I'm trying to enable a Google Cloud API using the Service Usage API with the request code below:
request = service.services().enable(name='projects/projectnumber/services/apiname')
When I call the above request in a loop, as I need multiple APIs to be enabled for a project, the response from GCP is different. Some APIs are being enabled, but for others the response is like below:
"name": "operations/acf.p2-2910031xxxxx-9faxxxxx-xxxx-4381-xxxx-dede881xxxxx",
"metadata": {
  "@type": "type.googleapis.com/google.protobuf.Any"
}
Here, I'm not sure if the API is enabled or not, or what the above response exactly means.
Can someone help me understand the response from Google?
I have set up API Gateway using HTTP API which is configured to a private application load balancer using a VPC link.
I have a route using this integration and I can request my route and I get a successful response from my API.
The problem comes though when I now want to protect this route.
I chose a simple lambda authoriser and set up a basic example I have seen in many tuts being:
exports.handler = async (event, context) => {
  let response = {
    "isAuthorized": false,
    "context": {
      "AuthInfo": "defaultdeny"
    }
  };
  if (event.headers.authorization === "Bearer secretToken") {
    response = {
      "isAuthorized": true,
      "context": {
        "AuthInfo": "Customer1"
      }
    };
  }
  return response;
};
When I attach my authoriser I just get:
{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Invalid token."
}
This response does not seem to be coming from the authoriser, as in CloudWatch I can see the authoriser is returning true.
I am not sure if because I am accessing a private resource using an integration with a VPC link if there is something else I need to do, or what I am missing.
I am struggling to find any documentation on authorisers in such a scenario.
Any help most appreciated.
My API was Strapi CMS. With Strapi, if you pass an authorization header to the endpoint, even a public one (as I was), then its own authentication kicks in.
So as the header was passed from the lambda authoriser to Strapi, Strapi's auth kicked in. Many thanks to @stijndepestel
Per this documentation Addendum: Service account authorization without OAuth, it says
If the API you want to call has a service definition published in the Google APIs GitHub repository, you can make authorized API calls using a JWT instead of an access token
I see Google Cloud Storage published on that GitHub repository, but I cannot seem to be able to get a file on Google Cloud Storage with the approach in the documentation. According to the JWT header and payload example shown in step 3 of the documentation, I made the following adjustments:
Change kid from abcdef1234567890 to my service account private_key_id
Change iss and sub to my service account client_email
Change aud to https://storage.googleapis.com/
Change iat and exp to now and now + 1 hour
I use the signed JWT as a bearer token to try to get the file from http://storage.googleapis.com/<bucket>/path/file but I keep getting this response:
<?xml version='1.0' encoding='UTF-8'?><Error><Code>AuthenticationRequired</Code><Message>Authentication required.</Message></Error>
Can we really use this approach with Google Cloud Storage? Am I doing anything wrong?
Note that I can access the file with an OAuth access_token when following another approach described on the same documentation page, but I prefer not to make a request to get an access_token first before making a request to get the file.
I drew the same conclusion as you from reading this documentation, but it doesn't work for me either on Google Cloud Storage.
It does work on some services like Google Cloud Pub/Sub.
I also confirmed that the Google Cloud SDK doesn't use the "Service account authorization without OAuth" method for GCS, but it does for Pub/Sub.
For example in the Node.js SDK, the variable determining whether or not to use this method is useSelfSignedJWT in google-auth-library:
const useSelfSignedJWT =
  (!this.hasUserScopes() && url) ||
  (this.useJWTAccessWithScope && this.hasAnyScopes());
A service like Pub/Sub that supports self-signed JWT sets useJWTAccessWithScope = true, but GCS doesn't set this variable.
That being said I forced the GCS SDK to use self-signed JWT and got it to work that way!
const { Storage } = require('@google-cloud/storage')
const storage = new Storage({
  keyFilename: 'service-account-key.json'
})
storage.authClient.useJWTAccessWithScope = true
// Use client and watch how it doesn't call the OAuth2 endpoint,
// and requests are still successful.
The interesting thing to note is that the self-signed JWT that Google SDK generated is a bit different from what they document for Service account authorization without OAuth:
{
  "iss": "service-account@project.iam.gserviceaccount.com",
  "sub": "service-account@project.iam.gserviceaccount.com",
  "scope": "https://www.googleapis.com/auth/iam https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/devstorage.full_control",
  "exp": 1234567890,
  "iat": 1234567890
}
Whereas their documentation says to use an aud field and doesn't mention scopes:
{
  "iss": "123456-compute@developer.gserviceaccount.com",
  "sub": "123456-compute@developer.gserviceaccount.com",
  "aud": "https://firestore.googleapis.com/",
  "iat": 1511900000,
  "exp": 1511903600
}
So you can set a scope field with a valid OAuth scope, e.g. for GCS. This did work for me on GCS, and it might work for other APIs that don't accept self-signed tokens with aud.
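As an added example (not part of the original answer and not code from Google's libraries), both claim shapes shown above can be produced and checked locally with Node's built-in crypto module. The function names are hypothetical, the key pair, key id and account e-mail are constructed placeholders, and devstorage.read_only is used as a narrower scope than the full_control one listed above.

```javascript
const crypto = require('crypto');

// JWT segments are base64url without padding.
const b64url = (data) => Buffer.from(data).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

// Hypothetical helper: sign a service-account JWT (RS256) carrying either
// the documented `aud` claim or the `scope` claim the SDK was seen to emit.
function signServiceAccountJwt({ clientEmail, privateKeyId, privateKey,
                                 aud, scope, now, lifetime = 3600 }) {
  if (Boolean(aud) === Boolean(scope)) {
    throw new Error('set exactly one of aud or scope');
  }
  const iat = now ?? Math.floor(Date.now() / 1000);
  const header = { alg: 'RS256', typ: 'JWT', kid: privateKeyId };
  const payload = { iss: clientEmail, sub: clientEmail, iat, exp: iat + lifetime };
  if (aud) payload.aud = aud; else payload.scope = scope;
  const signingInput =
    `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Local check of a token: verify the RS256 signature and decode both segments.
function decodeAndVerify(token, publicKey) {
  const [h, p, s] = token.split('.');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
                           publicKey, Buffer.from(s, 'base64'));
  const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64').toString('utf8'));
  return { ok, header: parse(h), payload: parse(p) };
}

// Constructed throwaway key pair and account values (not a real key file).
const { publicKey, privateKey } =
  crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const account = {
  clientEmail: 'service-account@project.iam.gserviceaccount.com',
  privateKeyId: 'constructed-key-id',
  privateKey,
};

const scopedToken = signServiceAccountJwt({
  ...account,
  scope: 'https://www.googleapis.com/auth/devstorage.read_only',
});
// Sent as "Authorization: Bearer <scopedToken>"; no OAuth token request is made.
console.log(decodeAndVerify(scopedToken, publicKey).payload);
```

Because the token is signed directly with the service-account private key and is accepted until `exp`, keep the lifetime short and the scope as narrow as the call allows.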
I tried the demo at https://cloud.google.com/video-intelligence/
If I switch to the API tab I can see the request is
https://videointelligence.googleapis.com/v1/operations/projects/4808913407/locations/us-east1/operations/12700896084805575820?key=YOUR_API_KEY_HERE
However, when I try doing the same operation using my API key I get
{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}
Do I need to configure the API key in any specific way to get this working?
Video Intelligence does not support API Keys, you need to authenticate using a service account. Here you can find the list of GCP services that support API Keys.
Here you can find a description step-by-step on how to use video intelligence using the command line.
As you can see you need to generate a print access token after configuring your service account credentials. Then you include it in the API call as "Authorization: Bearer". You cannot use an API key.
I have been given an Amazon API to integrate, but I have no idea how to use this API:
mutation createTrail {
  createTruckTrailer(input:{truckId: "077",trailer:["AB22D"]}){
    result
  }
}
The snippet you've been given is an example of a GraphQL query, which can be sent to a GraphQL-enabled endpoint, such as the one you've been given which is hosted using AWS AppSync. A GraphQL query is structured differently than a REST API call; think of it as a structured way of making REST calls. Requests are sent to the ApiUrl you pasted above in a POST HTTP request, with a request body that looks like:
{
  "query": "mutation createTrail {\n createTruckTrailer(input:{truckId: \"077\",trailer:[\"AB22D\"]}){\n result }\n }",
  "operationName": "createTrail",
  "variables": {}
}
However additional headers are necessary to authenticate with IAM. The response from the server will include the result as JSON. I highly recommend spending just a few minutes to become a little more familiar with GraphQL here: https://graphql.org/learn/
To make calls to this AppSync endpoint from Android, take a look at the Amplify Android client, which explains how to get started here (skip step 4): https://aws-amplify.github.io/docs/android/start, and then set up your client to authenticate with IAM to your backend here: https://aws-amplify.github.io/docs/android/api#iam
Once your amplify client is fully set up, you can make the GraphQL Mutation shown above by following the steps here: https://aws-amplify.github.io/docs/android/api#import-sdk-and-config
Use retrofit with rxJava or coroutines.
I'm new with customization of WSO2 AM.
Is there a simple way to get the tags associated with a specific published API?
I would like to customize the logic of the workflow subscription step, checking some specific tags defined in the Publisher.
The WSO2 API Manager Publisher REST API will help you to access API Manager publisher APIs programmatically via REST API. There you can get API details by calling the following API:
https://docs.wso2.com/display/AM1100/apidocs/publisher/#!/operations#APICollectionApi#apisApiIdGet
See sample request details
URL
https://apis.wso2.com/api/am/publisher/v0.9/apis/{apiId}
HTTP Method
GET
Scope
apim:api_view
CURL Example
curl -H "Authorization: Bearer b0982cd2aacd463ff5f63cd5ebe58f4a" http://127.0.0.1:9763/api/am/publisher/v0.9/apis/890a4f4d-09eb-4877-a323-57f6ce2ed79b
In response you will get tags associated with API as follows.
"tags": [
  "phone",
  "multimedia",
  "mobile"
],
Thanks,
sanjeewa