all.need your help there~
In GCP vm instance, i use nodejs write code,try to access dataset, I want use email account, and try this way to set account:
//in linux run commond to set the account
var exec = require('child_process').exec;
var cmdStr = 'gcloud config set account email#mmm.com';
exec(cmdStr, function (err, stdout, srderr) {
if(err) {
console.log(err);
} else {
console.log(out);
}
});
and when I run it, it uses a service account to access a big query.
Anyone can help me to switch the account from the service account to an email account?
Running ‘gcloud config set account email#mmm.com’ “sets the specified property in your active configuration” and does NOT authenticate your Cloud SDK with email#mmm.com.
You can authenticate Cloud SDK by executing ‘gcloud auth init’ from the command line. For more information please refer to documentation. Note that this does not authenticate the BigQuery API as explained below, instead this authenticates the GCloud SDK command line tools such as bq command line and gcloud commands.
To authenticate your Google Cloud API calls, you need to use a service account key. Please refer to steps 3-4 in documentation for detailed steps on achieving this in node.js.
You cannot authenticate API calls with an email account. The workaround is to use service account impersonation, please refer to documentation for further explanation.
Related
I've been tryin to setup an external login with amazon to integrate prime gaming for my web app in asp net core 3.1. I've been following this Amazon Prime Gaming Integration. I have been successfully stored the amazon userId, its token, refresh token and expires in into my database. However, I'm unable to call a post API request to /api/account/link to sync up my account according to this document. I am getting an error with message: Not all permissions are authorized. I did a bit research and it mentioned in another document link (Tips-Troubleshoot) that I need to set both scopes to games::prime and profile (I only had profile set before).
However, when adding games::prime scope, I get an exception for invalid scope: invalid_scope;Description=An unknown scope was requested
I'm using AspNet.Security.OAuth.Amazon to help with the external login with amazon, and this is the code that I have in my Startup.cs file
services.AddAuthentication()
.AddAmazon(o =>
{
o.ClientId = clientId;
o.ClientSecret = clientSecret;
o.Scope.Add("profile");
o.Scope.Add("games::prime");
o.SaveTokens = true; // get access token and refresh token
o.AccessDeniedPath = new PathString("/Home/WebAppSetting");
})
If I remove games::prime from the scope, then everything works but then I will get an error message Not all permissions are authorized
Can anyone please tell me what I'm missing and not doing correct in here ? I have been searching for amazon documents on their sites, but seems like there is nothing useful there.
Thank you
It turned out that in order to use scope games::prime, you need to contact amazon team to have them unblock that for you. This is not mentioned at all in the push integration documentation.
I am trying to call a google cloud function on the In Contact Studio to fulfill a logic in my IVR Call, but I am unable to do that as I have closed public access to my cloud function, and now I am not getting a way how to authenticate the call.
I tried using the command gcloud auth print-identity-token to get a ID_TOKEN But this ID_TOKEN will be refreshed every time and I can't use this again and again, so is there any way that I can generate a ID_TOKEN every time I try to call this function using a simple API Call??
OR
Is there any other way to solve my problem?
Ways I have Tried :-
I have gone through this Documentation:- https://cloud.google.com/functions/docs/securing/authenticating#end-users
and I was using the access style of End-User But it is a way in which the access token was getting generated via login using browser, I want to do everything via code, cause it will be used as a backend code for IVR(call facility for assistance in various tasks), in this method also we get a access token and not a ID_TOKEN, whereas to invoke a function we need a ID_TOKEN and not a access token.
Secondly I tried the gcloud auth print-identity-token command on the google cloud shell where i was logged in with my google account so it generated the JWT token and I used it as a bearer token and the function worked, but how can I generate the token outside GCP or get the on frequent intervals via code.
I want a program way(NodeJS) of doing this and not a UI way, cause I need to attach this with backend of my program, and all the ways I have gone through on the internet have the only way is through UI, and none of them have a program way for outside GCP environment, so i need help on this scenario.
As John said, you can use the Google Doc code example to perform an URL call: The library generate a secure HTTP client to generate request to your endpoint.
