How to set up Google Analytics API access to just one account - google-cloud-platform

I'm using the Google Analytics API for a project and I would like to know if it's possible to request access to just one project from the user account instead of all of his projects.
So right now I'm asking for access to the following scope, https://www.googleapis.com/auth/analytics.readonly, and this grants me access to all the projects from the user account. Is there a way to narrow this permission to just one project, so that the user would select which project he gives me permission to read data from?

The way OAuth works with the Google Analytics API is that when a user grants you access to their Google Analytics account, they are granting you access to everything in their Google Analytics account.
For me this is a problem because I have access to customer Google Analytics accounts and I don't want to grant third-party applications access to them. Due to this limitation I have never been able to use third-party applications.
There is no way to limit it. It's an all-or-nothing type of thing. I have brought it up with the team in the past; currently there is nothing we can do about it.

Related

Limiting the access to Google Cloud Platform Service Account to specific Gmail Accounts

I have recently made a program that listens to a PUB/SUB topic that is connected to a Gmail account. I have it all working fine. When a push notification arrives it will do different tasks based on the message content.
The problem is that I use a Service Account to connect to all the APIs on Google Cloud Platform that I need. The Service Account allows access to ALL of our Gmail accounts in our organization. I need to somehow limit the access to a specific Gmail account.
The closest I could find to this issue was this question Impersonating list of users with Google Service Account. However, the only solution presented there was to turn my project into a marketplace app which I do not want to do.
I have tried setting up an Organizational Unit and trying to limit the scope to that somehow, but there seems to be no way (that I can find) to do it. I did try to speak with Google Cloud Platform help, but they didn't know the answer as it didn't quite fall under their area of expertise and referred me on to another help group, but I'm not eligible for them because I don't pay for support.
Edit: It doesn't actually appear that what I want to do is possible. I'll be going back to an OAuth2 method of authentication.
Understanding service accounts explains the possibilities:
Service accounts can be thought of as both a resource and as an identity.
When thinking of the service account as an identity, you can grant a role to a service account, allowing it to access a resource (such as a project).
When thinking of a service account as a resource, you can grant roles to other users to access or manage that service account.
Now try to fit that impracticable intent into there ...
If you need to limit the access of the service account to user-specific resources, this can only be done on the application level, not the system level, since a service account can impersonate just any user identity; e.g. in order not to mess up the ownership when uploading files on behalf of a user. If you want 1 user identity to access 1 user-specific resource, why even use a service account? And when using a service account, why not just impersonate the correct identity? This could even be hard-coded, if it's only 1 user identity. But nevertheless, it can only be done on the application level; it cannot be configured for the service account itself.
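As an added example (not code from the original answer or from Google), here is what that application-level restriction can look like in Python: the job keeps an explicit allowlist of which identities the service account may impersonate and with which scopes, and refuses anything else before a delegated credential is ever built. The policy entries and addresses are constructed; only the credential builder assumes the google-auth library.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy (assumption, not from the page): the only identities this
# job may act as, each with the narrowest scopes it needs. Not listed = denied.
IMPERSONATION_POLICY: dict[str, frozenset[str]] = {
    "mailbox-monitor@example.com": frozenset({"https://www.googleapis.com/auth/gmail.readonly"}),
    "drive-uploader@example.com": frozenset({"https://www.googleapis.com/auth/drive.file"}),
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    scopes: frozenset[str] = frozenset()

def evaluate_delegation(subject: str, requested_scopes, policy=IMPERSONATION_POLICY) -> Decision:
    """Decide whether this application may impersonate `subject` with `requested_scopes`.

    Domain-wide delegation lets the service account act as any user, so this
    check is the only thing limiting it: unknown subjects and any scope beyond
    the allowlist are refused before a token is ever requested.
    """
    subject = subject.strip().lower()
    permitted = policy.get(subject)
    if permitted is None:
        return Decision(False, f"{subject!r} is not an allowed impersonation subject")
    requested = frozenset(requested_scopes)
    excess = requested - permitted
    if excess:
        return Decision(False, f"scope(s) not permitted for {subject}: {sorted(excess)}")
    return Decision(True, "allowed", requested)

def build_delegated_credentials(keyfile: str, subject: str, scopes):
    """Build user-impersonating credentials only after the policy check passes.
    Uses the real google-auth API (Credentials.with_subject); imported lazily so
    the policy logic above runs even without the library installed."""
    decision = evaluate_delegation(subject, scopes)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    from google.oauth2 import service_account  # pip install google-auth
    creds = service_account.Credentials.from_service_account_file(
        keyfile, scopes=sorted(decision.scopes))
    return creds.with_subject(subject.strip().lower())

if __name__ == "__main__":
    gmail_ro = {"https://www.googleapis.com/auth/gmail.readonly"}
    print(evaluate_delegation("mailbox-monitor@example.com", gmail_ro))  # allowed
    print(evaluate_delegation("ceo@example.com", gmail_ro))              # denied: not in policy
```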

Google Project with consent set to internal / Who is a "member of my organization" and how do I manage members?

Disclaimer: https://console.cloud.google.com/support/community leads here. Google's documentation is horrific so giving this a whirl on the off chance that I don't get downvoted to the depths of dev/null
Out of impending necessity I am migrating a private application that monitors our Gmail accts to OAuth 2, and as part of this process it was necessary to create an OAuth consent screen. Since this application will only be used internally it makes the most sense to choose "Internal" for Application Type - which is described as follows:
Only users with a Google Account in your organization can grant access to the scopes requested by this app.
The users on this Project consist of two "owners" — myself using my personal Gmail acct, and another employee who is part of the company G Suite account.
My question is who qualifies as a "user in my organization"? Is this based on the project owners? Does my non-G-Suite account (which is an owner of the project) qualify? Does the inclusion of one member in a G Suite account automatically associate the other employee accounts? Is there anywhere to actually see these users or manage them directly?
I'd actually like to add another couple accounts to the mix but still keep the application private, but I'm confused about how Google determines which gmail accounts will be able to authorize the app.
UPDATE: To clarify, when I visit the consent page while logged in as a member of our G Suite on the same domain as the project owner, everything is fine. However, we have other members managed in the same G Suite account who are under a different domain and for these I get the message:
Error 403: org_internal
This client is restricted to users within its organization.
Furthermore, I am not even able to grant access using my own email which is the creator and owner of the application. I'd like to know how I can add myself and the other G Suite members to be able to grant access to the application without making it public. It was suggested below that I add them (or their domain) to Google Cloud IAM but I'm unclear about how to get this working. My own email does already exist in IAM with role of "owner" and apparently that doesn't satisfy the requirement.
In order for internal apps to be used for OAuth, the project must belong to the organization associated with the same GSuite customer as all the users.
Non-GSuite accounts cannot be used by internal apps. There's more information about this here: https://support.google.com/cloud/answer/6158849#public-and-internal.
Who is a member of my organization?
Anyone that you have added to Google Cloud IAM for a project, folder or at the organization level. This can include Google Accounts (Gmail email addresses), G Suite and Google Identity. The last two use a domain name (example.com) and anyone with an identity in that domain (someone@example.com).
Google's goal is to tighten up security for Google Cloud Platform. In the past anyone with a Google Accounts email address could use your project's OAuth to request access. The level of access is controlled by OAuth Scopes. Today, granting that access results in a Consent Screen with an unverified application warning. To get beyond (remove) that warning often requires a security audit of your application with a cost estimated at $75,000 USD.
How do I manage members?
Through Google Cloud IAM. You can add and remove members; assign and remove IAM roles attached to member IDs. Through G Suite or Google Identity by adding or removing member accounts. Don't forget that members can be part of a Google Group and part of a Domain each of which are also an identity in Google Cloud Platform.
For GSuite Users:
Cloud IAM only deals with authorisation; you would need to handle authentication elsewhere. By default GSuite integrates with Cloud IAM as a default authentication provider.
For Non-GSuite Users:
You can use cloud identity free edition but users will have to manage separate set of credentials.
Single Sign On without GSuite
If you want a Single Sign On option you can also use Google Cloud Directory Sync to sync with your on-premise Active Directory or LDAP server for authentication, so users can keep their login details.
That's how authentication works on GCP. As for authorisation you have Cloud IAM where you can manage access through Predefined Roles, Primitive Roles and Custom Roles.
Cloud IAM and Authorisation
Typically you assign access using Google Groups and the resource hierarchy to make it easier for you to manage user access. But bear in mind that if you grant access to something through an ancestor folder in the resource hierarchy then you can't deny access downstream. So you need to plan the access hierarchy accordingly.
To answer your question who qualifies as a "user in my organization"?, everyone can log in, but by default they cannot access any projects, their resources or APIs unless they are given access either individually or through a group.
Hope this clarifies things for you a little.
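As an added example (not code from the original answer or from Google), this Python snippet applies the inheritance rule the answer describes: it walks a constructed organization > folder > project hierarchy and unions every binding that matches a user, so a grant on an ancestor shows up on the project and nothing at the project level can take it away. Resource names, bindings, group memberships and addresses are all made up.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Resource:
    """One node of the hierarchy with its own bindings: role -> members in IAM
    member syntax ("user:alice@example.com", "group:devs@example.com", "domain:example.com")."""
    name: str
    parent: Resource | None = None
    bindings: dict[str, set[str]] = field(default_factory=dict)

def member_matches(member: str, email: str, groups: set[str]) -> bool:
    """Does one binding entry apply to a concrete user? `groups` holds the group
    addresses the user belongs to (supplied by the caller; constructed here)."""
    kind, _, value = member.partition(":")
    email, value = email.lower(), value.lower()
    if kind == "user":
        return value == email
    if kind == "group":
        return value in {g.lower() for g in groups}
    if kind == "domain":
        return email.endswith("@" + value)
    return False  # serviceAccount:, allUsers etc. are out of scope for this example

def effective_roles(resource: Resource, email: str, groups: set[str] = frozenset()) -> dict[str, set[str]]:
    """Return {role: {resources where it was granted}} for a user on `resource`.
    Policies are additive: walk from the resource to the root and union every
    matching binding. There is no deny, so a grant on an ancestor cannot be
    revoked lower down, which is exactly the planning caveat from the answer."""
    roles: dict[str, set[str]] = {}
    node: Resource | None = resource
    while node is not None:
        for role, members in node.bindings.items():
            if any(member_matches(m, email, groups) for m in members):
                roles.setdefault(role, set()).add(node.name)
        node = node.parent
    return roles

# Constructed hierarchy: a domain-wide viewer grant at the org, a group editor
# grant on a folder, and one user made owner of a single project.
ORG = Resource("organizations/123", bindings={"roles/viewer": {"domain:example.com"}})
FOLDER = Resource("folders/45", ORG, {"roles/editor": {"group:devs@example.com"}})
PROJECT = Resource("projects/app", FOLDER, {"roles/owner": {"user:alice@example.com"}})

if __name__ == "__main__":
    print(effective_roles(PROJECT, "alice@example.com", {"devs@example.com"}))
    print(effective_roles(PROJECT, "bob@example.com"))    # still viewer, inherited from the org
    print(effective_roles(PROJECT, "mallory@gmail.com"))  # outside the organization: nothing
```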

Google Analytics Reporting API service account issues

I've been trying to get data from GA using a service account; however, my issue is that it keeps saying:
Error: User does not have sufficient permissions for this profile.
I have enabled GA reporting API and given access to GA account using the email of the service account. In addition, it was granted "read and analyze" permissions on the account.
Tried this method on a personal account, and everything worked fine, however, when working on a client project, the issue comes back.
What could I be missing?
This was interesting to figure out.
I've used Account ID against one Google Analytics Account and that worked.
For the one I have been having an issue with, I needed to use the View ID.

How can I create a user in Google Cloud Platform without having to create a new Gmail user?

I want to create a user account for contacting developers using their own email addresses, not a new Gmail user in my account. Google Cloud Platform seems to let me create the users, but they never receive an email and hence can't complete the account creation.
As it happens, they are Google Docs users with their own Google accounts, but naturally they'd rather not have yet another email address. Is this even possible or does Google tie Google Cloud Platform into Google Docs? It seems a major limitation of Google Cloud Platform if they do.
Google Cloud Platform, G Suite (formerly "Google Docs") and all other Google services share an identity system. The identity system requires humans to have user accounts while software/machines have service accounts. One Google user account equals one user.
There are 2 flavors of (Google) user accounts: [your-name]@gmail.com and those created by an organization for its users, someone@acme.com. For example, Google uses Google Identity internally and so Googlers have emails [their-name]@google.com.
When you create a Google Cloud Platform project, anyone with a Google account may be added to it, whether their Google account is something@gmail.com or an account created by their employer for them.
The only time your users will receive an email from you when you add them to a Google Cloud Platform project is if you make them project owners. This is because ownership requires acceptance of Google's Terms of Service. Other types of users will be added without receiving an email (from Google about it) but will be able to access your project's resources.
I suspect your users have been added correctly and you're ready to go!
The most simple is to share a directory with those off-domain email addresses; this is possible because Google Docs is backed by Google Drive as storage.
Setting them up with IAM would only add complexity, which is not required (at least, unless you won't have to grant them access to GCP resources).

Google Cloud OAuth Authorization Error: This client is restricted to users within its organization

Prior to Google's restructuring of Cloud API access, I had a gmail account that had access to a bunch of Google Analytics accounts, through which I established API access via OAuth credentials for a large number of sites. They changed their policies and began requiring domains to be verified before they could access credentials. This was the case for "public" applications, but if you switched it to "private" the domain verification no longer mattered. I had to do this because making the project public was a violation of the TOS. However, this coincided with the introduction of GCP's IAM permissions setup that forced me to create an "organization" and a "project" - and also forced me to create a Google Cloud Identity.
The stipulation of a private project was that you can only grant access to accounts under your organization. I added my gmail account to the organization and gave it administrative permissions.
So, I'm here: I set up new OAuth credentials for a new site, then try to access the API through those credentials. During the initial authorization screen, it asks me to select the appropriate Google account, and then is SUPPOSED to ask me to allow access. Instead, I get this error:
Authorization Error
Error 403: org_internal
This client is restricted to users within its organization.
BUT, the account I selected has been established as an administrator of the organization under which the API project resides! I have tried a billion different things, and the only way I seem to be able to grant access to ANYTHING is if I create the credentials under a different project and then log in with the GCI account. HOWEVER, that's not the account that has access to the Google Analytics, so it doesn't help me one bit.
To top it all off, Google has absolutely no support for this. They send me here, to Stack Overflow, to get support. Can anyone help?
The accepted answer didn't help. What helped were the following steps:
Go to Google Developer console (https://console.cloud.google.com/apis/credentials/consent?project=XXX)
Change User Type to External
Note: This does not make your site publicly accessible. It makes it so users outside your organization can be granted the normal way via IAM.
Linking an external email address does NOT make that identity part of the organization. Create a new identity based inside the organization. If your organization is example.com, create an identity such as john@example.com and use that identity. Your other option is to remove the restriction.