Authentication in the Google Analytics API - authentication

We currently have an account with our company that we use to collect some information from the GA account of our customers.
This account is an #ourdomain account.
We intend to automate these queries by performing them via the GA API.
When creating an authentication key, an account is automatically created # query-domain-domains.iam.gserviceaccount.com.
I ask, is it possible to create an authentication key (JSON) for the account that is already readable in our client accounts, or will we have to ask the more than 1000 domains to add permission to our new user?
Thank you for any help.
Eduardo

To give permissions to a new user account you have to have permissions in the first place, so you cannot create a new service account that already has them.
However if your already have a user account with user management permissions you can use that to insert the service account programmatically via the Management API.

Related

How to configure Auth0 to authenticate with other companies Azure Active Directory?

I have Auth0 configured with Social Connections > Microsoft Account.
This is linked through Client ID/secret to a Microsoft Azure Active Directory tenant in my Microsoft organisation, with an App Registration set to allow:
Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.
When I log in through my app, I can authenticate successfully using my personal account eg. blah.blah#gmail.com
However, when I try to authenticate with my work account blah.blah#myawesomecompany.ai, which is managed with an Azure Active Directory, it fails with
"That Microsoft account doesn’t exist. Enter a different account or get a new one.":
I thought given the Microsoft settings it would allow it connect.
How can I make Auth0 allow Microsoft authentication with other company's existing Azure Active Directory?
Also - can I configure it to limit that feature to specific companies AAD eg. those I have specifically nominated?
Is there a way to configure this without having to upgrade to Auth0 Enterprise?
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application:
Note that: Make sure to use common endpoint for Multi-Tenant and Microsoft accounts.
For sample I used the below endpoint to authorize the users:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
When I tried to sign-in with the personal account, the user logged in successfully like below:
And now I tried to login with other tenant user like below:
By using common endpoint, I am able to sign with personal accounts and other tenant accounts too successfully.
To limit the feature to specific companies AAD, check this blog.
Auth0 Enterprise is required to authorize tenants to the Azure AD Application.
For more in detail, refer below MsDocs:
Use tenant restrictions to manage access to SaaS apps - Microsoft Entra
Multi-tenant application with a whitelist on tenants authorized by Marshaljs
Assuming you want to use multi-tenant app to allow users from different company to sign in your application with their work account. Let's assume you create an Azure AD application in your tenant(tenantA).
Then in your app, you may set the TenantId as the tenant id so that even you created a multi-tenant app, you will only allow users in your tenant to sign in. And the sign in request may look like https://login.microsoftonline.com/{tenantA_tenant_id}/oauth2/v2.0/authorize?, with this link, you will be able to use account like user#tenantA.onmicrosoft.com to sign in, you can also use personal account which is invites to tenantA as a guest to sign in your account.
If you want users in tenantB to sign in your app with account like user#tenantB.onmicrosoft.com, then you must set the TenantId in your app as common which will make the auth request look like https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
Then when sign in the application created by tenantA with account in tenantB, you may see screenshot below. After consenting it, user#tenantB.onmicrosoft.com can sign in this application.

GmailAPI with access to only one account (Server to server)

I want to create ticket in our system when somebody sends email to support#mydomain.com. I'm using GmailAPI to read new messages from that gmail account.
Currently I'm using service account and domain wide delegation (DWD) for authentication.
The problem is that with DWD I can access all user accounts from my organization and this is what I want to avoid.
Is it possible configure service account this way, so that it has access to only one user account? Or can I generate and use private key for single user account instead of service account with DWD?

Accessing a Postgres SQL Server from a Google cloud (gcp) account using another Google cloud (gcp) account which has a virtual machine

I have a Postgres SQL Server in my Google cloud account (account a). I can access it using the external IP address locally or using the internal IP address from one of my virtual machines.
I have a friend who has another google cloud account (account b). He can't access the account unless I white list his VM's ip address. Is there another way he can access my SQL Server such as adding or changing the IAM permissions?
You can use Cloud SQL IAM database authentication. Note that this feature is on Pre-GA and it is only available for Cloud SQL with PostgreSQL but basically Cloud SQL is integrated with IAM to help you better monitor and manage access for users and service accounts to databases.
Something other thing to take into consideration is that at this time groups are not supported, only direct user and service accounts are (i.e., indirect users via groups is not supported). You will need to give your own user account the "Cloud SQL Instance User" role as well as those user accounts in that group that will use IAM based authentication to the Postgres instances in this project configured to use IAM based authentication. Note that you need at least one individual user account assigned this role in the project - you cannot just have service accounts.
On the other hand, make sure that the Postgres instance you are attempting to add a user to has been set with the flag cloudsql.iam_authentication as per the instructions here.
Next, you should be able to add the user and Service Accounts granted the "Cloud SQL Instance User" role via the 'Add User' interface as described here.
Finally, you'll need to GRANT each user/Service Account appropriate permissions on the schemas it should have access to, pay attention to the fact that the full email address of the user or Service Account is required as outlined here.

How to programmatically create Google service account credentials?

I have a desktop application which I want to create a new service account for each user of my application.
Is there any API for creating the service account users on the fly?
Scenario: For each user, I want to give service account, and give this service account the data that this user needs.
The point is that I want to give every user some specific data from Google Cloud, but I want the user to get it directly from Google. I cannot use the user account, because I am not sure he have google account.
You can use the Google Identity and Access Management (IAM) API to programatically create service accounts.
However, creating a service account for each of your application's users is expensive and not scalable. Perhaps your service can have a single service account and then the service can control which of the resources that the user may access.
There is no Google Api that allows you to control projects on Google Developer console. The only thing that comes close is the Google Cloud Resource Manager API which is extremely limited in what it supports. You cant use it to create a service account.
Answer: The only way to create a new service account is to log in and do it though the Google Developers console.

Google AdEx Seller API doesn't support Service accounts

I want to pull periodic reports via Google Seller API. Is there a way, to login into Seller account without having to go via regular OAuth redirection ?
It would make no sense to try to use a service account to access AdEx, which is owned by a user account. You need to obtain a refresh token for the user account, store it somewhere, then use it to obtain an access token whenever you need to access the API. This answer gives the steps to follow How do I authorise an app (web or installed) without user intervention? (canonical ?)