curl -X "POST" "https://my.tapkey.com/api/v1/owners/xxx/grants/xxxx/revoke" \
-H 'Authorization: Bearer xxxx'
I get
{"Message":"The requested resource does not support http method 'POST'."}
I created a grant and I wanted to delete it because I was testing. I thought that revoke can be something similar. I guess I am wrong about the grant concept here.
Is there a way to delete grants?
Why the error message is telling me that the revoke endpoint does not support POST?
As specified in the documentation for this endpoint, you need to specify dryRun query parameter.
https://my.tapkey.com/api/v1/owners/xxx/grants/xxxx/revoke?dryRun=false
Related
We are trying to upload files to GCP bucket using the below cURL
curl -v --location --request POST 'https://storage.googleapis.com/upload/storage/v1/b/<bucketName>/o?uploadType=media&name=<path>' --header "Authorization: $AUTH_HEADER" --header 'Content-Type: application/java-archive' --data-binary '#'${OBJECT_NAME}
Currently we are generating AUTH_HEADER using gcloud auth print-access-token but this seems like a short lived token. Is there any way we can generate permanent token? Actually we are trying to automate upload process using CI/CD pipelines. If we could get a permanent access token we can encrypt and use it on the CI job itself.
access tokens are short lived by design. It comes back to the fact that access tokens are bearer tokens and will work for the bearer of the token until the token has expired with out any extra security checking. This means if you have a permeant access token and its stolen then the person stealing it is
With gcloud I am logged into a terminal window with my email address, me#gmail.com. This project has the Gmail API enabled, and I am owner of this config. gcloud auth list shows
`Active Account`
`*me#gmail.com`
gcloud projects get-iam-policy $PROJECT shows that me#gmail.com as owner
I have an Oauth client/secret created in the project. My intent it to generate an access token to authenticate to the gmail API via the terminal with
`curl -H "Authorization: Bearer $(gcloud auth print-access-token)" https://gmail.googleapis.com/gmail/v1/users/me/labels`. (me is my actual email address)
Doing so gives me a 403. I can, however, use https://developers.google.com/oauthplayground/
and get a token with my particular scopes fine. Do I need to pass the Oauth Client Id to print-access-token? Why wouldn't owner have permissions over all possible actions in an API that's enabled?
EDIT: I have tried logging with auth application-default credentials as well with the same result.
TIA
You don't have the correct scope. You need to correctly scope your credential. Start by using this command to add the scope that you want in your credential
gcloud auth application-default login \
--scopes='https://mail.google.com/',\
'https://www.googleapis.com/auth/cloud-platform'
Then use the application-default access_token to call your service
curl -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
https://gmail.googleapis.com/gmail/v1/users/me/labels`. (me is my actual email address)
It should work better.
I want to be able to invoke a GloudRun endpoint by one of my GKE pods.
When I describe my VMs/instances that comprise my GKE cluster, I see
serviceAccounts:
- email: 873099409230-compute#developer.gserviceaccount.com
So I added the CloudRun Invoker role to the above service account.
I have enabled CloudRun with Authentication Required.
However when I exec to one of my pods and try to curl the endpoint I get 403 (which I also get from my laptop, but the later is expected).
Any suggestions?
Curl don't know Google Cloud security. I mean that cURL don't know how to add the security token to your request. For this, you have to explicitly add the token in the header of your request.
From my computer I use this, because it's my personal account which is defined in Gcloud SDK.
curl -H "Authorization: Bearer $(gcloud config config-helper --format='value(credential.id_token)')" <URL>
With a service account defined in gcloud, you can use this command
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" <URL>
In both case you have to add the authorization header to your request.
In your code, if you use google libraries, you can use default credential, your default compute service-account will be used. cURL don't know do this!
I was checking out a couple methods from amazon-api-gateway-developer-guide and I stumbled with api-gateway-export-api, I managed to get the AWSCLI command (aws apigateway get-export --parameters extensions='apigateway' --rest-api-id abcdefg123 --stage-name dev --export-type swagger latestswagger2.json --profile profile --region us-east-1) working by adding the --profile and --region parameters, but for whatever reason I can't get the Request URL to return the API definition response.
I am trying to do the following couple things (Postman):
GET request with the URL: https://apigateway.us-east-1.amazonaws.com/restapis/abcdefg123/stages/dev/exports/oas30
Add authorization type AWS-Signature to the request with all the
parameters filled (AccessKey, SecretKey, AWS Region,
Service Name and Session Token)
The Authorization, x-Amz-Date and x-Amz-Security token are generated successfully, as far as I can tell
I am also sending a the headers Host (apigateway.us-east-1.amazonaws.com) and Accept (application/yaml)
This results in the following error:
{"logref":"2734hu2r2873","message":"User:
arn:aws:sts::7216832187:assumed-role/DEVELOPER/xxxx is not authorized to perform:
apigateway:GET on resource:
arn:aws:apigateway:us-east-1::/restapis/abcdefg123 /stages/dev/exports/oas30"}
I was actually getting the same error with the AWSCLI command before I added the --profile and --region parameters. I already checked out a couple posts about issues like mine, this one is an example export swagger api definition from api gateway via http request?, but I am doing basically the same thing (sending the same headers, same host and URL) and getting this error. I don't think my access key, secret key, token or any of that information might be wrong... because it's the credentials I use for the AWSCLI command.
Thank you for the taking the time to read and/or reply to my post, I really appreciate any feedback in anything.
The point of trying to get this request to work is that I wanted to add it as an HTTP proxy to an API, unfortunately I couldn't get it to work.
My problem was that I have a couple profiles in my session and each one of them has different permissions, I found no way to specify the profile I wanted to use in the request and thus it caused the error mentioned above.
In the end I opted to write a Lambda function with proxy integration and everything went fine, after giving the lambda profile the apigateway:GET permission.
If I have a misconception about anything I wrote about or I am using a term in an incorrect way please correct me, I am still fairly new to AWS and have a lot to learn!
I am trying to call the IAM api using curl, specifically the organizations.roles.list method.
https://cloud.google.com/iam/reference/rest/v1/organizations.roles/list
From the docs, my request should be constructed like this:
https://iam.googleapis.com/v1/organizations/<org-id>/roles
However, calling it results in this error:
{ "error": {
"code": 404,
"message": "Method ListRoles not found for service iam.googleapis.com",
"status": "NOT_FOUND" } }
Full request: curl -H "Authorization: Bearer $(gcloud auth print-access-token)" https://iam.googleapis.com/v1/organizations/<org-id>/roles
What am I doing wrong?
According to the docs, the endpoint https://iam.googleapis.com/v1/organizations/<ORG_ID>/roles is used to list the roles defined at the organization level (i.e. custom roles).
To get the list of default roles (pre-defined roles, curated roles, whatever you want to call them...), you must call the API without specifying any resource:
curl -H"Authorization: Bearer $(gcloud auth print-access-token)" https://iam.googleapis.com/v1/roles
So, to get the complete list of roles in your resource (be it a project or an organization), you have to get the curated roles and aggregate them to the custom roles defined at the resource level, and the custom roles defined on the parent resources (so, to get the roles in a project, you get the curated ones+project custom roles+parent org custom roles).
As to the error you were receiving, I'm not receiving it now when testing it. I've run some tests and I'm receiving:
403 when I don't have the proper permissions
200 with empty response ({}) when there are no custom roles defined
200 with a list of roles as defined in the docs when there are custom roles defined in the resource
Since the question is from Jul '17, and the custom roles started their beta on Sep '17, I'm assuming you were too quick to test the API, and that's the reason for the 404 you were receiving.