AzureAD Google Cloud Connector user provisioning failure - google-cloud-platform

While testing automated user/group provisioning with the AzureAD Google Cloud EA, I am seeing a number of HTTP 403 errors at the Scoping phase of the user provisioning process that look like the one below:
Description: Failed to evaluate scoping of a source entry User 'user@foobar.com'
Error Code: GoogleAppsCannotAccessResourceOrApi
Error Message: An error has occurred when our provisioning service tried to evaluate scoping of a source entry.
{
  "error": {
    "code": 403,
    "message": "Not Authorized to access this resource/api",
    "errors": [
      {
        "message": "Not Authorized to access this resource/api",
        "domain": "global",
        "reason": "forbidden"
      }
    ]
  }
}
To note: This issue affects many users but not all of them. Many more are successfully provisioned.
Also, to note: There are no scoping filters in place (source scope is "All records").
This looks similar to "azure ad user provisioning with g suite", but that question hasn't been answered, and I tried removing the user's manager from the attribute mapping (as implied in the last response) but had no luck.

So I figured out the issue. First, it turns out that the problem has nothing to do with scoping, regardless of what the provisioning logs were saying.
My problem was that I perform a custom attribute re-mapping of the user's UPN, as G Suite is configured for another domain, and I had forgotten that we have a mishmash of upper- and lower-case domain names in our users' UPNs.
My expression failed to normalize the UPNs to lowercase before performing a case-sensitive replacement of the old domain with the new domain. Once I added a ToLower expression, the scoping errors went away.
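To make the failure mode in this answer concrete, here is an added Python example; it is not code from the original post or from Azure AD. It assumes the old domain is foobar.com, the G Suite domain is gsuite.example, and the constructed UPN list below, and compares a case-sensitive replacement with one that lowercases first. In the Azure AD attribute-mapping expression language the fixed mapping would take a form like `Replace(ToLower([userPrincipalName]), "@foobar.com", , , "@gsuite.example", , )`; that expression is my reconstruction, not the poster's actual mapping.

```python
from typing import Callable, List

# Constructed sample UPNs with the mixed-case domains the answer describes.
SAMPLE_UPNS = [
    "alice@foobar.com",
    "Bob@FOOBAR.COM",
    "carol@Foobar.com",
    "dave@contoso.com",   # a different domain: no mapping rule applies
]


def remap_upn_naive(upn: str, old_domain: str, new_domain: str) -> str:
    """Case-sensitive replacement, equivalent to the original mapping.

    Only UPNs whose domain is spelled exactly like old_domain are rewritten;
    'Bob@FOOBAR.COM' passes through untouched, which is what surfaced as the
    misleading 'scoping' 403 in the question.
    """
    return upn.replace("@" + old_domain, "@" + new_domain)


def remap_upn(upn: str, old_domain: str, new_domain: str) -> str:
    """Normalise to lower case first, then swap the domain.

    Mirrors ToLower() followed by Replace() in the fixed expression.
    """
    local, sep, domain = upn.rpartition("@")
    if not sep:
        raise ValueError(f"not a UPN: {upn!r}")
    domain = domain.lower()
    if domain == old_domain.lower():
        domain = new_domain.lower()
    return f"{local.lower()}@{domain}"


def unmapped(upns: List[str], old_domain: str, new_domain: str,
             mapper: Callable[[str, str, str], str]) -> List[str]:
    """Return the UPNs that `mapper` does not land in new_domain.

    Run this over an export of your users before enabling provisioning: every
    entry returned is a user the connector would try to create under the
    wrong domain.
    """
    suffix = "@" + new_domain.lower()
    return [u for u in upns
            if not mapper(u, old_domain, new_domain).lower().endswith(suffix)]


if __name__ == "__main__":
    for name, fn in (("case-sensitive", remap_upn_naive), ("lower-cased", remap_upn)):
        left = unmapped(SAMPLE_UPNS, "foobar.com", "gsuite.example", fn)
        print(f"{name}: left unmapped -> {left}")
```

The remaining entry under the fixed mapper, dave@contoso.com, is a user outside the source domain altogether; that is the kind of account a scoping filter, rather than the expression, should exclude.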

Related

How to resolve "Access to requested resource is denied"?

I am getting the following when sending a marketplaceParticipations request to sellers/v1/marketplaceParticipations via Postman, after following the instructions and examples provided at https://developer-docs.amazon.com/sp-api/docs/connecting-to-the-selling-partner-api
{
  "errors": [
    {
      "message": "Access to requested resource is denied.",
      "code": "Unauthorized",
      "details": ""
    }
  ]
}
We have registered a self-authorized app client in Draft status which has an IAM user ARN attached, as described at https://developer-docs.amazon.com/sp-api/docs/registering-your-application.
I've checked the inline and role policies for the IAM ARN. They are exactly as described at https://developer-docs.amazon.com/sp-api/docs/creating-and-configuring-iam-policies-and-entities#step-4-create-an-iam-role.
We are able to successfully request an LWA access token following the docs at https://developer-docs.amazon.com/sp-api/docs/connecting-to-the-selling-partner-api#step-1-request-a-login-with-amazon-access-token.
Please check that the roles of the user you are using allow making requests to that endpoint, in your dev profile at https://sellercentral.amazon.com/
As far as I know, getMarketplaceParticipations doesn't need a Restricted Data Token (RDT), so you should be able to solve it by giving the user the correct roles.
I was able to get them using Postman. It is a good way to check that the request is correctly built and that it is not a programming issue.

Template file failed to load with Dataflow bulk delete api

I'm using the REST API template provided at https://cloud.google.com/dataflow/docs/guides/templates/provided-utilities#api_2 to delete from Datastore, but I'm getting the following error:
"error": {
  "code": 403,
  "message": "(55ae8f210de971e7): Template file failed to load: gs://dataflow-templates/dataflow-templates/latest/Datastore_to_Datastore_Delete. Permissions denied. Provided scope(s) are not authorized",
  "status": "PERMISSION_DENIED"
}
It says the scope isn't authorized, but the docs say you only need one of the following: https://www.googleapis.com/auth/compute.readonly, https://www.googleapis.com/auth/compute, https://www.googleapis.com/auth/cloud-platform or https://www.googleapis.com/auth/userinfo.email.
For my OAuth2 request I tried adding the devstorage scope as well: https://www.googleapis.com/auth/compute.readonly https://www.googleapis.com/auth/devstorage.read_only
I'm calling POST https://dataflow.googleapis.com/v1b3/projects/{projectid}/templates:launch?gcsPath=gs://dataflow-templates/latest/Datastore_to_Datastore_Delete
With
{
  jobName: 'PrunePrintLogs',
  environment: { zone: 'europe-west2' },
  parameters: {
    datastoreReadGqlQuery: 'select * from `00000000test`',
    datastoreReadProjectId: '{projectid}',
    datastoreDeleteProjectId: '{projectid}'
  }
}
My project id is redacted.
I added the Owner role to the account getting the OAuth2 token, just temporarily for testing, so wouldn't all scopes be authorized?
Got it working. Firstly, I needed to remove the 'environment' parameter. Secondly, I set the scope to 'https://www.googleapis.com/auth/cloud-platform'. It also seems the role needs to be Editor; I wasn't able to find a more restrictive role that got it working.
Curiously, when I send the request from Postman it shows up in Dataflow jobs as SDK 2.27.0, but I'm sure I'm sending exactly the same thing from my Node app using axios, and there it shows up as SDK 2.20.0 and warns that it will eventually no longer be supported.

Google Group API list members

I tried to get the list of members of my Google Group from this page: reference/members/list
I used the group ID/name/email as the groupKey value, but I only get this response:
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "notFound",
        "message": "Resource Not Found: groupKey"
      }
    ],
    "code": 404,
    "message": "Resource Not Found: groupKey"
  }
}
I wonder whether I have specified the wrong key, or what else is wrong? I haven't used Google APIs before; I just want to try them.
I haven't tried that API in my code; I just wanted to try it in the "sandbox" first.
You are getting error 404, which means no resource is available, or the resource for the given groupKey cannot be found.
Create a group in G Suite.
Add at least one user. No need to do that if you have already created one, but make sure that you have created the group.
Come back to the Google APIs Explorer.
Provide the group's email ID as the value.
Complete your authentication & authorization using G Suite credentials. You may be logged in using your personal email ID; make sure you have completed authorization using a G Suite account.
You will get the list of members of the group.
Before trying to list all the members of the group (list members), just try to get one member (get member). It will help you in some cases.

Listing / Adding / Deleting Members from a (legacy) Google Group

I'm part of an organization that created and still actively uses a Google Group. When Google started its G Suite service for organizations, we got on board with having a proper Google organization. The problem is, now when members join and leave the organization, there's this nuisance task that requires someone to add them to or remove them from the legacy Google Group.
That group, as far as I can tell, is dissociated from the G Suite organization. We do have an Administrator account (from the G Suite organization) among the Managers of the Google Group, FWIW. The Google Group has an email address that ends in "@googlegroups.com".
So I tried using this Google tool to just examine the Google Group using the aforementioned Administrator account from G Suite, and it just gives back a 404 with this response body:
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "notFound",
        "message": "Domain not found."
      }
    ],
    "code": 404,
    "message": "Domain not found."
  }
}
Is there any way to accomplish what I'm trying to do (automate the aforementioned nuisance task)?
Ultimately, I think this is the set of APIs that I will need to use, and I've tested very basically that they work for a Google Group that is actually part of the G-Suite organization (i.e. has the same email domain).
I chatted to Google support and the word I got was basically, no dice. Legacy / free Google Groups are, from what I understand, not supported for API access.
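An added Python example (not from either question above, and not Google's client library) of the Directory API members.list call both questions exercise: it paginates with pageToken and turns the two 404 bodies seen above into an explicit error. The HTTP layer is injectable so the demo runs offline against constructed responses; a real call needs an OAuth2 access token for a Workspace admin carrying the https://www.googleapis.com/auth/admin.directory.group.member.readonly scope. The group keys and member data here are made up.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Iterator, List, Tuple

DIRECTORY_API = "https://admin.googleapis.com/admin/directory/v1"
Fetch = Callable[[str, str], Tuple[int, Dict[str, Any]]]


class GroupNotFound(Exception):
    """404 from members.list: groupKey is not a group in the Workspace domain the token administers."""


def http_get(url: str, token: str) -> Tuple[int, Dict[str, Any]]:
    """Real transport: GET with a bearer token, returning (status, parsed JSON body)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def list_members(group_key: str, token: str, fetch: Fetch = http_get,
                 page_size: int = 200) -> Iterator[Dict[str, Any]]:
    """Yield every member of group_key (group email, alias or id), following nextPageToken."""
    base = f"{DIRECTORY_API}/groups/{urllib.parse.quote(group_key)}/members"
    page_token = None
    while True:
        query = {"maxResults": page_size}
        if page_token:
            query["pageToken"] = page_token
        status, body = fetch(base + "?" + urllib.parse.urlencode(query), token)
        if status == 404:
            # "Resource Not Found: groupKey" and "Domain not found." both arrive as 404:
            # the key is wrong, or the group (e.g. a legacy @googlegroups.com one)
            # is not part of the Workspace domain behind the token.
            raise GroupNotFound(body.get("error", {}).get("message", "not found"))
        if status == 403:
            raise PermissionError("token lacks the group.member scope or admin rights")
        if status != 200:
            raise RuntimeError(f"members.list failed with HTTP {status}: {body}")
        yield from body.get("members", [])
        page_token = body.get("nextPageToken")
        if not page_token:
            return


# --- constructed responses so the example runs offline --------------------
FAKE_PAGES = {
    None: {"members": [{"email": "alice@example.com", "role": "OWNER"},
                       {"email": "bob@example.com", "role": "MEMBER"}],
           "nextPageToken": "page-2"},
    "page-2": {"members": [{"email": "carol@example.com", "role": "MEMBER"}]},
}


def fake_fetch(url: str, token: str) -> Tuple[int, Dict[str, Any]]:
    """Stands in for http_get: one Workspace group with two pages, one legacy group."""
    parsed = urllib.parse.urlparse(url)
    query = dict(urllib.parse.parse_qsl(parsed.query))
    if "legacy%40googlegroups.com" in parsed.path:
        return 404, {"error": {"code": 404, "message": "Domain not found."}}
    return 200, FAKE_PAGES[query.get("pageToken")]


def member_emails(group_key: str, fetch: Fetch = fake_fetch) -> List[str]:
    """All member addresses of group_key, across pages."""
    return [m["email"] for m in list_members(group_key, "fake-token", fetch=fetch)]


def lookup_error(group_key: str, fetch: Fetch = fake_fetch) -> str:
    """'' if the group lists fine, otherwise the API's not-found message."""
    try:
        member_emails(group_key, fetch)
    except GroupNotFound as err:
        return str(err)
    return ""


if __name__ == "__main__":
    print(member_emails("team@example.com"))
    print("legacy group:", lookup_error("legacy@googlegroups.com"))
```

To run it against a real domain, pass `fetch=http_get` and an access token obtained for an admin account of that domain; the 404 branch is exactly where the legacy-group case above ends up.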

Can we make changes in the IAM policies of google by using some other's access/bearer token

I am working on the GmailwebhookTrigger, in which I get notifications for new emails. I want to add multiple members to my topic, meaning I want to get notifications for multiple people on my topic. To do that I have to add each member as a Pub/Sub subscriber in my IAM policy console. I am not able to do that; it gives me the following error
{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "status": "PERMISSION_DENIED"
  }
}
when hitting the following API:
https://cloudresourcemanager.googleapis.com/v1/projects/gmailwebhookserver:getIamPolicy
Also, if I try to hit the following other API, I get the same error:
https://cloudresourcemanager.googleapis.com/v1/projects/gmailwebhookserver:setIamPolicy
I have done everything provided in the documentation to fix that, but I am not able to do so. However, when I add the external user as an Owner of the project in my IAM console at https://console.cloud.google.com/iam-admin/ia?project=testProject, I am able to achieve what I want. But I have to do that manually, and by doing so I am giving full rights to my project to other users. I think that to allow external users to make changes in my cloud IAM policies I need to authenticate external users using my service account, but I don't know how to do that. Suggest a way either to authenticate the user with my service account or by any other means, so that I don't have to do anything manually.
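Whatever role the caller ends up granting, the cloudresourcemanager getIamPolicy/setIamPolicy pair named in this question is a read-modify-write: the policy returned by getIamPolicy, including its etag, is edited and sent back whole, and setIamPolicy rejects the write if the etag no longer matches. The Python below is an added example (not from the question, and not Google's client library): it edits a constructed policy in memory and builds the setIamPolicy request, refusing to hand out the basic Owner/Editor/Viewer roles that the question wants to avoid. The policy contents, the principals and the etag are made up; only the project id gmailwebhookserver comes from the question.

```python
import copy
from typing import Any, Dict, List, Tuple

RESOURCE_MANAGER = "https://cloudresourcemanager.googleapis.com/v1"

# Basic roles grant far more than Pub/Sub access; this example refuses them outright
# (a policy choice of the example, not an API restriction).
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed stand-in for what getIamPolicy would return for the project.
CURRENT_POLICY: Dict[str, Any] = {
    "version": 1,
    "etag": "BwXyz123abc=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/pubsub.subscriber",
         "members": ["serviceAccount:webhook@gmailwebhookserver.iam.gserviceaccount.com"]},
    ],
}


def add_binding(policy: Dict[str, Any], role: str, member: str) -> Dict[str, Any]:
    """Return a copy of `policy` with `member` granted `role`.

    The input is what getIamPolicy returned; its etag travels with the copy so
    that a concurrent edit makes setIamPolicy fail instead of being overwritten.
    """
    if role in BASIC_ROLES:
        raise ValueError(f"refusing to grant basic role {role}; use a predefined role instead")
    if not policy.get("etag"):
        raise ValueError("policy has no etag: fetch it with getIamPolicy first")
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Only merge into an unconditional binding for the same role; a binding
        # carrying a condition must not silently widen to a new member.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def members_with_role(policy: Dict[str, Any], role: str) -> List[str]:
    """Every member granted `role` by any binding in `policy`."""
    return [m for b in policy.get("bindings", []) if b["role"] == role for m in b["members"]]


def set_iam_policy_request(project_id: str, policy: Dict[str, Any]) -> Tuple[str, Dict[str, Any]]:
    """URL and JSON body for POST .../projects/{project}:setIamPolicy."""
    return f"{RESOURCE_MANAGER}/projects/{project_id}:setIamPolicy", {"policy": policy}


def rejection_reason(policy: Dict[str, Any], role: str, member: str) -> str:
    """'' if add_binding accepts the grant, otherwise the reason it refused."""
    try:
        add_binding(policy, role, member)
    except ValueError as err:
        return str(err)
    return ""


if __name__ == "__main__":
    new_policy = add_binding(CURRENT_POLICY, "roles/pubsub.subscriber", "user:colleague@example.com")
    url, body = set_iam_policy_request("gmailwebhookserver", new_policy)
    print(url)
    print(members_with_role(body["policy"], "roles/pubsub.subscriber"))
    print(rejection_reason(CURRENT_POLICY, "roles/owner", "user:colleague@example.com"))
```

The caller of setIamPolicy needs resourcemanager.projects.setIamPolicy on the project, which is what the 403 above is reporting is missing; granting that permission is itself a broad capability, so it belongs on the one identity that runs this automation rather than on every external user.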