I have a service account provided by a vendor client
I'm using the .NET API to pull data from their database with the service account they provided
I'm trying to run a simple query "select name from [projectId].[datasetId].[table]"
And I'm getting the following error:
Access Denied: Project [projectId]: User does not have bigquery.jobs.create permission in project [projectId]. [403]
Errors [
Message[Access Denied: Project [projectId]: User does not have bigquery.jobs.create permission in project [projectId].] Location[ - ] Reason[accessDenied] Domain[global]
]
How can I check my service account permissions?
How can I authenticate my service account?
The only way to perform a 'select' is with a job permission?
There are a variety of ways to test IAM permissions on the documentation website. Using curl you would do:
curl -X POST \
-H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d #request.json \
https://cloudresourcemanager.googleapis.com/v1/projects/project-id:testIamPermissions
Although you already know what permissions are missing so you need to ask you vendor client to provide BigQuery access. To add access the instructions are here.
As far as authenticating, you just send the service account json key in or authenticate via SDK, depending on how you are accessing it, but generally you are somehow either sending your json key or pointing out the json key location to the SDK.
There are a number of ways to query BigQuery but all of them are through a "job" which is the query itself being sent in.
Related
I created a public repository within my personal account, created a PAT w/ the workflow permissions checked, but am unable to disable the workflow via the API as I receive a message stating that I must have admin rights to the repository. I believe the PAT has the correct permissions so I’m unsure as to why this isn’t working.
Here is the command I am attempting to use (based on the documentation):
curl -s christronyxyocum:MY-PAT -X PUT -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/MY-USERNAME/MY-REPO/actions/workflows/workflow.yml/disable
I can retrieve information about the workflow without any issues so I believe that I have the correct URL and formatting, etc. I have even tried creating a new PAT with the same permissions and that one experiences the same error.
I have figured this out. Rather than using the username:token format like they show repeatedly in their documentation, you must use the -H "Authorization: bearer TOKEN" header with the curl command.
My script uses a sequence of gcloud commands and of course gcloud is authenticated. I need to use curl to access GCP REST APIs that are not available to gcloud. I can do this by generating a JSON credentials file in the Cloud Console, but I'd rather not do that as a separate manual step.
[Edit: The answer is to replace the gcloud auth string in that curl command with gcloud auth print-access-token. See answer below.]
This is how I do it now, using a JSON file downloaded from the Console.
GOOGLE_APPLICATION_CREDENTIALS=credentials.json
curl -X POST -H "Authorization: Bearer \"$(gcloud auth application-default print-access-token)\"" \
-H "Content-Type: application/json; charset=utf-8" \
https://cloudresourcemanager.googleapis.com/v1/projects/<MY_PROJECT>:getAncestry
Without that downloaded JSON, I get this:
ERROR: (gcloud.auth.application-default.print-access-token)
The Application Default Credentials are not available. They are available if running in Google Compute Engine.
Otherwise, the environment variable GOOGLE_APPLICATION_CREDENTIALS must be defined pointing
to a file defining the credentials. See https://developers.google.com/accounts/docs/application-default-credentials
for more information.
{ "error": {
"code": 401,
"message": "Request had invalid authentication credentials.
Expected OAuth 2 access token, login cookie or other valid authentication credential.
See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
How can I leverage my gcloud authentication to use curl? I don't mind using the JSON if I can automate its generation as part of this script. For example, is there a way to call gcloud to generate this JSON, which I would then set as GOOGLE_APPLICATION_CREDENTIALS?
Once you have the Cloud SDK authenticated, you can use the gcloud auth print-access-token command to get an access token for the current active account, without the need of specifying the path to the JSON credentials file.
You will still need the credentials.json file, if you wish to activate a service account for the Cloud SDK instance. However, I am pretty sure you will only have to do that once.
EDIT:
I noticed you are using the gcloud auth application-default print-access-token.
Keep in mind that, contrary to the gcloud auth print-access-token command, it uses the current Application Default Credential (ADC), which has to be set by specifying the credentials.json file path with the GOOGLE_APPLICATION_CREDENTIALS env variable, or by using the gcloud auth application-default login command.
I have spent a lot if time in the documentation and this Q/A forum but have still not ascertained the information I need/understand. The model that I ham working with does not exactly meld with WSO2IS very well. The programmer is set in their ways and will not budge on change, nothing I can do about that. They are just after the security that is provided by WSO2IS. So here is programmers model, NOT sso.
user->web_site->wso2is authorization->website
It is to have every user login every time. What they want from wso2s is to send user_name, password and company_id and to return valid/invalid id and a set of permission. External id should work well as a claim for the company id.
