I've followed the Google Cloud AutoML API quickstart of requesting api by using
curl -X POST \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type: application/json" \
https://automl.googleapis.com/v1beta1/projects/kintsugi-415310213303/locations/us-central1/models/TCN1592956918625708154:predict \
-d '{
"payload" : {
"textSnippet": {
"content": "YOUR TEXT HERE",
"mime_type": "text/plain"
},
}
}'
and following link, but I got this error
{
"error": {
"code": 401,
"message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. Se
e https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
I referred to Request had invalid authentication credentials. Expected OAuth 2 access token error in cloud speech api, and tried creating another access token with application-default login and got the below error:
{
"error": {
"code": 403,
"message": "Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by
the automl.googleapis.com. We recommend that most server applications use service accounts instead. For more information about service accounts and how
to use them in your application, see https://cloud.google.com/docs/authentication/.",
"status": "PERMISSION_DENIED"
}
}
I've also enabled permissions similar to this: https://github.com/googleapis/google-cloud-php/issues/1722 (AutoML Admin, AutoML Service Agent, AutoML Editor)
I'm the owner/admin of the project. It seems like the tokens are expiring and I may need to implement this server-side.
What should I do now?
Thanks in advance!
Realized I pointed to the wrong json file, re-generated the key (https://cloud.google.com/video-intelligence/docs/common/auth) and dragged/dropped the path directly into the terminal and was able to generate local results.
$ export GOOGLE_APPLICATION_CREDENTIALS=[json path]
Related
I was trying the above api in postman. Here is the request json:
{
"input":{
"text":"Flutter is awesome!"
},
"voice":{
"languageCode":"en-gb",
"name":"en-GB-Standard-A",
"ssmlGender":"FEMALE"
},
"audioConfig":{
"audioEncoding":"MP3"
}
}
for auth, i chose Bearer in postman auth and first executed the following command in my terminal to get the token:
gcloud auth application-default print-access-token
i pasted this token in auth header, and i received the following response :
{
"error": {
"code": 403,
"message": "Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the texttospeech.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.",
"status": "PERMISSION_DENIED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "SERVICE_DISABLED",
"domain": "googleapis.com",
"metadata": {
"consumer": "projects/12345678910",
"service": "texttospeech.googleapis.com"
}
}
]
}
}
I am very new to GCP in general and don't know how to navigate this issue. For additional context, i am trying to make a REST API call where i send the text and get a base64encoded string containig audio back. Any help is appreciated.
This is confusing/complex but the error is helpful:
Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the texttospeech.googleapis.com.
NOTE You can try this method using Google's APIs Explorer at this link
text.synthesize.
The issue is that gcloud is an OAuth2 application and tokens issued by gcloud either using gcloud auth print-[access|identity]-token and gcloud auth application-default print-access-token are issued against a Google-managed project (that Google provides for gcloud) and -- importantly -- not one of your own projects.
Google wants to provide gcloud for its users but does not want to provide arbitrary API access (for free) to its users. Hence the "not supported" part of the error.
The solution (as described) is that you should:
Use (or create) your own Google Project
Enable the Text-to-Speech service (API) in this project
Create a Service Account and key
gcloud auth activate-service-account providing the Service Account key
gcloud auth print-access-token to get an access token to invoke the API
See the following link for the steps:
https://cloud.google.com/text-to-speech/docs/libraries
Every user getting registered to the Sandbox gets added to the Platform as an Identity.
How can I get the Identity ID of my user when I log in to the Sandbox environment?
I need this user ID for creating links between identities as is exemplified in this guide after creating group.
Another way is to check request from browser's network after you log in:
https://world-sandbox.oftrust.net/api/me
See the id in response
Using the /me endpoint of Login API in Platform of Trust, you can retrieve the identity ID of the user currently logged in to Sandbox.
Sample request in cURL is:
curl -i -X GET \
-H "Authorization: Bearer eyJ0eXAiOiJ...qW1QhdEsJLNGV2YA" \
"https://api-sandbox.oftrust.net/me"
On success, you should get the following response:
HTTP/1.0 200
{
"#context": "https://standards.oftrust.net/v2/Context/Identity/LegalParty/Person/",
"#type": "Person",
"#id": "33237067-14c3-4801-9e50-bf08406406e2",
"email": "user#example.com",
"role": "developer",
"firstName": "Anna",
"lastName": "Bar"
}
You can get your Bearer token (valid for 24 hours) from the Sandbox environment.
You may need to obtain the identity ID for your user when you are building apps in the Platform and creating authorization flow for the intended users.
