Google Vision API - Access Denied on files in my bucket - api

I have the following problem with the Google Vision API accessing my bucket files.
Steps:
Server to Server OAuth2 with service account for file uploads --> Scope is https://www.googleapis.com/auth/devstorage.read_write
Uploading files to my bucket (no ACL active, activated public access for testing) --> files uploaded successful
Server to Server OAuth2 with service account for Vision processing --> Scope is https://www.googleapis.com/auth/cloud-vision and https://www.googleapis.com/auth/devstorage.read_write
Starting Vision Job (https://eu-vision.googleapis.com/v1/files:asyncBatchAnnotate)
Response:
403
Error opening file: gs://mybucketname/myfile.tif
PERMISSION_DENIED
Service account is the same for both OAuth2 requests.
Both OAuth2 requests were successful und returns an AccessToken.
Vision API is activated.
Any ideas what the problem is?
Best regards!

I was having the same issue and could only solve it by using cloud-platform scope. With just cloud-vision and devstorage.read_write it's still missing something, I'm not sure what.

Related

Anyone know how to fix the new OAuth2 error when trying to authenticate a PyDrive application?

I don't think this issue is specific to PyDrive, but rather Google OAuth. However, some of the solutions I've seen on stackoverflow don't seem to be transferable over to my PyDrive application, which is just a python script to upload files programmatically to a shared drive. It worked fine 2 months ago but I tried to rerun it today and it's not working. Here is the error I'm getting:
Authorisation Error
Error 400: invalid_request
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.
You can let the app developer know that this app doesn't comply with one or more Google validation rules.
Request Details
The content in this section has been provided by the app developer. This content has not been reviewed or verified by Google.
If you’re the app developer, make sure that these request details comply with Google policies.
redirect_uri: urn:ietf:wg:oauth:2.0:oob
I am using a web application OAuth 2.0 Client ID creds on GCP. All secrets are stored in a local client_secrets.json file.
I run my script, it sends a message to the console that says
Go to the following link in your browser:
https://accounts.google.com/o/oauth2/auth?client_id=blahblahblah.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive&access_type=offline&response_type=code
Enter verification code:
How it used to work: After I click the link above, it returns a code I paste into the console and then its authenticated. FYI: I plan on running this 24/7 on a remote server.
Now: I click the link above and get the error I posted above. I've tried to change the redirect uri to 127.0.0.1 and it does allow me to auth, then I get a code in my URL, but once I copy that and paste it into the console, I get more errors.
Anyone know the solution for this?

Trying to access GCS bucket but getting a `403 - Forbidden` error message

I'm hoping to get help with the right permission settings for accessing my files from a Colab app.
Goal
I'd like to be able to access personal images in a CGS bucket from a Colab python notebook running the "Style Transfer for Arbitrary Styles" demo of Tensorflow.
Situation
I setup a GCS bucket, made it public, and was able to retrieve files and use them in the demo.
To avoid having the GCS bucket publicly accessible, I removed allUsers and changed to my account/email that's tied to both Colab and GCS.
That caused the following error message:
Error Messages
Exception: URL fetch failure on https://storage.googleapis.com/01_bucket-02/Portrait-Ali-02-PXL_20220105_233524809.jpg: 403 -- Forbidden
Other Approaches
I'm trying to understand how I should approach this.
Is it a URL problem?
The 'Authenticated URL' caused the above 403 error.
https://storage.cloud.google.com/01_bucket-02/Portrait_82A6118_r01.png
And the gsutil link:
gs://01_bucket-02/Portrait_82A6118_r01.png
Returned this error message:
Exception: URL fetch failure on gs://01_bucket-02/Portrait_82A6118_r01.png: None -- unknown url type: gs
Authentication setup
For IAM
I have a service account in the project, as well as my user account (email: d#arrovox.com) that's tied to both the Colab and GCP accounts.
The Service Account role is Storage Admin.
The Service Account has an inheritance from the Project.
My user account, my email, is Storage Object Viewer
Assessment
Seems like the Authenticated URL is the right one, and it's a permissions issue.
Is this just about having the right permissions set in GCS, or do I need to call anything in the code before trying to return the image at the GCS URL?
I'd greatly appreciate any help or suggestions in how to troubleshoot this.
Thanks
doug
storage.objects.get is the demand for viewing files from GCS, but it looks like your user account or email already has the right permission.
How should I know my account has the right permission?
I think there's a simple solution to figure it out.
copy your Authenticated URL
Paste on any website and search.
If your current account doesn't have the right permission, that will return #Gmail-account does not have storage.objects.get access to the Google Cloud Storage object.
Or you can visit permission of bucket details to check are your email and service over there and have the right role.

