around the problem.
If you want to view the IAM audit log entries, you can use the Activity Stream UI at https://console.developers.google.com/home/activity
If you want to use the API, you can exclude the problematic entries with a filter that includes the snippet below. You can use the same filtering in the logs viewer UI's "advanced filter" mode.
protoPayload.serviceData.#type != "type.googleapis.com/google.iam.v1.logging.AuditData"
The error results from a missing bit of configuration in the component that's responsible for generating JSON from protocol buffers (which are used for storage and transport internally). The Activity Stream works correctly because they get the logs data from Cloud Logging in proto format and use a different component for proto to JSON conversion. The same is true of logging export.
(I'm a Googler working on audit logging)
Related
I am in the process of building a chat bot that will integrate with Teams or Slack. To get started I am using the echo bot template, but I am adding it to an exiting API that I have in my Service Fabric Cluster.
When running the application locally, I can connect to it fine from the Bot Emulator, but when I deploy it to my Azure channel registration, and test it in the web chat I get:
There was an error sending this message to your bot: HTTP status code Unauthorized.
I am setting the AppID and Password and they are saved and being retrieved from KeyVault, and I throw an exception at startup if either of the values are blank (which is not the case).
I set it as follow:
services.AddBot<EchoBot>(options =>
{
options.CredentialProvider = new SimpleCredentialProvider(Configuration["MicrosoftAppId"], Configuration["MicrosoftAppPassword"]);
options.OnTurnError = async (context, exception) =>
{
ServiceEventSource.Current.Message(exception.Message);
await context.SendActivityAsync("Sorry, it looks like something went wrong.");
};
});
I have added a teams channel, where the error does not occur, but the message never reaches the server.
The service is reachable and the controller allows unauthorized credentials while this is in testing.
Solved my own issue.
It turns out that if you are using a self signed certificate, then this could occur, as per Microsofts documents found here -
If one or more error(s) are indicated in the chat window, click the error(s) for details. Common issues include:
The emulator settings specify an incorrect endpoint for the bot. Make sure you have included the proper port number in the URL and the proper path at the end of the URL (e.g., /api/messages).
The emulator settings specify a bot endpoint that begins with https. On localhost, the endpoint should begin with http.
In the emulator settings, the Microsoft App ID field and/or the Microsoft App Password do not contain valid values. Both fields should be populated and each field should contain the corresponding value that you verified in Step 2.
Security has not been enabled for the bot. Verify that the bot configuration settings specify values for both app ID and password.
Lessons Learnt
Read the doc's
When you get frustrated, calm down and read the doc's
Following the steps for creating incoming webhooks via add to slack button. The final response will look like this:
{
"access_token": "xoxp-XXXXXXXX-XXXXXXXX-XXXXX",
"scope": "incoming-webhook,commands,bot",
"team_name": "Team Installing Your Hook",
"team_id": "XXXXXXXXXX",
"incoming_webhook": {
"url": "https://hooks.slack.com/TXXXXX/BXXXXX/XXXXXXXXXX",
"channel": "#channel-it-will-post-to",
"configuration_url": "https://teamname.slack.com/services/BXXXXX"
},
....
}
This provides access to team_name, channel the webhook will post to, and a url for configuration.
While this is working great and after initially storing the 'configuration' to my own webapp it displays correctly. But after a someone uses the 'configuration_url' link from the response these previous values like the channel could become obsolete. For example the webhook could be deleted from this link.
My Question is:
Is there a way to reflect this changes in my external app? As far as I can see there is no way to query information for 'incoming webhooks' via an api call from an external web application?
I also could not find any api calls that could change webhook configuration directly without using the provided link.
Its not possible to change the webhook configuration after it is created. The only possible change is that the workspace that installed your Slack app (which contains the webhook) is uninstalled.
If that happens the webhook will no longer work and you will get an error in response.
You can also get notified when you app is uninstalled by listening to the app_uninstalled event.
Or you can also test if your app and webhook is still valid by checking the token you received during the Add to Slack process. Just call the API method auth.test with that token. If it returns the following error than the webhook is no longer valid:
{
"ok": false,
"error": "invalid_auth"
}
I am trying to manually write a log entry using Google Cloud Logging API.
