We are using admin SDK API for creating a group in domain by GDriveFlow app. After existing group in Google workspace admin console, We deleted this group and again creating the same group with API then we are getting the below error message:
409 Conflict
{
"code": 409,
"errors": \[
{
"domain": "global",
"message": "Entity already exists.",
"reason": "duplicate"
}
\],
"message": "Entity already exists."
}
When we checked the same group there is no existing same group in Google workspace admin console.
When we are creating the same group from Google workspace admin console and it is saying :
"A group or alias already exists with this email" .
But when I am searching the group in Google workspace admin console, I am not getting this group in console.
When I am searching same group with Method: groups.aliases.list in API explorer and getting: 404 not found msg in attached screen shot .
Can you please let me know why is this happening and not creating the group even it is not in domain ?
I have also reported this issue in Google Issue tracker at : https://issuetracker.google.com/issues/184303064
I am attaching the screenshots for creation of Group with these methods:
1- Manual by admin console, 2- SDK API by application, 3- By API explorer in Google workspace as below:
Google Support Team replied me as :
"It looks like we might be affected by an known issue in Google Workspace Groups and there is a workaround available."
So they told me if this type of issue comes then do these steps as below:
These steps are using the UI but this may be achieved by using the APIs as well.
A. Create a new user with this group mail Id(Old mail Id)
Browse to: https://admin.google.com/ac/users
Click Add new user
Enter “primary email address” with with same email Id(old) and other required fields
Click ADD NEW USER
B. Delete user created in the previous step:
Browse to: https://admin.google.com/ac/users
Add filter Email
Enter email address used for previous user creation
Click APPLY
Click on the user to navigate to their profile of that group mail id as user into domain
In left pane, click DELETE USER
Select Don’t transfer data
Click DELETE USER
C. Proceed to perform the action that was previously blocked and again create the group with same email Id.
This will resolve the issue.
I had the same issue and I got another workaround from Google Support:
Add the email address to an existing user account as an alias and save it.
Delete the alias and save it.
After that I was able to create the group.
Related
I have some applications served to my company users on EKS (i.e., Jenkins). In company we use Google Workspaces (GSuite) for email and stuff. So I want to allow users to login with Google creds to those applications I serve. I figured out I could use Cognito to achieve it but I cannot connect those and flow end with Google showing 403. Error: app_not_configured_for_user. In their documentation I can find:
Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.
but how do I debug it? I do not see a logs from neither AWS and Google sides :/
I think I followed all possible guides and I cannot find what I'm doing wrong. I found that Google has this page but they do not provide exact scenario for AWS Cognito. Anyways all of those are very similar so I guess I shouldn't have problems, but I do have.
What I did:
In Google Admin (one for workspaces) I created "Web and mobile app" of SAML type
I downloaded metadata file
In AWS Cognito console I created User Pool
I created IdP provider and uploaded metadata file there
I created application client
Using those values I filled fields ACS URL and Entity ID in Google Admin using values:
ACS URL: https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Entity ID: urn:amazon:cognito:sp:us-east-1_myPoolId
I also selected Name ID format to be Persisted
In attribute mapping I mapped email value to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
In AWS Cognito I enabled HostedUI and also created mapping of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to email field.
And now when I click View Hosted UI in AWS console it will redirect me to Google authentication and after it directly to before mentioned 403 app_not_configured_for_user page.
I tied it 3 times with slightly different configurations of mapping, signed responses, etc. but nothing gets me past that error.
Anyone tried to integrate it?
How to troubleshoot the 403 app_not_configured_for_user error related to SAML apps from the Google Workspace Admin console
The first thing you need to do is to grab a HAR file recording the whole login process and find the SAML request. Steps can be found here.
Once you get the file you can open it using that tool and search for SAMLreq at the top right (see image).
After that you will get a list of values containing information. You will have to check one by one until you find the one that has the SAML request in the request tab (see example below).
Once you get the value from the SAML request, copy it and you can use this tool to do a SAML decode and find the entity ID. You can use Ctrl + F and search for saml:Issuer to find the value faster. If the value does not match, then you know you have an error and you will need to contact the support team from the app to see which value is the correct one.
