I am trying to manually write a log entry using Google Cloud Logging API.
Before doing this via code, I am first trying to do it using the Google APIs Explorer. Here is a screen shot of the request I've built using this tool:
In projectsId I have the Google Project Id that I've copied from the
Google Developer Console.
Likewise for metadata.projectId.
In metadata.userId I have the Client Id of the same Service account that I'm using to authenticate (OAuth2) against the Google Logging API.
Google Logging API is enabled for the project.
The Service account belong to the project and has the "Can edit" permission.
I'm 99% sure that I've setup OAuth2 correctly for the request.
When I execute this request, I get the following response:
{
"error":
{
"code": 400,
"message": "Unsupported service specified",
"status": "INVALID_ARGUMENT"
}
}
Why? and how can I fix this?
The error message was actually telling me exactly which argument was invalid - The serviceName I supplied was bogus ("test").
As soon as I set the serviceName to be "compute.googleapis.com", the problem went away and I received a 200 status code indicating success.
Related
I'm just starting to use GraphCDN with GraphQL and there's something that I don't understand. I set up my service as detailed in the documentation and now I have **.graphcdn.app/ caching my original https://***.com/graphql
Now to test I'm trying the new endpoint. But while some endpoints are open and need no authentication on my graphql api, the same endpoint would give the error:
{
"error": {
"message": "This endpoint requires you to be authenticated.",
"documentation_url": "https://docs.github.com/graphql/guides/forming-calls-with-graphql#authenticating-with-graphql"
}
}
in GraphCDN. Any ideas on how I can get around this, or what am I doing wrong?
It sounds like you created a service that proxies through to the GitHub GraphQL API, hence why the API responds with a "This endpoint requires you to be authenticated" error that has a docs.github.com link in it.
In order to point it at your own GraphQL API (which doesn't require authentication), change the "Origin URL" in your service's settings to the URL of your GraphQL API:
We're happy to help further with that, feel free to reach out to our excellent customer success team via the chat bubble on the dashboard anytime!
Source: I'm one of the cofounders of GraphCDN.
I am facing issues while provisioning Java application in Azure AD enterprise application. I have created SCIM api as per the azure documents but still I am getting below error.
Error code: SystemForCrossDomainIdentityManagementCredentialValidationUnavailable
Details: We received this unexpected response from your application: An HTTP/404 Not Found response was returned rather than the expected HTTP/200 OK response. To address this issue, ensure that the tenant URL is correct. The tenant URL is usually in a format like: https://<>/scim. If this does not resolve the issue, contact the application developer to ensure their SCIM endpoint conforms with the protocol https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2 Please check the service and try again.
You would need to ensure your response is formatted like in section 3.4.2 for the RFC
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": 0,
"Resources": [],
"startIndex": 1,
"itemsPerPage": 20
}
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#response-3
I am trying to test the Google Cloud Logging API on the "Try this API" feature that Google Cloud Platform has on their documentation, but I get this response back:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I know that my response body is correct because it works with OAuth 2.0 but fails when I use API Key.
Auth 2.0:
Working request using OAuth 2.0
API Key:
Non-Working request using API Key
Google docs says that they generate their own API Key for this "Try this API" feature. https://developers.google.com/explorer-help/
Since Google is using their own API Key, I do not understand why I am getting a response status of PERMISSION_DENIED.
Edit:
Here is a link to the Try this API feature in Google Cloud Platform if you would like to give it a try. https://cloud.google.com/logging/docs/reference/v2/rest/v2/entries/write?apix_params=%7B%22resource%22%3A%7B%22entries%22%3A%5B%7B%22logName%22%3A%22projects%2F%5BPROJECT_ID%5D%2Flogs%2Frequests%22%2C%22resource%22%3A%7B%22type%22%3A%22http_load_balancer%22%2C%22labels%22%3A%7B%7D%7D%7D%5D%7D%7D
Here is the python request that I am using in my code to create an entry:
import requests
entry = {
"entries": [
{
"logName": "projects/[PROJECT_ID]/logs/requests",
"resource": {
"type": "http_load_balancer",
"labels": {}
}
}
]
}
requests.post('https://logging.googleapis.com/v2/entries:write?key=[YOUR_API_KEY]', data=json.dumps(entry))
The API key was created from my user that has "logs writer", "logs viewer", and "logging admin" permissions. This theoretically should be all the permissions I need to make the post request. However, it is still returning a "PERMISSION_DENIED" status.
