Twitter callback not working with Cloud Run - flask

I'm trying to create a website to make F1 predictions with flask
We started developing in Heroku, and the twitter API is already configured, you can check
https://demoflaskdance.herokuapp.com/
But now we are moving to Cloud Run as Heroku does not support pyodbc. We deployed our project, with the same code, and added to apps.twitter.com the urls, but when trying to log in with the link that google provided https://demo-flask-dance-kjomqyaifq-ew.a.run.app
we get an error and says that the URL is not authorized
Any help? Thanks

If your Cloud Run application does not require authenticated access, enable public access.
Go to the Google Cloud Console.
Select the service you want to make public.
Click Show Info Panel in the top right corner to show the Permissions tab.
In the Add members field, allUsers
Select the Cloud Run Invoker role from the Select a role drop-down menu.
Click Add.
Allowing public (unauthenticated) access
If you require authenticated access see this document:
Authentication overview

Related

Unable to protect Cloud Run with cloud.run.invoker permission

I have deployed a simple Cloud Run service with Flask and I want to limit the access to logged users in GCP only.
I have set the "Require authentication" option and added the cloud.run.invoker permission to myself, but I can't access the webserver.
However, if I make a curl request with the Authorization Bearer in it, I can see the HTML of the page. What am I missing in order to see the page in the explorer? I know you could do this with a load balancer but I prefer not to.
My objective is to allow GCP logged users to access a page hosted in Cloud Run
For this to work from the browser directly, you'll need to have an extension or something similar that will modify the HTTP request to add the header - much alike to what you're achieving with curl. This extension may be useful for your use-case.
This is mentioned in GCP documentation right here, just at the bottom of the page.
However this is not ideal, and if you want to authenticate any user coming in from GCP (i.e an internal user), refer to this doc. You can make use of Identity Aware Proxy to create an internal app that any user logged in and given permissions through GCP is going to be able to access.

How to give user access to GCP jupyterlab via "OPEN JUPYTERLAB" link in AI Platform console

... without giving access to everything in project with Roles like Editor.
Apparently giving access to Notebooks Admin is not sufficient. User gets 403 error.
Turns out that authentication for the notebook proxy that is automatically set up by google requires that user has access to use the default compute service account. So, apart from giving proper role like Notebooks Admin. You need to:
Locate the default compute service account for your project
Give user in question access to Role "Use Service Account" on the service account permissions tab.

Permissions denied for Google Cloud Scheduler

I am trying to create a Cloud Scheduler but when I click on Cloud Scheduler, I receive the error: There was an error while loading /cloudscheduler?folder=&organizationId=&project=my+project. You are missing at least one of the following required permissions:Project cloudscheduler.jobs.list
When I check the permissions for the same project in my service account I see I have been granted all Cloud Scheduler permissions. Attached is the screenshot.
The message indicates that the identity that you are using to access Cloud Scheduler does not have the required permission.
I recommend double-checking which identities you are using.
If you are using the Google Cloud Console, there is a person icon located at the top right of your browser. That will tell you the identity that you are using.
The console is basically the user interface that appears after logging from here.
So yes, when you click the hamburger menu, you are in the GCP console.

Enabling Google Platform APIs

I am a total GCP noob - I've literally just signed up to use one of the APIs.
I tried to follow these steps from here , but got stuck when trying to enable the APIs.
I came across this, which tells me: You need permission serviceusage.services.enable on the project and permission servicemanagement.services.bind on the API to enable it.
There is a link with information on it, but this means nothing to me. I have managed to find and IAM & Admin page for my project, but can't find a way to do the above.
All help is appreciated.
To enable the API on you GCP project follow the steps :-
I. Go to dashboard
II. From Navigation Menu go to "API and Services" dashboard and then click on “Enable API and Services”
III. Search for the APIs you need to enable(Cloud IOT, Dataflow API, Cloud Pub/Sub)
IV. Then click on enable API
From "IAM and Admin" page you get the service credentials key or json key which enables you to access you gcp project from command line interface.
To get the service credentials key follow the steps :-
I. Go to the link for getting service key : https://console.cloud.google.com/apis/credentials/serviceaccountkey
II. Under the heading of “Service Account” select a new service account and then give a name to your service account and select the role as owner{Project<Owner}.
III. Under the key type select JSON and click on ‘Create’
IV. A file will be automatically downloaded on your device.

Google Cloud Build - View logs permissions

I am the owner of a project and want to give Permissions to another user to view Logs of Google Cloud Build, but I can not figure out which Role / Permission this user needs.
Roles I've unsuccessfully tried are:
Cloud Build Editor,
Cloud Build Viewer,
Stackdriver Debugger Agent,
Stackdriver Debugger User,
Cloud Trace Admin,
Logging Admin,
Private Logs Viewer,
Logs Viewer,
Monitoring Admin
Google Cloud enterprise support confirmed to me that the only role that currently grants this is the project-level Viewer permission (or Editor/Owner).
One workaround is to set the --gcs-log-dir flag when submitting a build to a bucket you control (rather than the default Google-managed gs://[PROJECT_NUMBER].cloudbuild-logs.googleusercontent.com/ bucket).
They're tracking making a more granular permission in this feature request: https://issuetracker.google.com/issues/134928412, which you can subscribe to updates on.
If you add the project viewer role then this will resolve the issue. But, it seems like this is an issue (or maybe a feature request - to add the necessary permission to the Logs Viewer so that logs outside of the Stackdriver logging page can be viewed in other UIs as well), looking at the documentation it says "roles/viewer (Project Viewer) gives members the same permissions as roles/logging.viewer at the project level. " which means that by just assigning the Logs Viewer then it should have given the user the necessary permission to view the logs at the Cloud Build UI.