In case the value matches I would recommend opening a ticket to check with Google.
I've generated a server key in the API Manager and attempted to execute the following on my Mac:
curl 'https://sheets.googleapis.com/v4/spreadsheets/MySheetID?ranges=A1:B5&key=TheServerKeyIGeneratedInAPIManager'
But this is what it returns:
{
"error": {
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
What am I doing wrong here?
To solve this issue, try to:
Create a service account: https://console.developers.google.com/iam-admin/serviceaccounts/
In options, create a key: this key is your usual client_secret.json - use it the same way
Make the role owner for the service account (Member name = service account ID = service account email ex: thomasapp#appname-201813.iam.gserviceaccount.com
Copy the email address of your service account = service account ID
Simply go in your browser to the Google sheet you want to interact with
Go to SHARE on the top right of your screen
Go to advanced settings and share it with an email address of your service account ex: thomasapp#appname-201813.iam.gserviceaccount.com
I know it is a little late to answer but for other people struggling with the same issue.
Just change the permission of the sheet to public on your drive so it can be accessed without authentication via API calls.
To change access:
Open sheet in google drive
On top right corner, click share
On bottom of prompt window, click advanced
Change permission to public or people with link (no signin required)
Send API request to fetch data from sheets without authentication.
Note: if the sheet contains sensitive data then it is not safe to make it public and rather do it with Authenticated access.
Make sure to pay attention to #KishanPatel's comment:
Also, you can share this sheet with specific email Ex. your service
account (project) email. "client_email":
"XXXXX#northern-gasket-XXXX.iam.gserviceaccount.com", This will allow
to access sheet by your script.
Visual Simplification of the Answers:
Option 1 - Turn the file into public (if sheets the sheet contains sensitive data)
Option 2 - Share file with Service Account Email (IAM & Admin -> Service Accounts -> Details -> Email)
The easiest way is to fix using gcloud cli. More docs here https://cloud.google.com/pubsub/docs/quickstart-cli#before-you-begin
install gcloud
sudo apt-get install google-cloud-sdk
then call
gcloud init
then check your active project and credentials
gcloud config configurations list
If it is not ok, make sure you are authenticated with the correct account:
gcloud auth list
* account 1
account 2
Change to the project's account if not:
gcloud config set account `ACCOUNT`
Depending on the account, the project list will be different:
gcloud projects list
- project 1
- project 2...
Switch to intended project:
gcloud config set project `PROJECT NAME`
Then Create Application Default Credentials with gcloud auth application-default login, and then google-cloud will automatically detect such credentials.
My 10 cents... A simple example to read the sheet using Java.
private Credential getCredentials() throws IOException {
final InputStream accessKey = new ByteArrayInputStream("<credential json>");
final GoogleCredential credential = GoogleCredential.fromStream(accessKey)
.createScoped(Collections.singleton(SheetsScopes.SPREADSHEETS_READONLY));
return credential;
}
private HttpTransport httpTransport() {
try {
return GoogleNetHttpTransport.newTrustedTransport();
} catch (GeneralSecurityException | IOException e) {
throw new SpreadSheetServiceException(e);
}
}
Sheets service = new Sheets.Builder(httpTransport(), JSON_FACTORY, getCredentials())
.setApplicationName("app-name")
.build();
ValueRange response = service.spreadsheets().values()
.get("<spread_sheet_id>", "A1:A")
.execute();
In my case, solving this problem turned out to be trivial. You just have to:
Enter the google sheet that we want to remotely edit.
In the upper right corner, set - anyone who has the link can enter
Most importantly - on the right side you need to set permissions for people who have the link as 'editor'
if you still do not have permission, it means that you have to go to the website:
https://console.developers.google.com/iam-admin/iam/ then select your project, then select "Service accounts" and create a new one as role "owner" or" editor" for the project for example (or use one that already exists and click "create new key")
The "key" is a json file that will be downloaded when you create the account (or use "create new key" there).
i've a problem to run a job in google dataprep.