If you want to generate the token and use it by yourselve, you can use this piece of code
const {GoogleAuth} = require('google-auth-library');
const auth = new GoogleAuth()
auth.getIdTokenClient("").then(client => {
client.idTokenProvider.fetchIdToken("audience").then(token => {
console.log(token)
})
})
I've got a .net core application running on the server and I would like to store my app data directly on Google Drive. I use regular Google account for it with Google Drive API enabled (it seems to be enabled) and service account with credentials stored in json file. Here's code to create Google Drive service in my application:
private DriveService CreateDriveServiceClient() => new DriveService(
new BaseClientService.Initializer()
{
HttpClientInitializer = new ServiceAccountCredential(
new ServiceAccountCredential.Initializer(this.config.ClientEmail)
{
Scopes = new string[]
{
DriveService.Scope.DriveAppdata,
},
}.FromPrivateKey(this.config.PrivateKey))
});
It uses scope https://www.googleapis.com/auth/drive.appdata, which leads to string drive.appdata
However I get the following error:
Insufficient Permission: Request had insufficient authentication scopes.] Location[ - ] Reason[insufficientPermissions] Domain[global]
when trying to acces at least client.Drives.List().Execute();
It seems to me that I need to add a role to access drive.appdata scope. But I can't find an appropriate role in Google console, neither I can't find this scope when creating a new role for service account
How can I add permissions to service account to use Google Drive?
According to the Google Drive API v3 documentation:
This request requires authorization with at least one of the following scopes:
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/drive.readonly
Therefore, if you want to be able to use the Drive API properly, you should change the scope to one of those provided above.
You can also test the API on the Google Drive API v3 here.
Furthermore, I suggest you check these links for more information:
Google Drive API v3;
OAuth2.0 Playground.
I need to ask user for a password each time he using Google OAuth.
There was an option I have used "max_auth_age", but it stops working.
Is there any replacement for this option. If not - could you please suggest where can I submit something like "feature request" to Google to restore this feature.
Thanks.
UPD
I have read possible duplicate topic and tried to use max_age instead max_auth_age. It did not help.
p.s I know that the main idea of OAuth2 not to use any passwords prompts, but its customer requirement. He is afraid that person, who not allowed to use system can have access on shared computer if someone forgot to logout from Gmail.
Aside from BCM and ehsan s' concerns, it is possible to revoke access to your application AND ask for a password on subsequent login attempts.
Following is a NodeJS example with googleapis, but is simple enough to work for all applications:
const google = require('googleapis').google;
const oauth2Client = new google.auth.OAuth2(
'client_id',
'client_secret',
'redirect_uri'
);
// Sign-in code (omitted) here
async function signOut() {
return await oauth2Client.request({
url: 'https://accounts.google.com/Logout',
method: 'GET'
});
}
Unlike oauth2Client.revokeCredentials, requesting https://accounts.google.com/Logout will make google ask for password on subsequent sign-in attempts.
Bare in mind that this request will sign the user out of all google services on the client.
This wont affect other clients on the device however - i.e. sign-out of NodeJS app will not cause the user to be logged out of gmail in Chrome browser running on the same machine and under the same user.
Hope this helps :)
I am using the bq command line tool to query from a Bigquery table. Is there a way to get the service account authentication to persist when I logged in and out of the box that the query process is running on?
Steps I did:
I logged into the linux box
Authenticate service account by running:
gcloud auth activate-service-account --key-file /somekeyFile.p12 someServiceAccount.gserviceaccount.com
Query from bigquery table, this works fine:
bq --project_id=formal-cascade-571 query "select * from dw_test.clokTest"
But then I logged out from the box, and logged back in. When I query the Bigquery table again:
bq --project_id=formal-cascade-571 query "select * from dw_test.clokTest"
It gives me the error:
Your current active account [someServiceAccount.gserviceaccount.com] does not have any valid credentials.
Even when I pass in the private key file:
bq --service_account=someServiceAccount.gserviceaccount.com --service_account_credential_file=~/clok_cred.txt --service_account_private_key_file=/somekeyFile.p12 --project_id=formal-cascade-571 query "select * from dw_test.clokTest"
It gives the same error:
Your current active account [someServiceAccount.gserviceaccount.com] does not have any valid credentials.
So every time I need to re-authenticate my service account by:
gcloud auth activate-service-account
Is there a way to have the authenticated service account credential persist?
Thank you for your help.
I asked the GCloud devs and they mention a known bug where service accounts don't show up unless the environment variable CLOUDSDK_PYTHON_SITEPACKAGES is set.
Hopefully this will be fixed soon, but in the meantime, when you log in again, can you try running
export CLOUDSDK_PYTHON_SITEPACKAGES=1
and seeing if it then works?
You can run
gcloud auth list
to see what accounts there are credentials for; it should list your service account.
I fixed it by relaunching gcloud auth login. Google then asked me to open a webpage which triggered the CLOUDSDK authorization which I believe is linked to the solution shared by J. Tigani.