Watson Machine Learning (WML) Authentication Issue; WML working example (?) - authentication

I am experimenting with Watson Machine Learning (WML) as I would like to deploy a deep learning model through a web API. I have an issue regarding authentication.
I am following the IBM tutorials and I have an issue with the WML authentication. On the tutorial it is mentioned to provide the following credentials to deploy the model on WML:
wml_credentials = {
    "apikey" : "***",
    "url" : "https://ibm-watson-ml.mybluemix.net",
    "username" : "***",
    "password" : "***",
    "instance_id" : "***"
}
I fear that the information is outdated. When looking at the WML service credentials on IBM Cloud, I am provided with the following info:
{
    "apikey": "xxx",
    "iam_apikey_description": "xxx",
    "iam_role_crn": "xxx",
    "iam_serviceid_crn": "xxx",
    "instance_id": "xxx",
    "url": "https://us-south.ml.cloud.ibm.com"
}
I get no username & passwd. Moreover, the url is different from the one provided in the tutorial. I tried to play with the python script but I get errors, which are difficult to understand given that I have no idea of the structure of WML.
Can anyone provide a functioning script and some good intuition about the mechanism of working with WML? The tutorial is not very informative on what is happening under the hood and that makes it difficult to troubleshoot and get started with...
tutorial link
Thanks

For Cloud if the wml instance is in us-south region, you can use the below.
wml_credentials = {
    "apikey" : "",
    "url" : "https://us-south.ml.cloud.ibm.com",
    "instance_id" : ""
}
The values for apikey, url and instance_id should be used from the wml instance credentials. (instance vcap)
The url differs based on the region where the wml instance has been created.
e.g. for us-south it will be https://us-south.ml.cloud.ibm.com
for London it will be https://eu-gb.ml.cloud.ibm.com

Related

Understand how to also get an access token for down stream api access for web app with OneLogin

I've been at this for days and the documentation just isn't clear to me, maybe I'm just not reading it correctly.
I have a blazor WASM app (https://localhost:5001) that pulls data from an api. The api needs to be authenticated so I want to just pass the access token inside the header.
Inside the OneLogin admin dashboard I've created an OIDC app called "testApp", the Token Endpoint is None (PKCE).
Setting up oidcauthentication on blazor was super simple. I originally just used the
builder.Services.AddOidcAuthentication(options =>
{
    builder.Configuration.Bind("OneLogin", options.ProviderOptions);
});
However I quickly realized I had no way to add an audience. So I followed this guide ..
auth0 oidc for blazor
and this github for the actual code I modified to create a custom provideroptions that has an audience string
github repo
And I also had no issues setting it up. However, where I get stuck is how seemingly complicated OneLogin's side of the setup is.
Reading their docs onelogin api auth docs, there are no modern examples of setting it up past the postman import. Downloading the import file offers a fairly organized set of apis however I can't figure out what needs to go where.
First I created an Api Auth Server
{
    "description": "API",
    "configuration": {
        "access_token_expiration_minutes": 20,
        "refresh_token_expiration_minutes": 20,
        "resource_identifier": "https://localhost:5005",
        "audiences": [
            "https://localhost:5005/worker",
            "https://localhost:5005/user"
        ]
    },
    "name": "API"
}
then I created a scope
{
    "value": "custom:scope",
    "description": "A custom scope"
}
then I added api auth server client. I went to the admin panel and grabbed the app id from the url. https://{domain}.onelogin.com/apps/{appId}/edit/#configuration
and added an api auth server
which gave me this back from the postman api
[
    {
        "name": "TestApp",
        "app_id": 1111111,
        "scopes": [
            {
                "id": 172,
                "description": "A custom scope",
                "value": "custom:scope"
            }
        ],
        "api_auth_id": 1246001
    }
]
So from this point it looks like I have everything I need? Except I still can't get it to create an access token. I go back to my application and use the modified service and add my audience to my appsettings.json
"OneLogin": {
    "Authority": "https://{domain}.onelogin.com/oidc/2/",
    "ClientId": "{clientId from onelogin}",
    "ResponseType": "code",
    "DefaultScopes": "openid profile groups",
    "Audience": "https://localhost:5005"
}
Except it still doesn't add the extra audience to the access token causing my api calls to fail when I add the access token inside the header. If anyone can figure out where I've gone wrong I'd be incredibly grateful.
woot. Figured it out myself. I had everything right but I had the audience wrong. In their docs they discuss having multiple audiences like example.com/blah and example.com/bleh but having the audience as just example.com and then having different scopes PER web service actually is working fine.
So when I create example2.com and add it to the audience, both my APIs will be able to be accessed.
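
One way to check which audience and scopes an access token really carries before sending it to the API, as in the question above (an added example, not part of the original posts). The tokens are constructed and unsigned, and the `scope`/`scp` claim names are assumptions to compare against your own token:

```javascript
// Added example: inspect which audience and scopes an access token carries.
// Decoding alone is for troubleshooting; the API must still verify the
// signature against the issuer's keys before trusting any claim.

function b64url(obj) { // helper used only to build the constructed samples
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeClaims(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function checkToken(jwt, expectedAudience, requiredScopes, nowMs = Date.now()) {
  const claims = decodeClaims(jwt);
  // RFC 7519: "aud" is either one string or an array of strings.
  const aud = [].concat(claims.aud ?? []);
  // Assumption: scopes arrive as a space-delimited "scope" string or an "scp" claim.
  const raw = claims.scope ?? claims.scp ?? '';
  const scopes = Array.isArray(raw) ? raw : String(raw).split(' ').filter(Boolean);
  const problems = [];
  if (!aud.includes(expectedAudience)) {
    problems.push(`aud ${JSON.stringify(aud)} lacks ${expectedAudience}`);
  }
  for (const s of requiredScopes) {
    if (!scopes.includes(s)) problems.push(`missing scope ${s}`);
  }
  if (typeof claims.exp === 'number' && claims.exp * 1000 <= nowMs) {
    problems.push('token expired');
  }
  return { ok: problems.length === 0, aud, scopes, problems };
}

// Constructed, unsigned sample tokens (not real OneLogin output).
const SAMPLE_HEADER = b64url({ alg: 'RS256', typ: 'JWT' });
const GOOD = `${SAMPLE_HEADER}.${b64url({ aud: 'https://localhost:5005',
  scope: 'openid profile custom:scope', exp: 4102444800 })}.sig`;
const NO_AUD = `${SAMPLE_HEADER}.${b64url({ aud: 'constructed-client-id',
  scope: 'openid profile groups', exp: 4102444800 })}.sig`;

console.log(checkToken(GOOD, 'https://localhost:5005', ['custom:scope']));
console.log(checkToken(NO_AUD, 'https://localhost:5005', ['custom:scope']).problems);
```

A token shaped like `NO_AUD` is what the API sees when the provider has not added the API's audience, which is the failure described in the question.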

Botium isn't working following the tutorial

I'm setting up the Botium testing framework to run some tests against my Watson-based chatbot. I'm encountering Error: WATSON_USER capability required. I'm following the tutorial available here https://chatbotsmagazine.com/10-minutes-codeless-test-automation-for-ibm-watson-chatbots-d71eac9626d7
As part of the error message, it's also suggesting me to use API key, I'm not sure how to get one.
botium-cli emulator --config ./botium.json
Error: WATSON_USER capability required (or use WATSON_APIKEY)
at BotiumConnectorWatson.Validate (/usr/local/lib/node_modules/botium-cli/node_modules/botium-connector-watson/dist/botium-connector-watson-cjs.js:60:55)
at Validate.Validate.then (/usr/local/lib/node_modules/botium-cli/node_modules/botium-core/src/containers/PluginConnectorContainer.js:72:66)
My config looks like:
{
    "botium": {
        "Capabilities": {
            "PROJECTNAME": "****",
            "CONTAINERMODE": "watson",
            "WATSONCONVERSATION_USER": "*****",
            "WATSONCONVERSATION_PASSWORD": "*****",
            "WATSONCONVERSATION_WORKSPACE_ID": "****",
            "WATSONCONVERSATION_USE_INTENT": false
        }
    }
}
The capability names in Botium have changed a while ago, you can find documentation on the valid capabilities for the Botium Watson Connector on Github: https://github.com/codeforequity-at/botium-connector-watson
I updated the article you mentioned with the new capability names. The botium.json should look like this (see article):
The error message most likely refers to you requiring a valid username/password (process has changed).
Your IBM cloud username/password is not used for this. When you created the Watson Assistant resource, it created default credentials for that resource.
At your Watson Assistant skill, select the menu (instead of going into it) and select "View API details".
You will find the IAM apikey. If you have a much earlier instance, it will have username password.
I am not familiar with Botium, but if it does not have the option to send an API key, then send the username "apikey" and the api key as the password.

UCWA - different results for different applications

I'm playing with the interactive web sdk at https://ucwa.skype.com/websdk. I'm signed in successfully with an Azure AD login. With the F12 Tool I can see that I have got a valid oauth token.
Now I take this token and try to get a person object via a GET request like this: _https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/113782897528/me
This is the result:
{
    "uri": "sip:xxx@yyy.de",
    "name": "john doe",
    "_links": {
        "self": {
            "href": "/ucwa/oauth/v1/applications/111364079681/me"
        }
    },
    "rel": "me"
}
What I expect is more information about me, like this:
{
    "uri": "sip:xxx@yyy.de",
    "name": "john doe",
    "emailAddresses": [
        "xxx"
    ],
    "company": "my company name",
    "workPhoneNumber": "tel:+123456789",
    "endpointUri": "sip:xxx;opaque=user:epid:4JNzkgeuabct-CSuIgYV8gAA;gruu",
    "_links": {
        "self": {
            "href": "/ucwa/oauth/v1/applications/113782897528/me"
        },
        "note": {
            "href": "/ucwa/oauth/v1/applications/113782897528/me/note"
        },
        "presence": {
            "href": "/ucwa/oauth/v1/applications/113782897528/me/presence"
        },
        "location": {
            "href": "/ucwa/oauth/v1/applications/113782897528/me/location"
        },
        "reportMyActivity": {
            "href": "/ucwa/oauth/v1/applications/113782897528/me/reportMyActivity"
        },
        "photo": {
            "href": "/ucwa/oauth/v1/applications/113782897528/photos/xxxx"
        }
    },
    "rel": "me"
}
I found out that the result depends on the application id. If I open the Office365 web portal (_https://outlook.office.com/owa) and search for a valid application id with the F12 tool, then I get the expected result. Even with the OAuth token that I got from the interactive web sdk example. So this cannot be a security or permission issue??
I grant access to all permissions in the azure management portal.
Also very strange is that I get different status codes with the same oauth token for these two very similar requests
_https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/113782897528/me/presence
-> 200 OK
_https://webpoolam30e08.infra.lync.com/ucwa/oauth/v1/applications/112861033140/me/presence
-> 403 Forbidden
{
    "code": "Forbidden",
    "message": "The requested operation isn't allowed."
}
So why is there a difference between both applications and what is required to get the same results? Is anything missing in the azure configuration?
Thanks for help
UCWA and to a larger extent Skype for Business Online are in a preview phase which may help explain why you are seeing a different result set between the two applications. When logging into the O365 portal as your user you are most likely getting supplemental information from Exchange or the portal is able to receive more information from UCWA using internal APIs (and permissions) not publicly exposed.
If I remember correctly and your request example above is as follows:
/ucwa/oauth/v1/applications/113782897528/me/presence - O365 Portal
/ucwa/oauth/v1/applications/112861033140/me/presence - Non-Portal
What you are seeing is that Presence is not currently enabled (a better term might be the API is not publicly exposed) for UCWA when using Online clients.
Access to presence is available in preview mode through the "Read/write Skype user information (preview)" Delegated Permission. You might not have access to it, but here's a picture of what it looks like in Azure AD if you do:
I created a UCWA-based native app that connects to SfB Online and allows you to set your presence:
https://github.com/tamhinsf/ucwa-sfbo-console
Just follow the README to register your own app and plug in your settings into my code. I output the result of each API call onto the console so you can see what's going on.
I've also made a fork of the Interactive Web SDK Samples you've been using that consolidates the Azure AD settings into a single file. You might want a local copy to more closely inspect and modify the calls:
https://github.com/tamhinsf/skype-web-sdk-samples
Sharing the token like that between applications seems like a security violation. The token is provided for a specific resource and the server likely validates that the token you are providing matches the scopes that the application was created with.
What scenario are you trying to perform by sharing the token?

Google API Executable Authentication Error 401

This is my first time executing a Google Script as an API executable. I am trying to run it from an Amazon Web-Services micro-server within an HTML file on my server directory. Basically the script is as follows:
function doGet(e){
    return HtmlService.createHtmlOutput("Hello World!");
};
To do this, I made use of the JavaScript QuickStart tutorial offered by Google here:
https://developers.google.com/apps-script/guides/rest/quickstart/js#step_2_set_up_the_sample
The thing is that whenever I run the executable, I get an error of code 401 telling me that my script is unauthenticated. The error looks like this:
Error calling API:
{
    "error": {
        "code": 401,
        "message": "ScriptError",
        "status": "UNAUTHENTICATED",
        "details": [
            {
                "@type": "type.googleapis.com/google.apps.script.v1.ExecutionError",
                "errorMessage": "Authorization is required to perform that action.",
                "errorType": "ScriptError"
            }
        ]
    }
}
I've tried the following quick-fixes:
Adding the credentials into my Google API Manager with reference to my domain.
Setting the latest deployment of my API executable to be accessible by anyone.
Adding ports to the domain I am running the script from via the API Manager credentials, though it shouldn't be necessary. (I've tested ports 8000, 8080 & 80)
Note also, the domain I am accessing the executable from is given as a plain IP (e.g. XXX.XXX.XXX.XXX). Not sure whether this affects the issue, however I thought it'd be worth mentioning if the error concerns my credential set-up.

How can I script the provisioning Spinnaker resources?

We are evaluating adoption of Spinnaker and would like to understand what API, if any, is available for creating Spinnaker resources? If I want to script/templatize the creation of my App within Spinnaker, what is the best way to do this?
As best as I can see at the moment is script the creation of your infrastructure outside of Spinnaker (e.g. CloudFormation), load that in from your AWS account, and then keep a library of pipeline JSON files that can be copy/pasted into the JSON form for pipelines that will be added afterwards.
All of the items that you can manage via the Spinnaker UI (Server Groups, Load Balancers, Security Groups, Applications, Projects, Pipelines) are scriptable via Spinnaker's REST API. The API documentation is lacking at the moment (but coming soon, stay tuned). For now you can watch the UI's network interaction with the API via developer tools to get example payloads.
For other more static cloud infrastructure (VPCs, subnets, etc) we don't really have a story via Spinnaker's API and would recommend looking at Terraform or CloudFormation
The documentation seems to be outdated. I had a similar problem creating a pipeline using pipeline templates. It worked fine using Deck (UI), whereas the pipeline json as described in https://www.spinnaker.io/reference/pipeline/templates/#pipeline-json did not work.
After creating a pipeline from a pipeline template using the UI, I analysed the payload and realised the documentation is missing some of the fields in the payload. The payload given below worked fine for me. I would suggest the same, that you should analyse the payload via UI in the browser and use that as reference.
{
    "schema": "v2",
    "template": {
        "artifactAccount": "front50ArtifactCredentials",
        "reference": "spinnaker://k8s-bake-approve-deploy-s3-23-oct:latest",
        "type": "front50/pipelineTemplate"
    },
    "application": "v2poc",
    "name": "test-6",
    "triggers": [],
    "type": "templatedPipeline",
    "stages": [],
    "variables": {
        "namespace": "default",
        "docker_registry": "docker.io",
        "k8s_account": "my-k8-account",
        "helm_package_s3_object_path": "s3://spin-helm/node-1.0.0.tgz",
        "helm_override_file_s3_object_path": "s3://spin-helm/values.yaml",
        "docker_registry_org": "athakur",
        "docker_repository": "athakur/node",
        "hal_s3_account": "my-s3-account",
        "hal_docker_registry_account": "my-docker-registry",
        "docker_image_tag": "0.1.0",
        "spinnaker_application": "v2poc"
    },
    "exclude": [],
    "parameterConfig": [],
    "notifications": []
}