I set up a connection through an external database on google sql. In big query I imported the database connection. In google data prep I selected the table to do some operations. I tried to create a very simple flow by joining two tables. After that, run job. By doing the first "tour" I ran a test job and it worked properly. I can't get it working, although the account is owner . I've tried with another account to which I gave owner permissions.
The error code I see in the job run logs is:
Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Access Denied: Project nameproject: User does not have bigquery.jobs.create permission in project nameprogect.",
"reason" : "accessDenied"
} ],
"message" : "Access Denied: Project nameproject: User does not have bigquery.jobs.create permission in project nameproject.",
"status" : "PERMISSION_DENIED"
}
ps: I'm not working with the API but directly in the google data prep panel.
I checked the google documentation but I didn't find much, besides the fact that to run the jobs you have to be the owner of the project.
My user has User permission of big query "Access to run jobs"
Thank you for the help.
Matteo
bigquery.jobs.create is a role assigned to:
BigQuery Admin
BigQuery Job User
BigQuery User
You'll need to assign one of these roles to the account running the tasks to proceed past this error. You can go to IAM & Admin > Roles in the GCP panel to look at which roles are assigned to particular titles, a handy way to see which levels you may need to grant.
The bigquery.jobs.create permission has to be assigned to the compute service account PROJECT_NUMBER-compute#developer.gserviceaccount.com.
Try to add to that service account the permissions:
Storage/Storage Object Viewer
BigQuery/BigQuery User
You can do it by going to the Hamburger Menu in the Console->IAM & Admin->IAM and clicking on the pencil icon at the right side of the service account.
I have setup Google calendar API project. I am using OAuth 2.0 to Access Google Calendar APIs data with consent screen.
I have followed the process mentioned here: https://developers.google.com/google-apps/calendar/quickstart/php
while I am trying to fetch all calendars for the authorized Google account. I am getting following error:
<h1>Google_Service_Exception</h1>
{
"error": "unauthorized_client",
"error_description": "Unauthorized"
}
Here is the code to fetch all calendars list:
$client = $this->getGoogleCalenderClient($clientSecretPath);
$accessToken = json_decode(file_get_contents($clientSecretPath), true);
$client->setAccessToken($accessToken);
if ($client->isAccessTokenExpired()) {
$client->fetchAccessTokenWithRefreshToken($client->getRefreshToken());
$result = $s3Client->putObject([
'Bucket' => $bucketName,
'Key' => $credentialsPath,
'Body' => json_encode($client->getAccessToken())
]);
}
$service = new Google_Service_Calendar($client);
$calendarList = $service->calendarList->listCalendarList();
Does anyone know what this is happening here? And how can I fix this error?
Grateful for any help.
Does anyone know what this is happening here? And how can I fix this error?
If you are accessing the application using service account,
check this Github and the official document of Google for domain-wide delegation.
The following steps must be performed by an administrator of the Google Apps domain:
Go to your Google Apps domain’s Admin console.
Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
Select Advanced settings from the list of options.
Select Manage third party OAuth Client access in the Authentication section.
In the Client name field enter the service account's Client ID.
In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
Click Authorize.
Iam using cybersource for credit card payment.
Created username token for security data with the test account created
When Executing
self.response = self.client.service.runTransaction(**options)
Gets error
Server raised fault: '
Security Data : UsernameToken authentication failed.
'
Thanks in Advance
I got it.......
Just Generate transaction security key and give the generated key as password.
Able to connect successfully.
Steps to create key
Using a web browser, navigate to the CyberSource Enterprise Business Center (EBC) Test Environment login page
Log in using a username with Administrator credentials
Click Account Management from the menu bar on the left side of the screen
Click Transaction Security Keys In the expanded sub-menu,
Click the link, Security Keys for the Simple Order API on the Transaction Security Keys page
Click Generate Key
At this point you may see a pop-up dialog box asking if you want to block dynamic content on the page. Select No if this dialog box appears.
Click Generate Certificate Request when it appears (it may take a few seconds to load)
When the key generation script is done, a dialog box will appear which asks you to select a location on your computer where the new security key will be saved.
Save the key (the naming convention is <your merchant id>.p12)
Deploy the key to your system