I have Google app engine application that uses google cloud sql, it works locally but when deployed on the google app engine cloud I get access denied. locally i have defined ip address to access sql cloud and for the app engine app the application id is define. is there any other config that is missing, why the code is not working deploy on the google cloud?
Are you using a password? Don't. When app is deployed in GAE and you use a password for cloud sql it will give you an access denied error. If you null out your password before you deploy, it will work. The password is only required if you are not using GAE.
There might be a few reasons that are preventing your GAE instance to connect to your GCS instance:
The App Engine app is not configured to have permissions to GCS
Your GCS url is not in the form: /cloudsql/your-project-id:your-instance-name
Your MySQL user was not created using the Cloud SQL administration console.
You are using a password to connect (you shouldn't)
Related
I created a Managed Notebooks instance using the Compute Engine Service Account. I have some python code which reads from a BigQuery table and does some processing. I did 'gcloud auth application default login', logged into my google account, and then was able to access that BQ table (which otherwise gave access denied error).
Now, I want to run this notebook using the Executor. However, I get access denied errors since the Executor runs the notebook in a tenant project. This page mentions
Also, the executor cannot use end-user credentials to authenticate access to resources, for example, the gcloud auth login command.
To resolve these issues, in your notebook file's code, authenticate access to resources through a service account.
Then when you create an execution or schedule, specify the service account.
How do I authenticate access to resources through a service account? I tried setting the compute engine service account as the service account to be used in Executor settings, but it still gives me access denied error for that BQ table. What can I do within my code that is similar to running 'gcloud auth application default login'?
I am not able to use Firebase Storage however I am using Identity Platform (firebase auth). Once a user is logged in to my web application, I would like them to be able to upload to a Cloud Storage bucket. The current way I am thinking about doing this is by have a Cloud Function which first uses firebase admin library to verify the token of the user and then generates a signed-url for the upload.
Is this the correct method for doing this?
Google Cloud Identity Platform uses the same SDKs and most of the same back-end as Firebase Authentication. The main difference in is the set of features it supports, and its pricing model.
If your project is set up for using Cloud Identify Platform, you can still use the Firebase SDKs for Cloud Storage to upload, and use Firebase's server-side security rules to control read/write access for it. A common security model to get started with is content-owner only access.
I have experience in integrating AWS cognito with Azure AD (SSO). But I don't know how to implement similar authentication in GCP.
I want to authenticate the users in Azure AD to use the custom web app deployed in Google cloud run.
I see three options in GCP, but I couldn't find any resource to implement.
Google cloud identity
Google cloud identity platform
Firebase Authentication
This custom web app should only authenticate the Azure AD users in our organization.
Google Cloud Identity Platform and Firebase Authentication are effectively the same thing. There are a few additional features in GCIP.
To set up GCIP for Microsoft user, here's a link to the docs.
If you're using Cloud Function for Firebase, you can use a Callable Function to get the authenticated user, then handle your own authorisation.
If you want to use Cloud Run, then you can use the Firebase Admin SDK (even with GCIP) to verify the token and get the user ID (which you can then use to authorise the user via a database or with Custom Claims).
I want to restrict the access of google app engine apps only to users in my organization. Also, I want them to be able to access these without connecting to the organization's VPN
I am using python 3.7 runtime and standard environment for apps deployed on app engine
Using login: required handler is deprecated in python 3 runtime
handlers:
login: required
Is there a similar and ready to use alternate to this?
You can take a look at Identity Aware Proxy. Visit this link for a quick tutorial.
A benefit with IAP is that you don't need to make any changes to your application for it to work. All requests to your application will get authenticated with a google account and reach your code only if the user is logged in with a valid google account with IAP-secured Web App User role assigned.
You can create a Google Group in your organization's G Suite which contains all the users in the organization and assign the IAP-secured Web App User role to it. Then only users in your organization will be able to access the application.
I'm writing a web application and I want to get all users using Azure Graph API. Which permissions are required. Does admin have to consent?
At the very least, your application would need Read Directory Data permission that you will setup in Azure Portal when configuring your application.
Does admin have to consent?
Yes, the admin would have to consent.