You can access the API documentation for Platform of Trust Login API here.
Following the authentication guide for Cloud Run here, I wanted to make a service only accessible by authenticated users.
I created a base service, called helloworld (yes, no originality here), and applied the following policy:
gcloud run services add-iam-policy-binding helloworld \
--member="allAuthenticatedUsers" \
--role="roles/run.invoker"
I then tried to invoke it using the gcloud auth print-identity-token ID Token like this:
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" https://helloworld-*****.a.run.app
All good, the service responds with bearer tokens coming from a #gmail.com account and a GSuite one using gcloud.
As a next step, I followed the end-user authentication guide here and:
created web application credentials in the same project as the Cloud Run service above
redeployed the service to absorb the new Client ID configuration
created a simple HTML page with that Client ID and Google Sign-In logic (like this one)
run a local webserver to serve that page and got a new ID Token
attempted to do the same curl with that very token
This time though, the response was a 401 with the following value in the WWW-Authenticate header:
Bearer error="invalid_token" error_description="The access token could not be verified"
This is the response of the https://oauth2.googleapis.com/tokeninfo API:
{
"iss": "accounts.google.com",
"azp": "*****************.apps.googleusercontent.com",
"aud": "*****************.apps.googleusercontent.com",
"sub": "*******",
"email": "theuser#gmail.com",
"email_verified": "true",
"at_hash": "********",
"name": "********",
"picture": "********",
"given_name": "********",
"family_name": "********",
"locale": "en",
"iat": "1581617530",
"exp": "1581621130",
"jti": "6a0dd7561c0d95f7c92fc29a885039fe3f23db16",
"alg": "RS256",
"kid": "d8efea1f66e87bb36c2ea09d837338bdd810353b",
"typ": "JWT"
}
and the azp and aud values are the same Client ID that is defined as a Web Application credential in the project.
I also tried to add the specific user to the service like this:
gcloud run services add-iam-policy-binding helloworld \
--member="user:theuser#gmail.com" \
--role="roles/run.invoker"
Still no luck... What am I doing wrong?
Thanks to wlhee's input about the issue, I redeployed the service and was able to successfully access it with a token generated using the Client ID from the same project.
Is it possible to access the Google Cloud Scheduler API using an API key?
Method: projects.locations.jobs.create
https://cloud.google.com/scheduler/docs/reference/rest/v1/projects.locations.jobs/create
I am trying to create a Job using curl:
curl -X POST \
'https://cloudscheduler.googleapis.com/v1/projects/my-project/locations/nam5/jobs?key=[MyAwesomeAPIKey]' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"name": "test-awesome-job",
"description": "My first job",
"schedule": "45 23 * * 6",
"timeZone": "utc",
"pubsubTarget": {
"topicName": "projects/my-project/topics/topic-name",
"attributes": {
"name": "39ro"
}
}
}'
but it result in a 401 Unauthorized response:
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
The Cloud Scheduler API uses service account credentials as described in https://cloud.google.com/docs/authentication/production. As the API docs state, a limited number of GCP services support API keys and that does not include Cloud Scheduler.
If you are running the code to interact with the Cloud Scheduler API on App Engine, Cloud Functions, or Cloud Run the service account is built-in and all you need to do is grant that service account permission to interact with Cloud Scheduler via IAM.
The docs have some more streamlined information on getting set up with the Cloud Scheduler client libraries.
I get confused watching the API explorer which suggested as possible credentials
Google OAuth 2.0 or API key and from the "Help me choose" tool from Google Cloud API credentials (https://console.cloud.google.com/apis/credentials), which apparently now reports the correct solution:
For your situation you can use Application Default Credentials,
which provide a simple way to access Google APIs from App Engine or Compute Engine.
previously it showed the API keys as a possible option.
Thanks #Grayside for pointing me out!
JSON response when trying to make an API call. I keep getting "IAM Token passed is invalid."
{
"error": {
"message": "IAM Token passed is invalid.",
"transaction_id": "257a01a1-cfa2-4fbf-b6bc-5abd1fd820f7"
},
"success": false
}
Make sure to renew your IAM Token and not use any previous or someone else's token to make a call.
Following are the CLI commands to follow to log into IBM cloud and generate a new IAM token.
ibmcloud login
ibmcloud iam oauth-tokens
Doc link: https://console.bluemix.net/docs/services/cloud-monitoring/security/auth_iam.html#auth_iam
To work with the API, the user should add IBM Cloud IAM access token in the API request authentication header:
-H 'Authorization: Bearer <IAM_TOKEN>'