I'm attempting to call Google Cloud's signJwt method with Workload Identity Federation with a service account via domain wide delegation. As far as I can tell I'm following Google's instructions exactly but am getting the following error:
{
"error": {
"code": 400,
"message": "Request contains an invalid argument.",
"status": "INVALID_ARGUMENT"
}
}
I'm running the following curl command in the Cloud Shell
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d #request.json \
"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<SA_USERNAME>%40<PROJECT_NAME>.iam.gserviceaccount.com:signJwt"
where request.json contains the following:
{
"payload": "{\"iss\":\"<SA_USERNAME>#<PROJECT_NAME>.iam.gserviceaccount.com\",\"scope\":\"https://www.googleapis.com/auth/gmail.readonly\",\"aud\":\"https://oauth2.googleapis.com/token\",\"exp\":1672868057013,\"iat\":1672868053513,\"sub\":\"<USER_NAME_OF_USER_TO_IMPERSONATE>#<DOMAIN>\"}",
"delegates": [],
}
Why am I getting an invalid argument error?
Try something like this in the request body :
{
"delegates": [
string
],
"payload": string
}
As given in the document:
The sequence of service accounts in a delegation chain. Each service
account must be granted the roles/iam.serviceAccountTokenCreator role
on its next service account in the chain. The last service account in
the chain must be granted the roles/iam.serviceAccountTokenCreator
role on the service account that is specified in the name field of the
request.
The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
Also there is a bug request on it.You can raise a new request if you need it by using the issue tracker.
Related
I am attempting to retrieve event messages from Google pub/sub.
I have tried the following request:
curl -XPOST -H 'Authorization: Bearer ya29AuthToken' -H "Content-type: application/json" -d '{'returnImmediately': false, maxMessages: 10}' 'https://pubsub.googleapis.com/v1/projects/projectID/subscriptions/projectName:pull?key={APIKEY}'
I receive the following response from the server
{
"error": {
"code": 403,
"message": "User not authorized to perform this action.",
"status": "PERMISSION_DENIED"
}
}
What am i doing wrong with this? The API Key is correct and the auth token has not expired.
We have a bucket in Google Cloud Platform to manage pictures.
I am trying to upload a picture to it using Curl.
Respective to the official documentation linked here, this is the Curl-command I used:
curl -X POST --data-binary #cat.jpeg \
-H "Authorization: Bearer A_STRING_SUPPOSED_TO_BE_A_KEY" \
-H "Content-Type: image/jpeg" \
"https://storage.googleapis.com/upload/storage/v1/b/upload_zone/o?uploadType=media&name=cat"
This is the answer we get:
{
"error": {
"code": 401,
"message": "Invalid Credentials",
"errors": [
{
"message": "Invalid Credentials",
"domain": "global",
"reason": "authError",
"locationType": "header",
"location": "Authorization"
}
]
}
}
It seems our key is invalid, we are not sure what to use as Authorization key. Where can we find the OAUTH2.0-key required to make use of the Google Cloud Platform Bucket, do we need to generate it somewhere?
Edit:
We have generated a key using the OAuth 2.0-Playground, and it worked! But the key expires every 3000 seconds...
If you are already authenticated to Google using the gcloud sdk, you can get the key like this:
-H "Authorization: Bearer $(gcloud auth print-identity-token)"
So, using your example above, this should work:
curl -X POST --data-binary #cat.jpeg \
-H "Authorization: Bearer $(gcloud auth print-identity-token)" \
-H "Content-Type: image/jpeg" \
"https://storage.googleapis.com/upload/storage/v1/b/upload_zone/o?uploadType=media&name=cat"
I have been using Google's SDKs to perform API calls such as creating a service account, creating service account keys, get the storage buckets, etc.. Recently I'm unable to create a service account due to the below error.
Request:
curl --location --request POST 'https://iam.googleapis.com/v1/projects/myproject/serviceAccounts' \
--header 'Authorization: Bearer <<token>>' \
--header 'Accept-Encoding: gzip' \
--header 'User-Agent: my test Google-API-Java-Client'
c.g.a.c.g.j.GoogleJsonResponseException: 404 Not Found
{
"code" : 404,
"errors" : [ {
"domain" : "global",
"message" : "Not found; Gaia id not found for email xxxxx#myproject.iam.gserviceaccount.com",
"reason" : "notFound"
} ],
"message" : "Not found; Gaia id not found for email xxxxx#myproject.iam.gserviceaccount.com",
"status" : "NOT_FOUND"
}
Why would I require Gaia id while creating service account? Where can I find this id? Any help is appreciated!!
Did you ever remove the service account 'xxxxx#myproject.iam.gserviceaccount.com' which should be the default service account for IAM API, you can recover it within the 30days after the deletion. or just disable it and re-enable it , will recreate the default service account for you. Let me know if it resolved the issue.
