Google Calendar API - Service Account - Impersonate User - google-cloud-platform

I have some difficulty getting user impersonation with a service account to work on the Google Calendar API.
To give the service account rights on the calendar, I created the calendar with the SA account so that it has full access rights.
I'm trying to add an event as any user of the domain.
I'm setting up $client with the impersonated user:
```php
// JSON_CREDENTIAL_SA_FILE: path to the service account's JSON key file (placeholder)
putenv('GOOGLE_APPLICATION_CREDENTIALS=' . JSON_CREDENTIAL_SA_FILE);
$client = new Google_Client();
$client->useApplicationDefaultCredentials();
// Scopes and the subject must be set before the credentials are built,
// so addScope()/setSubject() come before authorize()
$client->addScope([Google_Service_Calendar::CALENDAR]);
$client->setSubject(EMAIL_USER_TO_IMPERSONATE); // Workspace user to act as (placeholder)
$client->authorize();
```
But when I try to add an event:
```php
$service = new Google_Service_Calendar($client);        // service object built from the configured client
$event = new Google_Service_Calendar_Event($EventObj);  // $EventObj: array of event fields
$event = $service->events->insert($AgendaID, $event);    // $AgendaID: ID of the SA-created calendar
```
The Google API returns "A service error occurred | reason:NotFound"; it seems the impersonated user can't find the SA calendar ID.
The calendar ID is not shared with the impersonated user.
In Google Cloud Platform, I created the service account and checked the domain-wide delegation checkbox.
On the IAM panel, the service account's email is Owner. I gave the impersonated user the Service Account Token Creator or Owner role in my project to try, but I get the same issue as described here.
In Google Admin, I gave the service account's ID the needed scope under Security => API Command => https://www.googleapis.com/auth/calendar
I was thinking that when using setSubject, it's like using the SA but as a user.
Insert works if I comment out $client->setSubject(...);
I really don't understand why any user of the domain can't be used to write to the SA calendar.
Did I miss a configuration in Google Cloud Platform or Google Admin?
Thanks for your help.

Related

Cannot update DataStudio resource connection to use service account

I have a DataStudio dashboard which contains a dataset resource connection to a BigQuery table which is currently authenticated using an individual user's account.
I want to change that to use a service account.
In order to do that, I followed this guide, which means I have:
Created a service account
Added the BigQuery Job User role to the service account
Added the Service Account Token Creator role to the service account
Added the BigQuery Data Viewer role to the service account (associated to the correct BigQuery table)
Ensured that my account is added as a Service Account User on the service account
On the DataStudio dashboard, I then navigate to:
Resource > Manage Added Data Sources > Select the specific data source > Click on the blade with the current user account being used to authenticate.
When I try to insert the service account details in the window, I see the error message below.
I've followed the link (which leads back to the original guide). The link says I need to add the Service Account Token Creator to the service account, which I've confirmed through the following:
Now I'm stumped! What could be the reason why I cannot authenticate the connection using the service account?
I figured it out.
The problem was that the Service Account Token Creator role was assigned to the service account and not the service agent.
This link describes the process of setting up a service account for authenticating Data Studio data sources. Although it's got all the info there, the devil is in the detail in Step 2: Allow the Looker Studio service agent to access your service account.

Access GCP project with company email "nongmail" and password

I am very new to GCP and need some help on how to access GCP project.
I have an assessment given by an employer to install an application in GCP. I am provided with a company "non Gmail" email ID/password, and a link to the project. I have looked for resources online but do not know how to access this project. When I try to access it via browser using this email, I get an error saying this is not a Gmail ID. Can someone guide me on how I can access a GCP project with a non-Gmail ID? I appreciate your help.
Access your google project:
[ INSERT project link: https://console.cloud.google.com/home/dashboard?project=single-project ]
Username: user#companyname
Password: *******
Update:
The user name had a typo and I was provided with correct user details later.
You cannot access GCP projects with a non-Gmail ID unless it is associated with a Google Workspace or Cloud Identity account.
If the email doesn't work, the company probably didn't add the email account to the Google project (IAM roles), or the email is not registered with a Cloud Identity. You can only log into the GCP console using Google's credentials, and for that you need a Google user account. If your account is a company email account, the admin has to create the user in their identity.
Refer to the link for accessing a GCP account.
EDIT:
As #syed fayaz said, we also need to check whether we have any typing error in the credentials.

Cross GSuite Organizations Domain-Wide Delegation

Consider this scenario:
I have two domains: domain1.net and domain2.net.
I have GCP enabled on domain1.net and created a Service Account here that has Domain-Wide Delegation Enabled.
The CLIENT ID from this Service Account is configured on domain1.net GSuite Admin Console as domain wide delegation and has the following OAuth2 scopes enabled:
```python
SCOPES = [
    'https://www.googleapis.com/auth/admin.directory.group',
    'https://www.googleapis.com/auth/admin.directory.group.readonly',
    'https://www.googleapis.com/auth/admin.directory.group.member',
    'https://www.googleapis.com/auth/admin.directory.group.member.readonly',
]
```
I have a Cloud Function that uses the Service Account's rights to create an OAuth2 JWT, to be able to access GSuite domain1.net APIs. Code Sample Here.
The user to impersonate in GSuite has Group Admin roles to be able to create GSuite Groups.
All this configuration works perfectly; I am able to create Groups in domain1.net using a Cloud Function in the domain1.net GCP env.
But if I use the same Service Account CLIENT ID in domain2.net, giving the same OAuth2 scopes, creating a user with Group Admin roles and using this user to create new groups, it doesn't work.
Error:
Error with oauth2client==4.1.3:
oauth2client.client.HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.
Error with google.oauth2:
googleapiclient.errors.HttpError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.
Now, the above error code, unauthorized_client, found in this documentation, specifies that the CLIENT ID is incorrect and that I might have used the Service Account's email, which I did not.
Is Domain-Wide Delegation capable of working across GSuite organizations (different domains)?
I know that it works in any sub-domain of domain1.net but not in any other GSuite organization (a different domain like domain2.net).
I have good news for you (This won't answer your question but will solve your problem)!
You won't need to impersonate an admin anymore to create groups. Google just last week announced that the Cloud Identity Groups API will now allow for Group Management via API w/o impersonating an admin.
Take a look at these update blogs:
https://gsuiteupdates.googleblog.com/2020/08/use-service-accounts-google-groups-without-domain-wide-delegation.html
https://gsuiteupdates.googleblog.com/2020/08/service-accounts-in-google-groups-beta.html
https://gsuiteupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
I can't help you with the actual question, tho; that's just not my territory.
A service account belongs to the application for which you created it. If this application belongs to domain1.net, the service account will be able to impersonate accounts from domain1.net, not from any other domain.
If you want a service account to impersonate users from domain2.net, create another service account on a GCP project that belongs to domain2.net.
Reference:
Using OAuth 2.0 for Server to Server Applications
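The two questions above (setSubject on the Calendar client, and the unauthorized_client error when the impersonated user lives in another domain) are two ends of the same exchange. The added example below is not from any of the posts or from Google's libraries: it builds the claim set of the signed assertion that a client library posts to the token endpoint, showing that setSubject()/with_subject() only add the optional sub claim, and then simulates the server-side check with a constructed registry of domain-wide delegation grants (a grant is looked up in the Workspace domain that owns the sub user, keyed by the service account's numeric client ID, and must cover every requested scope). The account names, client ID and the registry are constructed for the example; the signature step is omitted because it needs the service account's private key.

```python
import base64
import json
import time

# Constructed sample values; none of these are real accounts or IDs.
TOKEN_URI = "https://oauth2.googleapis.com/token"
SA_EMAIL = "group-bot@example-project.iam.gserviceaccount.com"
SA_CLIENT_ID = "100000000000000000001"   # placeholder: numeric OAuth client ID of the SA
GROUP_SCOPE = "https://www.googleapis.com/auth/admin.directory.group"


def build_assertion_claims(sa_email, scopes, subject=None, now=None, lifetime=3600):
    """Claim set of the JWT a client library signs with the SA private key and
    posts to the token endpoint. setSubject()/with_subject() only add the
    optional 'sub' claim: without it the access token acts as the service
    account itself, with it the token acts as that user."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": sa_email,            # who signs: the service account
        "scope": " ".join(scopes),  # space-separated OAuth scopes
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,      # at most one hour
    }
    if subject is not None:
        claims["sub"] = subject     # the Workspace user to impersonate
    return claims


def encode_segment(obj):
    """base64url without padding, as used for a JWT header and payload."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_segment(segment):
    pad = "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment + pad))


def unsigned_assertion(claims):
    """header.payload of the RS256 assertion; the '.signature' part is left
    out because producing it needs the SA private key."""
    return encode_segment({"alg": "RS256", "typ": "JWT"}) + "." + encode_segment(claims)


class DelegationRegistry:
    """Simulation of the domain-wide delegation grants an admin enters in the
    Workspace admin console. A grant belongs to the domain of the impersonated
    user and is keyed by the SA's client ID, not its email address."""

    def __init__(self):
        self._grants = {}   # (domain, client_id) -> set of authorized scopes

    def authorize(self, domain, client_id, scopes):
        self._grants.setdefault((domain, client_id), set()).update(scopes)

    def exchange(self, claims, client_id):
        """Decision the token endpoint makes for one assertion."""
        requested = set(claims["scope"].split())
        subject = claims.get("sub")
        if subject is None:
            # No impersonation: the SA gets a token for itself, no grant needed.
            return {"principal": claims["iss"], "scopes": sorted(requested)}
        domain = subject.split("@", 1)[1]
        granted = self._grants.get((domain, client_id), set())
        if not requested <= granted:
            return {"error": "unauthorized_client",
                    "missing_scopes": sorted(requested - granted)}
        return {"principal": subject, "scopes": sorted(requested)}


def demo(now=1_600_000_000):
    reg = DelegationRegistry()
    reg.authorize("domain1.net", SA_CLIENT_ID, [GROUP_SCOPE])   # only domain1's admin did this
    out = {}
    for label, subject in (("self", None),
                           ("domain1", "admin@domain1.net"),
                           ("domain2", "admin@domain2.net")):
        claims = build_assertion_claims(SA_EMAIL, [GROUP_SCOPE], subject, now=now)
        out[label] = reg.exchange(claims, SA_CLIENT_ID)
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running it shows the three outcomes side by side: no sub yields a token for the service account itself (the Calendar insert that works without setSubject), a sub in the domain that registered the client ID yields a token for that user, and a sub in a domain with no matching grant yields unauthorized_client, the same error text as in the question.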

How to give service account access to two projects?

Using Google Cloud, there exists a BigQuery View table that queries two projects.
However, on the project where the view is located, we wish to run a query against it from Airflow/Composer. Currently it fails with a 403.
AFAIK it will use the default composer service account - however it doesn't have access to the 2nd project used in the sql of the view.
How do I give composer's service account access to the second project?
Think about a service account like a user account: you have a user email that you authorize on different projects and components. It's exactly the same thing with the service account email.
The service account belongs to a project. A user account belongs to a domain name/organisation. No real difference in the end.
So, you can use a service account email like any user account:
Grant authorization in any project
Add it to Google Groups
Even grant it the viewer or editor role on GSuite documents (Sheets, Docs, Slides, ...) to allow it to access and read/update these documents!! Like any user!
EDIT
With Airflow, you can define connections and a default connection. You can use this connection in your DAG and thus use the service account that you want.
I think you have to add the service account into project IAM.

Share Google group permissions with GCP service account

A Google group of which I'm a Manager has been granted certain permissions to access certain BigQuery tables. Effectively, all users in the group can access those tables using their personal credentials.
I would like to share those permissions with a service account and access the tables using service account credentials.
Is this possible? How to configure it?
A service account is generally used for server-to-server communication (between applications). With that in mind, a service account has an associated email address just like the ones associated with your personnel. So, you can assign roles/permissions to the service account using its email, just like you assigned them to your group.
I hope that the following steps help you in some manner:
Create a service account.
Assign predefined BigQuery roles (Admin, DataEditor, User, etc).
Download its json file which contains the credentials.
Use those credentials to authenticate and authorize your application.
To add a specific permission (owner, edit or view) on a specific dataset you can use its service account email.
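The three IAM-related threads above (the Token Creator binding for the Looker Studio service agent, giving Composer's service account access to a second project, and sharing a group's BigQuery access with a service account) all come down to editing an IAM policy or a membership list. The added example below is not code from any of the posts or from Google; it models the read-modify-write step on a policy in the shape getIamPolicy returns, shows that a binding on the service account's own policy is what lets another principal mint tokens for it, resolves group membership when checking who effectively holds a role, and produces the dataset-level access entry that is the narrower alternative to a project-wide role. The policies, group membership and principals are constructed, and the Looker Studio service agent email is a labelled placeholder.

```python
import copy

# Constructed principals in IAM member syntax; none are real.
SA = "serviceAccount:etl-job@example-project.iam.gserviceaccount.com"
GROUP = "group:bq-readers@example.com"
ALICE = "user:alice@example.com"
# Placeholder for the Looker Studio service agent principal; take the real
# value from the guide linked in the answer above.
LOOKER_SERVICE_AGENT = "serviceAccount:LOOKER-STUDIO-SERVICE-AGENT-PLACEHOLDER"

# Constructed project policy in the shape getIamPolicy returns.
PROJECT_POLICY = {
    "version": 1,
    "etag": "BwXplaceholder=",
    "bindings": [
        {"role": "roles/bigquery.dataViewer", "members": [GROUP]},
        {"role": "roles/bigquery.jobUser", "members": [ALICE]},
    ],
}

# Constructed policy of the service account resource itself (initially empty).
SA_POLICY = {"version": 1, "etag": "BwYplaceholder=", "bindings": []}

# Constructed Google Groups membership, as the group would resolve it.
GROUP_MEMBERS = {GROUP: {ALICE}}


def add_binding(policy, role, member):
    """One read-modify-write step: a copy of `policy` with `member` bound to
    `role`. Idempotent, and the etag is carried over so that setIamPolicy
    rejects the write if someone changed the policy in between."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def add_group_member(groups, group, member):
    """Copy of the group membership map with `member` added to `group`."""
    new = {g: set(m) for g, m in groups.items()}
    new.setdefault(group, set()).add(member)
    return new


def has_role(policy, role, principal, groups=None):
    """True if `principal` holds `role` directly or through a bound group."""
    groups = GROUP_MEMBERS if groups is None else groups
    bound = set()
    for binding in policy["bindings"]:
        if binding["role"] == role:
            bound.update(binding["members"])
    if principal in bound:
        return True
    return any(principal in groups.get(g, set())
               for g in bound if g.startswith("group:"))


def dataset_access_entry(member, role="READER"):
    """Entry for a BigQuery dataset's `access` list, the narrower alternative
    to a project-wide role. The dataset resource uses userByEmail/groupByEmail
    rather than the IAM member prefixes."""
    kind, email = member.split(":", 1)
    key = "groupByEmail" if kind == "group" else "userByEmail"
    return {"role": role, key: email}


def demo():
    # Second project: grant the Composer/ETL service account directly.
    via_binding = add_binding(PROJECT_POLICY, "roles/bigquery.dataViewer", SA)
    # Same outcome by adding the SA to the group that already holds the role.
    via_group = add_group_member(GROUP_MEMBERS, GROUP, SA)
    # Looker Studio: the Token Creator binding goes on the SA's own policy,
    # with the service agent (not the SA) as the member.
    sa_policy = add_binding(SA_POLICY, "roles/iam.serviceAccountTokenCreator",
                            LOOKER_SERVICE_AGENT)
    return {
        "sa_direct": has_role(via_binding, "roles/bigquery.dataViewer", SA),
        "sa_via_group": has_role(PROJECT_POLICY, "roles/bigquery.dataViewer", SA, via_group),
        "agent_can_mint": has_role(sa_policy, "roles/iam.serviceAccountTokenCreator",
                                   LOOKER_SERVICE_AGENT),
        "dataset_entry": dataset_access_entry(SA),
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when adapting this to real calls: the etag must be sent back unchanged with setIamPolicy so a concurrent edit is rejected instead of silently overwritten, and a principal that can hold roles/iam.serviceAccountTokenCreator on a service account can act as that account everywhere it has access, so that binding deserves the same review as an Owner grant.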