I get the following environment-dependent error in terraform - google-cloud-platform

I get the following environment-dependent error in terraform.
What action should I take to resolve it?
Error: Post "https://composer.googleapis.com/v1beta1/projects/project/locations/asia-northeast1/environments?alt=json&prettyPrint=false": Post "https://oauth2.googleapis.com/token": dial tcp 172.217.25.202:443: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
The error that was output when opening the above url is as follows.
{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED"
  }
}
The terraform code used is as follows.
resource "google_storage_bucket" "auto-expire" {
name = "auto-expiring-bucket"
location = "US"
}
terraform apply without any arguments.

You would need to follow this Terraform doc adding-credentials to set up credentials.
Related access_token client_config.
This could also happen if your config is extremely large, as those tokens time out after an hour.

Related

How to resolve "Access to requested resource is denied"?

I am getting the following when sending a marketplaceParticipations request to sellers/v1/marketplaceParticipations via Postman after following instructions and examples provided at https://developer-docs.amazon.com/sp-api/docs/connecting-to-the-selling-partner-api
{
"errors": [
{
"message": "Access to requested resource is denied.",
"code": "Unauthorized",
"details": ""
}
]
}
We have registered a self-authorized app client in Draft status which has a user ARN IAM attached as described at https://developer-docs.amazon.com/sp-api/docs/registering-your-application.
I've checked the inline and role policies for the ARN IAM. They are exactly as described at https://developer-docs.amazon.com/sp-api/docs/creating-and-configuring-iam-policies-and-entities#step-4-create-an-iam-role.
We are able to successfully request an LWA access token following the docs at https://developer-docs.amazon.com/sp-api/docs/connecting-to-the-selling-partner-api#step-1-request-a-login-with-amazon-access-token.
Please check that the roles of the user you are using allow you to make requests to that endpoint in your dev profile at https://sellercentral.amazon.com/
As far as I know, the getMarketplaceParticipations doesn't need a Restricted Data Token (RDT). So you must be able to solve it by giving the user the correct roles.
I was able to get them using Postman. It is a good way to check that the request is correctly built and not a programming issue.

"oauth2: cannot fetch token: 401 Unauthorized" happens sometime in Google Workspace Directory API

I created code which gets the members' information via the Google Workspace Directory API. This code is executed every day, and sometimes I face the error "oauth2: cannot fetch token: 401 Unauthorized".
The bad thing is that this error happens only 1-2 times per month, and I cannot reproduce it myself. I mean, if I re-execute the code after facing this error, it works well.
I paste full error message below:
"failed to get the members by email, email ="***#***": Get "https://admin.googleapis.com/admin/directory/v1/groups/***": oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}"
API is executed by using Service Account which has appropriate roles below:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
Is the only better solution to use exponential backoff?
Thank you in advance.

Template file failed to load with Dataflow bulk delete api

I'm using the REST API template provided from https://cloud.google.com/dataflow/docs/guides/templates/provided-utilities#api_2 to delete from datastore but I'm getting the following error
"error": {
"code": 403,
"message": "(55ae8f210de971e7): Template file failed to load: gs://dataflow-templates/dataflow-templates/latest/Datastore_to_Datastore_Delete. Permissions denied. Provided scope(s) are not authorized",
"status": "PERMISSION_DENIED"
}
It says the scope isn't authorized but the docs say you only need one of the following: https://www.googleapis.com/auth/compute.readonly, https://www.googleapis.com/auth/compute, https://www.googleapis.com/auth/cloud-platform or https://www.googleapis.com/auth/userinfo.email.
For my oauth2 request I tried adding the devstorage scope as well: https://www.googleapis.com/auth/compute.readonly https://www.googleapis.com/auth/devstorage.read_only
I'm calling POST https://dataflow.googleapis.com/v1b3/projects/{projectid}/templates:launch?gcsPath=gs://dataflow-templates/latest/Datastore_to_Datastore_Delete
With
{
jobName: 'PrunePrintLogs',
environment: { zone: 'europe-west2' },
parameters: {
datastoreReadGqlQuery: 'select * from `00000000test`',
datastoreReadProjectId: '{projectid}',
datastoreDeleteProjectId: '{projectid}'
}
}
My project id is redacted.
I added the Owner role to the account getting the oauth2 token just temporarily for testing so wouldn't all scopes be authorized?
Got it working. Firstly I needed to remove the 'environment' parameter. Secondly I set scope to 'https://www.googleapis.com/auth/cloud-platform'. It also seems the role needs to be Editor, I wasn't able to find a more restrictive role to get it working.
Curiously, when I sent the request from Postman it shows up in Dataflow jobs as sdk 2.27.0, but I'm sure I'm sending exactly the same from my node app using axios and it shows up as sdk 2.20.0 and warns that it will eventually be no longer supported.

AzureAD Google Cloud Connector user provisioning failure

While testing automated user/group provisioning with the AzureAD Google Cloud EA, I am seeing a number of HTTP 403 errors at the Scoping phase of the user provisioning process that look like below:
Description: Failed to evaluate scoping of a source entry User 'user#foobar.com'
Error Code: GoogleAppsCannotAccessResourceOrApi
Error Message: An error has occurred when our provisioning service tried to evaluate scoping of a source entry.
{
"error": {
"code": 403,
"message": "Not Authorized to access this resource/api",
"errors": [
{
"message": "Not Authorized to access this resource/api",
"domain": "global",
"reason": "forbidden"
}
]
}
}
To note: This issue affects many users but not all of them. Many more are successfully provisioned.
Also, to note: There are no scoping filters in place (source scope is "All records").
This looks similar to azure ad user provisioning with g suite but that question hasn't been answered and I tried removing the user's manager from the attribute mapping (as implied in the last response) but no luck.
So I figured out the issue. First, it turns out that the problem has nothing to do with scoping, regardless of what the provisioning logs were saying.
My problem was that I perform a custom attribute re-mapping of the users' UPN, as G Suite is configured for another domain, and that I forgot that we have a mishmash of upper and lower case domain names in our users' UPNs.
My expression failed to normalize the UPNs to lowercase before performing a case-sensitive replacement for the old domain to the new domain. Once I added a ToLower expression, the scoping errors went away.
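
The failure described in this answer, as an added example that is not part of the original post: a case-sensitive domain replacement beside the lowercase-first version, plus an audit that lists which source UPNs the case-sensitive mapping would leave on the old domain. The function names, the sample UPNs and the domains corp.example and gsuite.example are constructed for illustration.

```python
# Added illustration; names, UPNs and domains below are constructed samples.

def map_upn_case_sensitive(upn, old_domain, new_domain):
    """Mapping as described before the fix: exact-case domain replacement."""
    return upn.replace("@" + old_domain, "@" + new_domain)


def map_upn_normalized(upn, old_domain, new_domain):
    """Lowercase the UPN first (the ToLower step), then swap the domain."""
    local, sep, domain = upn.lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a UPN: {upn!r}")
    if domain == old_domain.lower():
        domain = new_domain.lower()
    return f"{local}@{domain}"


def audit(upns, old_domain, new_domain):
    """List (source, case-sensitive result, normalized result) for every UPN
    that the case-sensitive mapping fails to move to the new domain."""
    missed = []
    for upn in upns:
        naive = map_upn_case_sensitive(upn, old_domain, new_domain)
        fixed = map_upn_normalized(upn, old_domain, new_domain)
        if naive.lower() != fixed:
            missed.append((upn, naive, fixed))
    return missed


# Constructed directory export with mixed-case domains.
SAMPLE_UPNS = [
    "alice@corp.example",
    "Bob@Corp.Example",
    "carol@CORP.EXAMPLE",
    "dave@other.example",
]

if __name__ == "__main__":
    for src, naive, fixed in audit(SAMPLE_UPNS, "corp.example", "gsuite.example"):
        print(f"{src}: case-sensitive -> {naive}, normalized -> {fixed}")
```

Running the audit over a directory export before enabling provisioning shows which accounts would be sent to the target with an unmapped domain, which is what surfaced here as 403 errors for some users but not others.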

How to use the extensionId on RingCentral API with RingOut

I can RingOut successfully requesting:
https://platform.ringcentral.com/restapi/v1.0/account/~/extension/~/ring-out
But when I want to add the extension id I get a CMN-102 error (Resource for parameter [extensionId] is not found) see request example below:
https://platform.ringcentral.com/restapi/v1.0/account/~/extension/279580017/ring-out
I'm pretty certain I have the correct id as I'm grabbing the extensionId from the request below successfully:
https://platform.ringcentral.com/restapi/v1.0/account/~/extension
If anyone has run into this or can point out any potential pitfalls I would very much appreciate some pointers.
From your post and the error you are receiving, I'm assuming you are attempting to perform a RingOut with an extensionId that did not authorize your app. Attempting to do this will result in the error you received. Here's more information on this.
RingOut ExtensionId Scope
The RingOut API only supports using extensionId path parameter for the authorizing user extension. Because of this, all you ever need to call is the following endpoint for RingOut:
POST /restapi/v1.0/account/~/extension/~/ring-out
If you want to use the explicit extensionId, it needs to be the extensionId returned in the following endpoint:
GET /restapi/v1.0/account/~/extension/~
If you call the endpoint with a path extensionId parameter that did not authorize the access token being used, then you will receive the:
Non-Matching ExtensionId Error
If you attempt to perform a RingOut with a path extensionId value that is not the authorizing user, you will receive a HTTP status 404 error with the following body:
HTTP/1.1 404 Not Found
{
"errorCode": "CMN-102",
"message": "Resource for parameter [extensionId] is not found",
"errors": [
{
"errorCode": "CMN-102",
"message": "Resource for parameter [extensionId] is not found",
"parameterName": "extensionId"
}
],
"parameterName": "extensionId"
}
How to Perform RingOut for Many Users
To perform RingOut for many users at this time, you will need to do either of the following:
each user will have to perform an authorization with your app, either through a login pop-up via OAuth 2.0 authorization code or implicit grant.
alternately, you can ask them for their passwords to perform OAuth 2.0 password grant authorization.
A number of OAuth 2.0 demo apps are available on our GitHub accounts:
https://ringcentral.github.io/tutorials/
https://github.com/ringcentral/ringcentral-demos-oauth
Enhancement Request
If you would like the ability to RingOut to any user without an active session, let us know and we can consider it as a feature enhancement. The best way is to log in to our Community with your RingCentral account and post a request here:
https://devcommunity.ringcentral.com/ringcentraldev
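
A client-side guard for the rule explained in this answer, as an added example that is not RingCentral's code or part of the original answer: it refuses to build a ring-out path for an extensionId other than the one that authorized the token, and recognises the 404 CMN-102 body quoted above. The function names are hypothetical, the id 12345 is constructed, and the authorizing id is assumed to come from GET /restapi/v1.0/account/~/extension/~.

```python
import json

# Added illustration; function names are hypothetical.
RINGOUT = "/restapi/v1.0/account/~/extension/{ext}/ring-out"

# Constructed sample: the 404 body quoted in the answer above.
SAMPLE_BODY = json.dumps({
    "errorCode": "CMN-102",
    "message": "Resource for parameter [extensionId] is not found",
    "errors": [{
        "errorCode": "CMN-102",
        "message": "Resource for parameter [extensionId] is not found",
        "parameterName": "extensionId",
    }],
    "parameterName": "extensionId",
})


def ringout_path(authorizing_ext_id, requested_ext_id="~"):
    """Build the ring-out path, allowing only "~" or the authorizing id."""
    requested = str(requested_ext_id)
    if requested != "~" and requested != str(authorizing_ext_id):
        raise PermissionError(
            f"extensionId {requested} did not authorize this access token"
        )
    return RINGOUT.format(ext=requested)


def is_extension_mismatch(status, body):
    """True when a response is the 404 CMN-102 error on extensionId."""
    if status != 404:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    if not isinstance(doc, dict):
        return False
    return any(
        isinstance(e, dict)
        and e.get("errorCode") == "CMN-102"
        and e.get("parameterName") == "extensionId"
        for e in doc.get("errors", [])
    )
```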