I have been able to create a user, but not able to add a role for that user and I have not been able to get authorization. I can get some of the information about the user via SCIM : curl -v -k --user admin:admin https://wso2-dev.h3net.com:9443/wso2/scim/Users/d9bef03a-ddcf-44fc-a431-3b71e618b61e
What I need are 3 curl commands via REST like commands
Here's what I have for adding a user : curl -k -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{"user":{"username":"Gomez","realm":"PRIMARY","password":"Password1!","claims":[{"uri":"http://wso2.org/claims/givenname","value":"Gomez"},{"uri":"http://wso2.org/claims/emailaddress","value":"bnpatton#west.com"},{"uri":"http://wso2.org/claims/lastname","value":"Adams"},{"uri":"http://wso2.org/claims/mobile","value":"1234567890"}]},"properties":[]}' "https://wso2-dev.h3net.com:9443/api/identity/user/v0.9/me
This does not show haw to add a role for the user, just claims.
With something like the above, how would I do the following :
1. add roles to a user
2. authorize user when just only have user_name, password and company_id(external_id claim)
3. return permissions with authorization or a separate curl command?
Question 1
You can refer this comment for adding roles to the user using SCIM API.
Question 2
In this case, you can use XACML for claim based authorization. Please refer this blog for the implementation.
Question 3
WSO2IS server is working as policy decision point(PDP). Based on the decision you can access the resource in the resource server.
I am working on ArangoDB 3.1 in stand-alone mode.
We are creating a Foxx API to authenticate the users who are accessing our database and our custom APIs. In order to activate authentication, we added the following statements in the arangod.conf file.
authentication = true
authentication-system-only = true
We created a user in arangosh for the database we are working on. When we log into the web console the username and password worked and we are able to access the database,APIs and also able to create users using the APIs.
But when we try to access using another browser or using curl command we are not able to see the user information. HTTP and curl commands are given below.
http://username:password#ip-address:portno/_db/AdtheorentDB/test-app/whoami
curl --basic --user "username:password" -X GET --header 'Accept: application/json' 'http://ip-address:portno/_db/databasename/test-app/whoami'
What might be the issue ?
The above curl command is obtained from the link given below.
ArangoDB authentication via HTTP
Since a change in the Azure OAuth 2, I've an error:
The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Commerce/RateCard/read' over scope '/subscriptions/xxx'.
I've followed the role-based assignment instructions, added a Reader role for my application to the DefaultResourceGroupResource.
I've also added an Admin role in the appRoles section of my application manifest.
And adding all possible app permissions :
To call the RateCard API, I retrieve a token :
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" "https://login.windows.net/xxx.onmicrosoft.com/oauth2/token" -d "grant_type=client_credentials&client_id=xxx&client_secret=xxx"
And I use it in my request :
curl -H "Authorization: Bearer <token>" "https://management.azure.com/subscriptions/xxxproviders/Microsoft.Commerce/RateCard?api-version=2015-06-01-preview&$filter=OfferDurableId eq 'MS-AZR-0003P' and Currency eq 'USD' and Locale eq 'en-US' and RegionInfo eq 'US'"
But I still have this error.
What should I do to add this authorization to my application ?
Here some screenshot of my app permissions:
After a brief call with the Azure support, they tell me that this kind of permission can't be handled via the portal, it has to be done in PowerShell.
So I had to download a Windows 10 Virtual Machine to run :
Login to Azure account:
Login-AzureRmAccount
Add permission:
New-AzureRMRoleAssignment -ServicePrincipalName "<my-app-id>" -RoleDefinitionName "Reader" -Scope "/subscriptions/<my-subscription-id>"
To check if permissions are assigned correctly:
Get-AzurermRoleAssignment -ServicePrincipalName "<my-app-id>"
I've followed the role-based assignment instructions, added a Reader
role for my application to the DefaultResourceGroupResource.
Instead of giving Reader role permission on an individual resource group, try giving the same permission on the subscription level.
Another thing you could do is create a custom role in your subscription with following permissions:
Microsoft.Commerce/RateCard/read
Microsoft.Commerce/UsageAggregates/read
Then you can assign this custom role to your application.