Error in service account access token generation using workload identity federation - amazon-web-services

I have a service running on AWS, and I want to publish messages via Pub/Sub to GCP, so I use workload identity federation to achieve this. My teammate set up the workload identity federation following the guidance and generated a JSON file with type "external_account". I passed this file, along with the topic ID and project ID, to GCP and tried to publish a message. However, I got an error in service account access token generation:
"message did not publish successfully: message did not publish successfully:
rpc error: code = Unauthenticated desc = transport:
per-RPC creds failed due to error: oauth2/google: unable to generate access token:
Post \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<topic_id>#<project_id>.iam.gserviceaccount.com:generateAccessToken\":
Get \"http://169.254.169.254/latest/meta-data/iam/security-credentials\":
dial tcp 169.254.169.254:80: i/o timeout"
I don't understand what it means. I can say there's a timeout issue, but why? Can someone help me, please? Please share any ideas you have, much appreciated!
Update:
My teammate carried out all the steps, and I think things like the IAM role are created. I followed this document to verify whether it works, and it returns the error above.
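The last two lines of the error show what the library was doing when it failed: before it can call generateAccessToken it needs AWS credentials to exchange, and the "external_account" file told it to fetch them from the EC2 instance metadata endpoint (169.254.169.254), which never answered. The added Go program below is an example written for this page, not code from the question or from the Google auth library. It parses such a file, reports which metadata URLs it would contact, applies the documented lookup order (region and keys from AWS_REGION/AWS_DEFAULT_REGION, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are used before the metadata endpoint), and probes each URL with a short deadline so the failure is reported in seconds rather than as a long i/o timeout. The file path, the probe timeout and the sample values in the test are assumptions.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// Fields of an "external_account" credential file that decide where the
// Google auth library obtains AWS credentials. Field names follow the
// documented file format; everything else in this program is constructed
// for the example.
type externalAccount struct {
	Type             string `json:"type"`
	Audience         string `json:"audience"`
	ImpersonationURL string `json:"service_account_impersonation_url"`
	CredentialSource struct {
		EnvironmentID string `json:"environment_id"`
		RegionURL     string `json:"region_url"`
		URL           string `json:"url"`
	} `json:"credential_source"`
}

// parseExternalAccount decodes the JSON and rejects files that are not of
// the expected type or that carry no AWS credential source.
func parseExternalAccount(raw []byte) (*externalAccount, error) {
	var ea externalAccount
	if err := json.Unmarshal(raw, &ea); err != nil {
		return nil, err
	}
	if ea.Type != "external_account" {
		return nil, fmt.Errorf("unexpected credential type %q", ea.Type)
	}
	if ea.CredentialSource.URL == "" {
		return nil, errors.New("credential_source.url is empty; not an AWS credential source")
	}
	return &ea, nil
}

// needsMetadataServer mirrors the documented lookup order: when region and
// security credentials are all supplied through environment variables, the
// metadata endpoint is not contacted at all.
func needsMetadataServer(getenv func(string) string) bool {
	haveRegion := getenv("AWS_REGION") != "" || getenv("AWS_DEFAULT_REGION") != ""
	haveKeys := getenv("AWS_ACCESS_KEY_ID") != "" && getenv("AWS_SECRET_ACCESS_KEY") != ""
	return !(haveRegion && haveKeys)
}

// probe issues a GET with a short deadline so an unreachable link-local
// address fails fast instead of hanging like the timeout in the question.
func probe(ctx context.Context, url string, timeout time.Duration) error {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s returned HTTP %d", url, resp.StatusCode)
	}
	return nil
}

func main() {
	path := "external_account.json" // assumed location of the generated file
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	ea, err := parseExternalAccount(raw)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("impersonation URL:", ea.ImpersonationURL)
	if !needsMetadataServer(os.Getenv) {
		fmt.Println("AWS credentials come from the environment; the metadata server is not needed")
		return
	}
	for _, u := range []string{ea.CredentialSource.RegionURL, ea.CredentialSource.URL} {
		if err := probe(context.Background(), u, 2*time.Second); err != nil {
			fmt.Printf("UNREACHABLE %s: %v\n", u, err)
			continue
		}
		fmt.Printf("reachable   %s\n", u)
	}
}
```

Run it on the same host and in the same network context as the publishing service: a probe that also times out confirms the problem is the path to the metadata endpoint rather than anything on the GCP side, whereas a quick HTTP 401 or 403 means the endpoint is reachable but wants a different request (for example an IMDSv2 session token), which is a different problem from the one in the question.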

Related

Adding GA4 connection to AWS AppFlow

I am trying to add an AppFlow connection to an existing GA4 account. GA4 is already up and running and even pushing data to BigQuery.
However, when I try to create the connection in AppFlow to start a flow from GA4 to Redshift, I get this error message:
An error occured while creating the connection ga4.
Error authenticating to connector: Failed to validate Connection while attempting "ValidateCredentials with CustomConnector" with connector failure The request failed because the service Source Google Analytics 4 returned the following error: Details: Google Analytics 4 returned error message - Request failed with Status Code: 403, Error Reason: Forbidden. (Service: null; Status Code: 400; Error Code: Client; Request ID: null; Proxy: null)
I have followed this documentation. https://docs.aws.amazon.com/appflow/latest/userguide/connectors-google-analytics-4.html
I was able to create a GA UA connection, but it used a slightly different OAuth Configuration.
My GCP app is set to Production and is External, my Google Analytics API is enabled, the OAuth Web Application creds are created, and the Authorized redirect URI is set to https://us-east-1.console.aws.amazon.com/appflow/oauth as suggested by the documentation.
When I add the clientID and clientSecret to AppFlow's connection and click connect, I get a Google login pop-up prompt, and when I log in it asks me to allow amazon.com to access my data and pull data etc., which I do allow; then the pop-up disappears and the above error pops up in AWS.
We had this issue and received this response from Amazon; after also enabling the GA Admin API, the connection worked:
I would like to inform you that the user has to enable access to the "Google Analytics API" as well as the "Google Analytics ADMIN API" for a successful connection through the GA4 connector.
Therefore, I kindly request you to verify and enable both APIs mentioned above if not done already.
I understand that the AWS documentation to set up GA4 with AppFlow only mentions enabling the "Google Analytics API" and not the "Google Analytics Admin API". Hence I will ask the internal team to get it updated. I apologize for the inconvenience you faced due to this issue.

Google SAML SSO is not sending UserId attribute

We have an application which can be launched via SAML launch. Our customers are using Google SAML launch. Recently we have observed a few scenarios where the SAML launch is missing the UserId attribute. Upon detailed investigation we found that the referrer URL for a failed launch is missing the "from_login=1" query string, whereas successful launches have the "from_login=1" query string.
I am guessing that the failed users are not signing into Google before trying the SAML launch, or somehow Google is failing to read the cookie because of some browser restriction and is not able to send it through. Could someone please guide me on this?

AWS throws An Unknown error occurred while deploying API Gateway

In AWS API Gateway I am trying to deploy an API to a new stage, and I'm getting the error "An unknown error occurred". I am assuming it is most likely because of permissions, but I have API Gateway administrator permissions.
How do I find out exactly which permissions are missing? Does AWS API Gateway log any deployment-related events? Where do I find what's going on?
Answering your question about API Gateway deployment events, below are the typical steps I take to see what's happening.
Any operation you perform on the Console or via the SDK is essentially calling AWS APIs.
For Console failures, you can always check on the client side by going to the Developer Tools provided by browsers. Typically F12 key --> Network tab, replicate the issue and see which AWS endpoint gave an error, or go to the Console tab and see any JavaScript errors logged.
If I am still not able to determine the cause, I enable CloudTrail logs and see which user and which API call gave error responses for which operation. CloudTrail Guide to API Gateway.
If there is a specific role or policy issue, I use the Policy Simulator to test policies for the role once permissions are added.

403 Forbidden when trying to query AWS ElasticSearch cluster

I'm having issues performing requests using Jest to an AWS ElasticSearch cluster v5.3.
The reason is:
The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details
I am using Windows 10 with Java 11, Spring Boot 2, WebFlux, Jest and the AWS HTTP request signer that they point to in their documentation.
I've checked and double-checked the access and secret keys of the IAM user. I also added policies giving the IAM user full control over the cluster; still the 403 message.
Removing or adding the Content-Length header yields the same error.
Not sure where to go from here.
Any help would be appreciated.
Thx
So from what I discovered, the network issue had something to do with the corporate proxy. I created a tunnel between my laptop and the ElasticSearch cluster, removed the proxy from the HTTP client used by Jest, and things work smoothly now.
I wasn't able to figure out exactly how the proxy affected the request signature though, but I'll stick with the tunnel solution.
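The 403 above is the service reporting that the request it received no longer matched what the client signed. A SigV4 signature covers a canonical request built from the method, path, query string, the headers listed as signed, and the SHA-256 of the body, so any intermediary that rewrites one of those covered parts in transit invalidates the signature. The Go program below is an added example for this page, not the poster's code or the AWS signer library: it builds the canonical request as the SigV4 specification defines it and hashes it, which makes it easy to see that changing a single signed header value (a constructed Content-Length edit stands in for whatever the proxy did) changes the hash the server would derive. The host name, date and query values are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// canonicalRequest assembles the SigV4 canonical request string.
// headers is keyed by lower-cased header name; signed lists the headers the
// client chose to cover. Query values are percent-encoded here, so the caller
// passes them raw. Duplicate query keys are not handled in this simplified form.
func canonicalRequest(method, path string, query url.Values, headers map[string]string, signed []string, payload []byte) string {
	// Canonical query string: keys sorted, key=value pairs joined with '&'.
	keys := make([]string, 0, len(query))
	for k := range query {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	pairs := make([]string, 0, len(keys))
	for _, k := range keys {
		pairs = append(pairs, url.QueryEscape(k)+"="+url.QueryEscape(query.Get(k)))
	}

	// Canonical headers: lower-cased names sorted, values trimmed, one per line.
	names := make([]string, len(signed))
	for i, h := range signed {
		names[i] = strings.ToLower(h)
	}
	sort.Strings(names)
	var canonHeaders strings.Builder
	for _, n := range names {
		canonHeaders.WriteString(n + ":" + strings.TrimSpace(headers[n]) + "\n")
	}

	// Hex SHA-256 of the payload closes the canonical request.
	sum := sha256.Sum256(payload)
	return strings.Join([]string{
		method,
		path,
		strings.Join(pairs, "&"),
		canonHeaders.String(),
		strings.Join(names, ";"),
		hex.EncodeToString(sum[:]),
	}, "\n")
}

// hashCanonical returns the hex SHA-256 of the canonical request, the value
// that is embedded in the SigV4 string-to-sign.
func hashCanonical(canonical string) string {
	sum := sha256.Sum256([]byte(canonical))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample search request against a fictional domain endpoint.
	body := []byte(`{"query":{"match_all":{}}}`)
	headers := map[string]string{
		"host":           "search-example.us-east-1.es.amazonaws.com",
		"x-amz-date":     "20240101T000000Z",
		"content-type":   "application/json",
		"content-length": fmt.Sprint(len(body)),
	}
	signed := []string{"host", "x-amz-date", "content-type", "content-length"}
	query := url.Values{"pretty": {"true"}}

	original := hashCanonical(canonicalRequest("POST", "/_search", query, headers, signed, body))

	// Simulate a proxy that rewrites a covered header before forwarding.
	tampered := make(map[string]string, len(headers))
	for k, v := range headers {
		tampered[k] = v
	}
	tampered["content-length"] = fmt.Sprint(len(body) + 2)
	rewritten := hashCanonical(canonicalRequest("POST", "/_search", query, tampered, signed, body))

	fmt.Println("client-side canonical hash:", original)
	fmt.Println("after header rewrite:      ", rewritten)
	fmt.Println("signature still valid:     ", original == rewritten)
}
```

When the service computes the signature from the request as it arrived, it builds this same canonical string; the mismatch message quoted in the question is exactly the case where the two hashes differ. Comparing the headers the client signed against what reaches the cluster (for example by pointing the client at a local listener that dumps the request) narrows the culprit down to the rewritten field.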

Policy uploading failed: EntitlementPolicyAdminServiceException in WSO2

I have installed WSO2 Identity Server and logged into the WSO2 management console. I am trying to import the policies into Identity Server, but it is showing an error saying that policy uploading failed: EntitlementPolicyAdminServiceIdentityException
Can you please tell me how to resolve this problem? Thanks in advance.
Please let us know the backend error logs that are printed in the WSO2 Identity Server console or in the wso2carbon.log files. I assume this may be because your policy is not valid according to the schema definition.