Adding GA4 connection to AWS AppFlow - google-cloud-platform

I am trying to add an AppFlow connection to an existing GA4 account; GA4 is already up and running and even pushing data to BigQuery.
However, when I try to create the connection in AppFlow to start a flow from GA4 to Redshift, I get this error message:
An error occured while creating the connection ga4.
Error authenticating to connector: Failed to validate Connection while attempting "ValidateCredentials with CustomConnector" with connector failure The request failed because the service Source Google Analytics 4 returned the following error: Details: Google Analytics 4 returned error message - Request failed with Status Code: 403, Error Reason: Forbidden. (Service: null; Status Code: 400; Error Code: Client; Request ID: null; Proxy: null)
I have followed this documentation: https://docs.aws.amazon.com/appflow/latest/userguide/connectors-google-analytics-4.html
I was able to create a GA UA connection, but it used a slightly different OAuth configuration.
My GCP app is set to Production and is External, my Google Analytics API is enabled and the OAuth Web Application creds are created, and the Authorized redirect URI is set to https://us-east-1.console.aws.amazon.com/appflow/oauth as suggested by the documentation.
When I add the clientID and clientSecret to AppFlow's connection and click connect, I get a Google login pop-up prompt, and when I log in it asks me to allow amazon.com to access my data and pull data etc., which I do allow; then the pop-up disappears and the above error pops up in AWS.

We had this issue and received this response from Amazon; after also enabling the GA Admin API, the connection worked:
I would like to inform you that the user has to enable access to "Google Analytics API" as well as "Google Analytics ADMIN API" for a successful connection through the GA4 connector.
Therefore, I kindly request you to verify and enable both APIs mentioned above if not done already.
I understand that the AWS documentation to set up GA4 with AppFlow only mentions enabling the "Google Analytics API" and not the "Google Analytics Admin API". Hence I will ask the internal team to get it updated. I apologize for the inconvenience you faced due to this issue.

Related

How to integrate RazerID as OIDC Provider in AWS Cognito?

Good day. I need help with integrating RazerID into my app as a custom OIDC provider in Cognito. I have done all the configurations in the user pool, and when I try to log in through the Hosted UI it redirects me to the Razer page; then I log in and it redirects me back to the localhost callback with an error message:
http://localhost:3000/?error_description=invalid_token_signature%3A+Could+not+match+the+desired+key+identifier+within+the+list+of+keys&error=invalid_request
I checked the network section and I am getting the code and state.
Identity Provider Configuration
App Client Settings
RazerID manual: PDF
How can I get the RazerID working properly?

Google SAML SSO is not sending UserId attribute

We have an application which can be launched via SAML launch. Our customers are using Google SAML launch. Recently we have observed a few scenarios where the SAML launch is missing the UserId attribute. Upon detailed investigation we found that the referrer URL for the failed launch is missing the "from_login=1" query string, whereas successful launches have the "from_login=1" query string.
I am guessing that the failed users are not signing into Google before trying to do the SAML launch, or somehow Google is failing to read the cookie because of some browser restriction and is not able to send it through. Could someone please guide me on the same?

CloudRun Service to Service returning 403 After Setup

I have a service to service set up that I completed using the google cloud tutorial (https://cloud.google.com/run/docs/authenticating/service-to-service#nodejs)
Changed the Cloud Run service account to have roles/run.invoker (they both share the same role)
Make a request to get the access token: http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=https://XXXX-XXXX-XXXX-xx.a.run.app
(failing) Use that access token to make a request at https://XXXX-XXXX-XXXX-xx.a.run.app/my-endpoint with the access token: axios.post('https://XXXX-XXXX-XXXX-xx.a.run.app/my-endpoint', {myData}, {headers: {Authorization: 'Bearer eyJhbGciOiJSUz.....'}})
However, on step 3, making the call to my service, I receive a 403 error, any thoughts on what I missed?
Note: I have tried deploying my invoked service with --allow-unauthenticated and without it. I am not using a custom domain, I am using the CloudRun created url.
PS: If I change the ingress from internal and load balancer to all it works, however I'm not sure if this is correct to do.
The HTTP 403 Forbidden error message when accessing your Cloud Run service means that your client is not authorized to invoke this service.
You have not granted the service account permission to call the receiving service. Your question states that you added roles/run.invoker but the error message indicates you did not complete this step correctly.
Go to the Google Cloud Console.
Select the receiving service (this is the Cloud Run service you are calling).
Click Show Info Panel in the top right corner to show the Permissions tab.
In the Add members field, enter the identity of the calling service.
Select the Cloud Run Invoker role from the Select a role drop-down menu.
Click Add.
Note: When requesting the Identity Token, do not specify the custom domain. Your question's wording is confusing on that point.
[UPDATE]
The OP has enabled internal and load balancer. This requires setting up Serverless VPC Access.
Connecting to a VPC network
The solution was to add a VPC Connector and route all traffic through it. I added this to the deploy script: --vpc-egress all-traffic. Originally I had --vpc-egress private-ranges-only to connect to Redis Memorystore; however, this was insufficient to connect to my other service (internal-only ingress).
Credit to excellent insight from @JohnHanley and @GuillaumeBlaquiere
Interesting note about Node.js: my container wouldn't start when I switched --vpc-egress to all-traffic, and I had no idea why because there were no logs. It turns out running Node v16.2 caused some weird issues with --vpc-egress all-traffic that I couldn't debug, so downgrading to 14.7 allowed the container to start.
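Both the Cognito error in the RazerID question above (invalid_token_signature: Could not match the desired key identifier within the list of keys) and the Cloud Run 403 thread come down to what is inside the ID token the caller presents. The Node.js snippet below is an added example, not code from either post or from AWS or Google: it decodes a JWT without verifying it, reports whether the kid in the token header appears in a JWKS document (the lookup Cognito performs against the OIDC provider's jwks_uri before it can check the signature), and reports whether the aud claim equals the Cloud Run URL the token is about to be sent to (the reason the answer says not to request the identity token with a custom domain). The tokens, the JWKS and SERVICE_URL are constructed placeholders for the example; the decode helpers are ordinary base64url handling, not a library API.

```javascript
// Added example (not from the original posts): inspect a JWT's header and payload
// to diagnose the two failure modes discussed above. Nothing here verifies a
// signature; it only answers "which key should verify this?" and "who is it for?".

// JWTs use base64url without padding; convert to standard base64 for Buffer.
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split a compact JWT into its decoded header and payload (signature is ignored).
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 dot-separated parts)');
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
  };
}

// Return the JWKS entry whose kid matches the token header, or null.
// null is the situation behind Cognito's
// "Could not match the desired key identifier within the list of keys".
function findSigningKey(token, jwks) {
  const { header } = decodeJwt(token);
  if (!header.kid) return null;
  return (jwks.keys || []).find((k) => k.kid === header.kid) || null;
}

// Check the aud claim against the URL the request will actually be sent to.
// Cloud Run expects aud to be the service's own *.run.app URL, so a token minted
// for a custom domain is rejected even if the caller has roles/run.invoker.
function audienceMatches(token, expectedAudience) {
  const { payload } = decodeJwt(token);
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return aud.includes(expectedAudience);
}

// --- constructed sample data (hypothetical service, keys and tokens) ---
const SERVICE_URL = 'https://my-service-abc123-uc.a.run.app';
const JWKS = { keys: [{ kty: 'RSA', kid: 'key-2023-01', n: 'AQAB', e: 'AQAB' }] };

// The signature part is a dummy; these tokens are only for decoding, never for auth.
function makeUnsignedToken(header, payload) {
  return `${b64urlEncode(header)}.${b64urlEncode(payload)}.c2ln`;
}

const GOOD_TOKEN = makeUnsignedToken(
  { alg: 'RS256', kid: 'key-2023-01' },
  { iss: 'https://accounts.google.com', aud: SERVICE_URL, email: 'caller@example.iam.gserviceaccount.com' });

// Header kid not present in JWKS: the Cognito "key identifier" failure.
const WRONG_KID_TOKEN = makeUnsignedToken(
  { alg: 'RS256', kid: 'key-2022-12' },
  { iss: 'https://idp.example', aud: 'cognito-client-id' });

// aud set to a custom domain instead of the *.run.app URL.
const CUSTOM_DOMAIN_TOKEN = makeUnsignedToken(
  { alg: 'RS256', kid: 'key-2023-01' },
  { iss: 'https://accounts.google.com', aud: 'https://api.example.com' });

// Run all checks and return the results as one object.
function diagnose() {
  return {
    goodKidFound: findSigningKey(GOOD_TOKEN, JWKS) !== null,
    wrongKidFound: findSigningKey(WRONG_KID_TOKEN, JWKS) !== null,
    goodAud: audienceMatches(GOOD_TOKEN, SERVICE_URL),
    customDomainAud: audienceMatches(CUSTOM_DOMAIN_TOKEN, SERVICE_URL),
  };
}

console.log(diagnose());
```

To use this against a real token, paste the value from the metadata server (or the id_token the OIDC provider returned) into decodeJwt and fetch the provider's JWKS from its jwks_uri; if findSigningKey returns null, the provider is signing with a key it does not publish (or Cognito is pointed at the wrong jwks_uri), and if audienceMatches is false for the *.run.app URL, the token was minted for the wrong audience and Cloud Run will refuse it regardless of IAM.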

WSO2 APIM Analytics not populating Log Analyzer links in Admin Portal

We have set up WSO2 API-M v2.1.0 with API-M Analytics v2.1.0 with PostgreSQL and HAProxy on CentOS. The API analytics reports are being shown as expected from the Publisher and the Store side, and even the API availability from the Admin Portal.
This is a distributed set-up comprising separate publisher, store, key manager, traffic manager, gateway manager/worker and analytics. Consul service discovery is providing local DNS resolution.
On the gateway worker we have enabled the log analyzer; also, HAProxy is forwarding /portal and /shindig to the Admin Portal publisher node.
Also note the publisher was started on its api-publisher product profile; however, this resulted in missing alert configurations, see the jira issue.
This is easily resolved by reverting to the default profile; still, none of the log analyzer links are being populated when logged into the Admin Portal application.
When attempting any of the log analyzer links from the Admin Portal, the browser's JavaScript console displays the following errors:
"Failed to preload gadget https://<HOSTNAME>/portal/store/carbon.super/fs/gadget/LiveLogViewer/index.xml."
and
"Detailed error: 503 Unable to retrieve spec for https://<HOSTNAME>/portal/store/carbon.super/fs/gadget/LiveLogViewer/index.xml. HTTP error 503"
From the analytics carbon console I can validate my gateway log analyzer configuration from the data explorer, seen here.
The docs seem to suggest the need to edit JS code for the log analyzer?

AWS SNS push notification

While creating a platform application, when I tried to create the application, selected GCM as the push notification platform and added the API key, I got the following:
Invalid parameter: Attributes Reason: Platform credentials are invalid
(Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter;
Request ID: 44a04d15-c58b-5bf8-859e-0311947aac6c)
What does this mean and how can I fix this?
I got exactly the same error message as yours. It seems Google is migrating Firebase Cloud Messaging (FCM) to Google Cloud Messaging, and the API key created via Credentials in the API Manager of Google Cloud Platform is not working.
And here is how I got it to work.
Go to the Firebase Console and import the Google Cloud project.
Go to Project settings in the Firebase Console and you should see the Web API Key of your project.
Go back to your Google Cloud Platform, and go to Credentials in the API Manager; you should see that two API keys have been generated: Browser key (auto created by Google Service) and Server key (auto created by Google Service).
The Server key (auto created by Google Service) is what you need to use on Amazon SNS.
Hope it can resolve your problem, and hope it is only a temporary solution, so that after Google has done the migration we can directly use the API key created in the API Manager.