It seems that your request needs to have a body
The request body contains data with the following structure:
{
"accountId": string,
"serviceAccount": {
object (ServiceAccount)
}
}
And it is missing in your command.
You can obtain more information in this documentation.
In your case it should be something like:
curl --request POST \
'https://iam.googleapis.com/v1/projects/my-little-project/serviceAccounts?key=[YOUR_API_KEY]' \
--header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{"accountId":"sa-test","serviceAccount":{"description":"sa-description-test","displayName":"sa-display-testonly"}}' \
--compressed
You can test this API directly in the following link
Also, I have found a similar error, in this stackoverflow case according to this answer this error could be generated if the APIs are not enabled.
what is the procedure for getting the list of all the IP address of google compute instances through its API's and how to provide OAuth 2 access token externally
When I am trying to access via the API given by GCP
https://compute.googleapis.com/compute/v1/projects/{project}/zones/{zone}/instances
I am getting the following error
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"errors": [
{
"message": "Login Required.",
"domain": "global",
"reason": "required",
"location": "Authorization",
"locationType": "header"
}
],
"status": "UNAUTHENTICATED"
}
}
How do i authenticate ?
The easiest way to get an access token for a curl call to a Google Cloud API is to use the Cloud SDK (provided you have it installed and configured).
Once you've confirmed you're logged in with the correct user or service account (gcloud auth list) you can get an access token for a user account by running:
gcloud auth print-access-token
or for a service account you've configured as default:
gcloud auth application-default print-access-token
You'll need to pass that token as Authorization header to authenticate your call. You can integrate the gcloud command in your curl call like this:
curl https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/instances -H "Authorization: Bearer $(gcloud auth print-access-token)"
You can use jq to parse the response and print only an array of IP objects, for example:
curl https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/instances -H "Authorization: Bearer $(gcloud auth print-access-token)" | jq '[.items | .[] | {ip: .networkInterfaces[].accessConfi
gs[].natIP}]'
It'll print a response of the form:
[
{
"ip": "XX.XXX.XX.XXX"
},
{
"ip": "XXX.XXX.XX.XXX"
}
]
i have used wso2 Idendity server version 5.7.
i have created token below curl.
curl -X POST \
https://localhost:9443/oauth2/token \
-H 'Accept: */*' \
-H 'Authorization: Basic dUJqVGZncU1vTHpUQWJwU2U3QXhyYzF3cGRvYTpQVjFLM2ZUM1o3Qm9jVFl3dF9wM214ZzYwQVlh' \
-d 'grant_type=password&username=admin&password=admin'
they will giving below response jwt formate.
{
"access_token": "eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJhdWQiOiJ1QmpUZmdxTW9MelRBYnBTZTdBeHJjMXdwZG9hIiwibmJmIjoxNTU2NjEyMzAxLCJhenAiOiJ1QmpUZmdxTW9MelRBYnBTZTdBeHJjMXdwZG9hIiwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiZXhwIjoxNTU2NjE1OTAxLCJpYXQiOjE1NTY2MTIzMDEsImp0aSI6IjBiNDNiNDJhLTNmMGQtNDczZS05MjgwLWYzMDUyOTE5MDA0NSJ9.BxHpuoYJVpDPH4kauU7C6c9eSn-DDO3k40QQjDSBS3g7_dHDRCXvf1xBFe3dxggth-eomvo1kiIGQtC8_VzvL5umvM1VKkL_DqxDyWmM9CtFHj-MkDROS_81ZcWlME6__69vy68l9_cfM7XCUpkJ2JMAeFV2kS2jAvlIpSn3xcJWDMNNhcC60syrua_aATwNot6DQiy032c1uN2KOWEqLbhLMxDrue41jkhlQ7Kt4i-B7J385O7Rvju6bJ6SoTy-zU92ewXwrXctooLGbd_y-MQmXp0PTp2PqmBtgb5Ryrg9An3AbCavEjzYeJbSj2hIsKzU5dpH_KE670gEGW94jw",
"refresh_token": "253c5d9f-4efd-3b63-8451-66a0f83b2c72",
"token_type": "Bearer",
"expires_in": 3600
}
Problem :
1) when i have called any request using Bearer authorization token,giving below error but Basic YWRtaW46YWRtaW4= working fine.
{
"Errors": [
{
"code": "401",
"description": "Authentication failed for this resource."
}
]
}
2) Refresh token giving plain text how to convert jwt formate also.
Just in case if there is user permission issue, you will get
{"Errors":[{"code":"500","description":"User is not authorized to perform provisioning"}]}
Since your error message is
{
"Errors": [
{
"code": "401",
"description": "Authentication failed for this resource."
}
]
}
it is mainly due to invalid access token. You can check it by simply sending some random string as an access token. I would suggest you to check it from client side where you send correct access token or not.