Any help would be much appreciated. Thank you in advance.
It looks like you are making a request to write data which isn't publicly writable. API Keys have no concept of user, they are only identifying you are allowed to call an API. So it looks like your API key request is working to the extent it can, but the response is telling you: I don't know who you are so I can't let you do this.
OAuth 2.0 is the solution here, as it acts on behalf of your account (you have to give consent), allowing the API to verify you have permission to take this action.
Service accounts are another option, to act on behalf of your project instead of your user, but they aren't practical from a web UI.
I set up Google SDK to use Google API with Application Default Credentials. For my local machine, created a credentials json file and set its path as GOOGLE_APPLICATION_CREDENTIALS as environment variable. This is worked as expected without a problem.
However, when the app is deployed to Google Cloud VM, it throws the following error:
[Google_Service_Exception]
{
"error": {
"code": 403,
"message": "Request had insufficient authentication scopes.",
"errors": [
{
"message": "Request had insufficient authentication scopes.",
"domain": "global",
"reason": "forbidden"
}
],
"status": "PERMISSION_DENIED"
}
}
According to the documentation, the built-in service account should be associated with the virtual machine instance. To make it work, I tried to use credentials json file as I did on local machine (which worked fine) but it didn't work either.
To note, the error message is about scopes but not auth problem. What to do to make it work on Compute Engine VM instance?
To give client initialisation code:
$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->addScope(Google_Service_Pubsub::PUBSUB);
Update
Now it is supported. You have to stop instance in order to change API scope.
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes
Original answer
It turned out that I had to enable Cloud API access scope for the services on Google Cloud Console for VM instance details: https://console.cloud.google.com/compute/instances
Unfortunately, I couldn't changed it because Google Cloud doesn't support it for now. I had to start a new instance to enable a service API access.
https://googlecloudplatform.uservoice.com/forums/302595-compute-engine/suggestions/13101552-ability-to-change-cloud-api-access-scopes-on-launc
It is possible now. Your instance must be stopped and then it can have its scope list changed from the console in the edit vm page, or in the SDK by using :
gcloud compute instances stop [vmname]
gcloud beta compute instances set-scopes [vmname] --scopes="[scopes list]"
Just be aware that with the SDK way, the second command will reset with the scopes in the list. It is not currently available the ability to only append a new scope.
I have an application where I use OAuth2 to grab some info from a users spreadsheet in Google Drive. I have just completed the OAuth2 procedure, which I thought was the challenging part since there are no OAuth2 libraries for xquery, but now I am running into another problem.
I send a GET request to the Google Drive SDK, which I have turned ON in the Google API Console, and get the following output:
{
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "accessNotConfigured",
"message": "Access Not Configured"
}
],
"code": 403,
"message": "Access Not Configured"
}
}
I have found this question which seems to be the cause of my error :Google API returning Access Not Configured but I am unable to complete the solution to my problem which is to " Visit code.google.com/apis/console. First, make sure the service you want is enabled under "Services". Then go to "API Access" and specify your calling domains or IP addresses." When I try to add my domain to the notification endpoints, it doesn't do it.
In addition, I see that it says "Allows webhook notifications to be sent to external domains that are owned by the user. Google verifies that the user does in fact own each of the listed domains via Webmaster Tools" in the box where you add said endpoints. Since I am on an Amazon EC2 instance I am not sure that I will be able to do that. I really hope the fact that I am on an Amazon server is not stopping me from making my app.
Any help would be appreciated, thank you all.
You should enable Drive SDK and Drive API in the API console.