Apache nifi getTwitter Processor returning 403 forbidden

I want to use Apache Nifi to track real time tweets
i pasted in my keys correctly but all requests return this error :
19:15:20 UTC ERROR
GetTwitter[id=59b5cb18-017e-1000-a6a2-991a653ec138] Received error HTTP_ERROR: HTTP/1.1 403 Forbidden. Will attempt to reconnect
i dont know where the problem is from.
thank you.
403 Forbidden means the Twitter API is rejecting your request - your access keys could be incorrect, or you might not have the right access rights for the endpoint you're accessing.
The request is understood, but it has been refused or access is not allowed. An accompanying error message will explain why.
Check that your developer account includes access to the endpoint you’re trying to use. You may also need to get your App allowlisted (e.g. Engagement API or Ads API) or sign up for access.
From https://developer.twitter.com/en/support/twitter-api/error-troubleshooting
Make sure you follow the advice from Twitter here and make note of:
With Essential access, you are only able to make requests to the Twitter API v2 endpoints, and not the v1.1 or enterprise endpoints. You are limited to 500K Tweets/month, and unable to take advantage of certain developer portal functionality such as teams and access to additional App environments
There are limits on what you can do with the Essential access level. See here.
If that doesn't help - please include a screenshot of your GetTwitter config and your version of NiFi.
If it raises 403 error while using GetTwitter processor in nifi.
API Key & consumer key aren't only a problem. Change the Twitter endpoint field while configuring the GetTwitter processor from
Filter Endpoint
to
Firehose Endpoint
In the field of twitter endpoint
Probably this will work!!

Google Analytics Reports Embed API returns 403 error

I just started to learn about Google Analytics Embed API from "https://developers.google.com/analytics/devguides/reporting/embed/v1/getting-started"
I followed their example, and deployed my HTML file onto local Tomcat server hosting at port 8080. I've added everything they mentioned including the whitelists for the host origin etc, provided my OAuth 2.0 key
when I hit my HTML page and logged in with google, I keep on getting 403 error when requesting for "https://content.googleapis.com/analytics/v3/management/accountSummaries?max-results=0&_src=embed-api%3Av1"
Anybody has any suggestions where I might have gone wrong?
p.s. the only thing I see on my page after login with Google is "You are logged in as: ***********#gmail.com"
Thanks,
Shen
Upon checking your link, I can see that the error code is 401. Regarding that error, you can check this SO thread.
I think you need to set up a service account as advised in answer.
By setting up a service account in Google apis console it will
allow you to access your own data with out needing to login and
autenticate the code all the time.

OneDrive for Business API item/file download content 401

My question seems similar to OneDrive for Business REST API - PUT,POST - 401 Unauthorized
However, instead of uploading, I am trying to download a file. What's strange is that I do get the file contents and data, but the response code is a 401.
Any idea why? Of course, I would like to be receiving a 200 and not have to ignore the response code.
As far as my Azure AD app permissions go, I am allowing pretty much all read permissions under delegated permissions for Office 365. I have listed all the permissions I selected here, for your reference.
Delegated Permissions I am allowing for Office 365:
Read managed metadata
Run search queries as a user
Read items in all site collections
Read user files
Delegated Permissions I am allowing for Windows Azure Active Directory:
Enable sign-on and read users' profiles
I have not enabled anything under Application Permissions.
There is a bug in our implementation - if you provide an Authorization: header with a bearer token on the download URL (which is pre-authenticate) the service rejects the authentication (hence the 401) but since the URL is pre-authenticated, the contents of the file are still sent.
We're working on a fix. You can track the status by watching this issue on our GitHub repo: https://github.com/OneDrive/onedrive-api-docs/issues/189