Is there a programmatic way to access and retrieve data from the Google Admin Dashboard Settings? - google-admin-sdk

Is there any way to get the settings data from the Google Admin Dashboard? I have a list of policies that need to be satisfied with this.
I've already gone through Google's documentation for the Workspace Admin SDK and none of the settings are exposed. It seems as though Google doesn't expose their settings API. I know scraping and then verifying is a possibility, but are there any other methods that could be followed to get these settings?
Some examples of the policies include:
Ensure login challenges are enforced
Ensure Google session control is configured
Ensure only authorized third-party applications are allowed
All of these policies are configurable through the UI. But I need a way to programmatically find out whether these settings are configured as they should be.

Related

How to redirect user to the Google consent screen?

I'm developing a web application that communicates with Google services (e.g. Gmail and Google Drive). So I have an OAuth 2.0 application created in my Google Workspace organization. It requires particular OAuth scopes to work correctly.
A lot of people currently use my application. Therefore, I added new features to it recently. However, the end user should grant access to additional scopes to use those features. One possible way to handle this is to ask the user to go to the Google Workspace Admin console (https://admin.google.com/) and find my application in the list of Google Workspace Marketplace Apps. Then he should manually grant the required Google service APIs (OAuth scopes). But this is not transparent enough. As a result, the user experience is not optimal. Moreover, my application cannot deduce whether the user granted permissions.
The best approach is redirecting the user to the Google consent screen when he opens my web application. As a result, he will be aware of the new functionality and can automatically enable it by granting required OAuth scopes.
How can I obtain the consent screen for my application and the target user organization?

Unable to protect Cloud Run with cloud.run.invoker permission

I have deployed a simple Cloud Run service with Flask and I want to limit access to users logged in to GCP only.
I have set the "Require authentication" option and added the cloud.run.invoker permission to myself, but I can't access the webserver.
However, if I make a curl request with the Authorization Bearer header in it, I can see the HTML of the page. What am I missing in order to see the page in the explorer? I know you could do this with a load balancer, but I prefer not to.
My objective is to allow GCP logged-in users to access a page hosted in Cloud Run.
For this to work from the browser directly, you'll need to have an extension or something similar that will modify the HTTP request to add the header, much like what you're achieving with curl. This extension may be useful for your use case.
This is mentioned in the GCP documentation right here, just at the bottom of the page.
However, this is not ideal, and if you want to authenticate any user coming in from GCP (i.e. an internal user), refer to this doc. You can make use of Identity-Aware Proxy to create an internal app that any user logged in and given permissions through GCP is going to be able to access.

Google Workspace: manage domain-wide delegation programmatically

I have an application that can manage Google Calendar within the Google Workspace of the company. The application contains more than one company.
I want to use domain-wide delegation. As described here or here, the admin of the workspace needs to add the service account ID and scopes manually.
Is there a way to do this programmatically?
After some research and also looking into Google Workspace's Admin SDK documentation here and here this does not seem to be an available option at the moment.
You may want to submit a feature request here for that.
For service or local applications, the admin has to manually generate the service account and grant this service account with domain-wide authorization. There is no way to do this programmatically (unless for pure SaaS applications).

Cannot view/create tenants in Google Identity Platform

I've got a GCP project shared with me with the "project owner" access.
So, I can open and manage the "Identity Platform" users.
But I can't open the "Tenants" page (it's loading infinitely).
So, maybe it requires some additional roles, although I'm an owner of the project and I have the following roles assigned:
App Engine Admin
Cloud Build Editor
Cloud Scheduler Admin
Environment and Storage Object Administrator
Cloud Datastore Owner
Firebase Admin
Logging Admin
Google Cloud Managed Identities Admin
Admin of Tenancy Units
Storage Admin
Storage Object Admin
Storage Transfer Admin
Some people also suggest opening the page in incognito mode, but unfortunately that is not my case.
I have also noticed that "Tenants" is currently in the BETA stage.
But I'm not sure if it's related somehow.
Thanks.
UPDATE:
Does it make sense to use Tenants in Google Identity Platform?
I'm the owner of my project and tenants work well. You must be lacking some permissions (and it's very hard to find information; I'm in contact with the PM, I will try to find out more).
About the relevance of tenants, it all depends on your use cases: if you have users from different contexts/customers and you want to manage authentication in a different manner according to this context.
If a customer doesn't pay, you can also deactivate the tenant and disrupt authentication (and thus the service) until payment.
Your use case has to make sense, not the technical capabilities.
UPDATE
About permissions, there are no predefined roles yet and you have to build a custom role for this. The list of permissions is the same as for Firebase.

What is the API used to add/remove/manage users of AWS Directory Service?

I am trying to programmatically add users to a "Simple AD" in the AWS Directory Service. There is indeed an API for managing the directory itself (http://docs.aws.amazon.com/directoryservice/latest/devguide/API_Operations.html), but I am unable to find anything similar for managing the users of the directory. Is there any way to do this via an API?
The Directory Service documentation suggests that the supported method of management is not via AWS APIs but rather via Active Directory management tools, simply connecting to the domain controllers. There is one user management endpoint in the DS API, namely ResetPassword. The WorkSpaces console (but not the API) allows user creation, and while the WorkDocs API appears to allow user creation, deletion, etc. it seems that those operations are only possible when the directory is enabled for WorkDocs, which may not be desirable if you're not actually using the service.
There is no API for that.
You must use Microsoft's tool for managing Active Directory users / groups.