I am getting the following JSON exception while I am executing the query using the java application for Big-Query API. Following is the exception I am getting:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "accessDenied",
"message": "Access Denied: Job eco-span-847:job_LyHmZIvlY1_0J8JQ3pxThEBf19I: The user does not have permission to run a query in project eco-span-847"
}
],
"code": 403,
"message": "Access Denied: Job eco-span-847:job_LyHmZIvlY1_0J8JQ3pxThEBf19I: The user does not have permission to run a query in project eco-span-847"
}
}
Why is this occurring and how could I resolve this?
To insert a query job in a project the calling user must be at least a Reader on the project.
When using the BigQuery API, you need to construct the client with OAuth credentials for some user. For programmatic access, this is often a Service Account identity. When you create a new Service Account, that account is not automatically added a membership role to your project.
To update the users and service accounts that are members of your project, go to https://console.developers.google.com/ for your project, select "Permissions" in the navigation panel, and make sure the user or service account identity you are calling with is a "Reader" on the project.
Check email/service account is it added in google cloud's IAM&Admin.
Verify the role/permission to use certain api. access control
If above are not met, communicate with the Owner/Admin of the project to add them in.
Related
I'm trying to get data with SharePoint REST API but stucking with "System.UnauthorizedAccessException" error.
How can I fix this?
What I did is...
I got access token.
POST https://login.microsoftonline.com/{{tenantName}}/oauth2/v2.0/token
I tried to get sharepoint list items with the access token I got.
GET https://{{xxx.sharepoint.com}}/sites/{{sitename}}/_api/web/lists/GetByTitle('CSV')/items
With the 2nd command, I got error message like below.
"odata.error": {
"code": "-2147024891, System.UnauthorizedAccessException",
"message": {
"lang": "en-US",
"value": "Access denied. You do not have permission to perform this action or access this resource."
}
Check whether the site you requested matches the scope set by app permission xml.It is possible that the scope does not match and the requested site fails to authenticate the request.
I need to test with PostMan the API
https://learn.microsoft.com/en-us/graph/api/application-post-onlinemeetings?view=graph-rest-1.0&tabs=http
But always return 403...
{
"error": {
"code": "Forbidden",
"message": "",
"innerError": {
"request-id": "76cf26ec-0be3-4b51-a8a8-5c70d71e426c",
"date": "2020-05-25T15:38:50"
}
}
}
I have follow this articole to setup postman microsoft article and all work very well, except this API, and I don't understand why
For this problem, it was caused by the app doesn't have permission to create online meeting. When you click the "Get User Access token" in your postman, it will get the access token which includes the permissions you added to the app before. If you want to test the create online meeting api, you need to go to azure portal and add appropriate permissions for it. Please refer to the steps below:
1. Go to azure portal and click "Azure Active Directory" --> "App registrations" --> "All applications". Search the app by the ClientID which you set in your postman for the graph environment.
2. In you registration app, click "API permissions" and add the OnlineMeetings.ReadWrite permission for it.
After add the OnlineMeetings.ReadWrite permission, don't forget grant admin consent for it.
3. Now you need to get the user access token again in your postman, please click "Get User Access Token" in your postman. You can check the permissions by copy the access token to this page, it will parse the access token and you can check if the token contains the OnlineMeetings.ReadWrite permission.(As add the permission to access token requires a few minutes, so you'd better parse the access token to check if it contains the permission)
4. Then you can test this api in your postman (below I provide a create online meeting sample for your reference).
Problem: cannot access Google Analytics View using API service (json credentials)
PHP Fatal error: Uncaught Google_Service_Exception: {
"error": {
"code": 403,
"message": "User does not have sufficient permissions for this profile.",
"errors": [
{
"message": "User does not have sufficient permissions for this profile.",
"domain": "global",
"reason": "forbidden"
}
],
"status": "PERMISSION_DENIED"
}
}
Detail: When creating a Google analytics account via "Google Account A [analytics]" and creating an API service "Google Account A [developer console - JSON credentials] I can access Analytics data using the API.
I've been given access (Edit, Collaborate, Read & Analyse, Manage Users ) to "Google Account B [Analytics]. Logged into a web browser I can access and see the GoogleAnalytics of Google Account B and have setup a 'Custom View' to access Custom dimensions.
(GA A [Analytics] -> GA A [Dev console]) --- Access OK
(GA B [Analtyics] -> GA A [Permission granted] -> GA A [Dev console]) --- Error
I am assuming if Google Account B created an API service and passed the credentials.json key file things would run smoothly. I want to use this as a last resort as the client will have no idea how to set this up.
I am looking for a reason (and solution to) why Google Account A can see the analytics view of (Google Account B) but the API service of Google Account A cannot access the view.
Original setup/testing: Google Analytics UserID API extraction
Thanks in advance
Answer: A service account in Google API (that is created when setting up the API project) is associated with a user.
This particular user must also be granted access by the owning Google Analytics account.
i.e. Service account xxxx.yyyy#googlepais.com that is created when
setting up a Google API service account.
Something sounds so simple but I was under the impression that since this account was created by a main Google account that already has access that these permissions were implicitly inherited... Not the case but kind of makes sense. And provides a lot more fine grained control.
Once this was granted the API extracted the correct information.
I deployed my microservice over master tenant and subscript it onlty to subtenant.
If I call:
GET https://subtenant.cumulocity.com/service/mymicroservice/health i get Status Code 200 and UP
However if I call:
GET https://subtenant.cumulocity.com/service/mymicroservice/myendpoint/data
I get Status Code 500 and
{
"timestamp": 1534235792950,
"status": 500,
"error": "Internal Server Error",
"exception": "com.cumulocity.sdk.client.SDKException",
"message": "Http status code: 403\n{error=\"security/Forbidden\",message=\"Access is denied\",info=\"https://www.cumulocity.com/guides/reference-guide/#error_reporting\",details=\"null\"}",
"path": "/ mymicroservice /data"
}
When I subscribe to the master tenant, the microservice is working fine! It seems that the user of subtenant is not allowed to access the Cumulocity APIā¦ I also checked the user and the role. The access rights are all granted. How can i access my microservice at subtenants?
I solved the problem by my self. I made a mistake; i forgot to add a role to the manifest to requiredRoles. It was also not working in master tenant.
I was able to retrieve access-token using Google Service account but when I tried to use the same access-token to retrieve GooglePlus User Profile API I'm getting the error mentioned below:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "notFound",
"message": "Not Found"
}
],
"code": 404,
"message": "Not Found"
}
}
I used scope value as https://www.googleapis.com/auth/plus.me while retrieving access-token using Google service account and I was able to fetch access-token, but then if I try to use the same access-token to request User profile API- I.e
https://www.googleapis.com/plus/v1/people/me?prettyprint=true I get the error above.
Can anyone help me on this?
This is most likely because the account that has done the authentication does not have a Google+ account/profile. For testing, you may wish to replace the "me" with the profile ID in question to verify this. In production, of course, you should catch this error and indicate that they don't have a Google+ profile.
If you need to check for a Google login, even if they don't have a Google+ profile, you can use the https://www.googleapis.com/auth/userinfo.profile scope. See https://developers.google.com/accounts/docs/OAuth2Login for more details.