Before doing this via code, I am first trying to do it using the Google APIs Explorer. Here is a screen shot of the request I've built using this tool:
In projectsId I have the Google Project Id that I've copied from the
Google Developer Console.
Likewise for metadata.projectId.
In metadata.userId I have the Client Id of the same Service account that I'm using to authenticate (OAuth2) against the Google Logging API.
Google Logging API is enabled for the project.
The Service account belong to the project and has the "Can edit" permission.
I'm 99% sure that I've setup OAuth2 correctly for the request.
When I execute this request, I get the following response:
{
"error":
{
"code": 400,
"message": "Unsupported service specified",
"status": "INVALID_ARGUMENT"
}
}
Why? and how can I fix this?
The error message was actually telling me exactly which argument was invalid - The serviceName I supplied was bogus ("test").
As soon as I set the serviceName to be "compute.googleapis.com", the problem went away and I received a 200 status code indicating success.
In my Android project, I am trying to connect to the Worklight server (CLI) but after the client.Connect() method call, when I look at the task result, it has an error message saying Error retrieving device data and HTTP status 500. However, I can see the activity count increasing in the Analytics portal.
I am following the sample that comes along with the Xamarin Worklight SDK. All I did was changing the Realm to another one and stripped out irrelevant methods and kept the ConnectAsync & Connect methods alone.
If I run the Worklight sample application that comes along with the SDK, I don't see this error in the task. It gets back a HTTP 200 and everything looks good.
Here is the code, for clarity sake.
private async Task<WorklightResponse> Connect()
{
//lets send a message to the server
client.Analytics.Log("Trying to connect to server", metadata);
ChallengeHandler customCH = new CustomChallengeHandler(appRealm);
client.RegisterChallengeHandler(customCH);
WorklightResponse task = await client.Connect();
//lets log to the local client (not server)
client.Logger("Xamarin").Trace("connection");
//write to the server the connection status
client.Analytics.Log("Connect response : " + task.Success);
return task;
}
This probably has to do with you Android app permissions. Edit your Android project options. In the Android Application->Required Permissions list, select the appropriate permissions. For example, one of my apps requires:
AccessNetworkState
AccessWiFiState
GetAccounts
Internet
UseCredentials
WakeLock
WriteExternalStorage
I have received the same error message without the appropriate permissions. Your list may vary depending on requirements.
By default, the SubscribeServlet is tied to a rejectAll login module which rejects all login requests. If you have not changed the login module, then this is probably why you're seeing your login rejected.
Try changing the login module to a different one if you're using the rejectAll login module
Background...
I'm exploring Parse.com as a back end for an iOS app that also has an html/web browser interface for some users (either via javascript client or asp.net client - to be determined). The web users are 'an audience' for the data/files the app users prepare in the app. They are not the same people.
I need to lock down access to objects in the database (no public access read or write) so I plan to set up an admin user belonging to an administrators role and create an app_users role applying class-level permissions to the various classes accordingly.
Then for my iOS app, using the anonymous users add them to the app_Users role, setting up a default ACL for object level permissions and interact with the data model accordingly.
The app creates PDF files and stores as PFFile objects and I want these to have no public read or write access too. these docs are what will be accessible via the web client.
So...
I don't think i want to use PFUsers for each potential user accessing via a web client -don't want it to over engineered. So I figured send params to Cloud Code (with useMasterKey()) to first return a list of file meta data to present to the user - this works well - I can return the PFFile url or objectId, doc name, file type and size...
The challenge...
Next I'd need to build a Cloud Code function which given objectId or a url will fetch the PDF file and return it in a way my web page can display it to the user.
I've seen a few examples in the Networking section of the docs looks like it might be possible but I can seem to join the dots.
Hope that makes sense - any thoughts?
Edit: Added Code
The code I've been looking at works for text/html - is it possible to response a PDF or binary
Parse.Cloud.httpRequest({
url:'example.com/file.pdf',
 success: function(httpResponse) {
console.log(httpResponse.text);
},
error: function(httpResponse) {
console.error('Request failed: ' + httpResponse.status);
});