Google Admin SDK authentication with service account - google-cloud-platform

My team is currently developing an application to list my company's domain users in GCP, using the Admin SDK, for onboarding and offboarding purposes.
We're using a service account to do this and we've have added the admin.directory.user.readonly scope, in the Google Admin's advanced settings, to it. The Admin SDK API is activated and we can see the service account in the Credentials area.
When we invoke the https://www.googleapis.com/admin/directory/v1/users endpoint with the parameters viewType=domain_public and domain=[our domain], while using an access token generated with oauth2l, we receive the following message:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "Not Authorized to access this resource/api"
}
],
"code": 403,
"message": "Not Authorized to access this resource/api"
}
}
Could there be any domain restriction being applied that we don't have vision of?

The service account does not have permission to call Directory APi for your G Suite instance. What it does have access to do is act as a user in your domain within the context of the Directory API scope(s) you granted it access to.
When getting service account credentials you need to add the sub=admin#yourdomain.com parameter so that you are acting as your domain admin, not the service account. See:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
And some code examples at:
https://developers.google.com/admin-sdk/directory/v1/guides/delegation

Related

How to check for user role in AWS API gateway authorizer?

I am trying to do authentication and authorization with AWS Cognito and AWS API Gateway.
I managed to give the user a JWT token when logged in and when performing a certain get request on my gateway it checks for the Authorization header and verifies it with Cognito (user pools).
The problem that I am facing is that it does not check for any user role. Certain users are in my Cognito admin group, but I can't specify that only users from the Admin group can make such requests. Currently, if any user that has a valid JWT token does that GET request on the API Gateway it executes it.
I thought I could maybe use a custom lambda authorizer in order to check the role. This would not be very secure since you (a potential hacker) could still temper with the JWT token to change this
"cognito:groups": [
"User"
],
"iss": "",
"version": 2,
"client_id": "6uad7uthfhv3a7p9aihdbjl3tt",
"token_use": "access",
"scope": "aws.cognito.signin.user.admin phone openid profile email",
"auth_time": 1668780261,
"exp": 1668783861,
"iat": 1668780262,
"jti": "",
"username": "test"
}
To this:
"cognito:groups": [
"Admins"
],
"iss": "",
"version": 2,
"client_id": "6uad7uthfhv3a7p9aihdbjl3tt",
"token_use": "access",
"scope": "aws.cognito.signin.user.admin phone openid profile email",
"auth_time": 1668780261,
"exp": 1668783861,
"iat": 1668780262,
"jti": "",
"username": "test"
}
And encode the token again to make API calls that he should not be able to do.
Another thought I had was to check from the Lambda authorizer directly with Cognito if the user has the correct roles, but I do not know if that is even possible.
Is there a better, more logical way to check with Cognito if the user is inside the user pool AND if it has the correct role?
First thing is, we should have a properly implemented JWT validation mechanism in place. With that, tampered tokens can be easily identified.
Please read this article for more details. It says:
JSON Web Tokens are a good way of securely transmitting information
between parties. Because JWTs can be signed—for example, using
public/private key pairs—you can be sure the senders are who they say
they are. Additionally, as the signature is calculated using the
header and the payload, you can also verify that the content hasn't
been tampered with.
So in the Lambda authorizer we can do that JWT validation. Then based on the request path and the assigned roles, it should be able to decide whether to invoke the API or not.

GCP Anthos - AWS

I am trying to add my cluster in AWS to GCP/Anthos. I follow the GCP documentation (https://cloud.google.com/anthos/clusters/docs/multi-cloud/aws/quickstart) but my cluster within GCP has an error with the status "Unreachable Agent - please check if GKE Connect Agent is deployed correctly." My Antos is on and all required services are enabled. I am not sure what is missing. Are you able to help?
When I run "cloud container aws cluster create ..." from the GCP shell I noticed the following error:
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "CREDENTIALS_MISSING",
"domain": "googleapis.com",
"metadata": {
"service": "gkemulticloud.googleapis.com",
"method": "google.cloud.gkemulticloud.v1.AwsClusters.GetAwsCluster"
}
}
]
}
}
Unreachable agent error is due to when Connect Gateway is not set up properly.Follow this doc and set the connect gateway.
https://cloud.google.com/anthos/multicluster-management/gateway/setup.
Try logging in from GCP console under GKE via the user connect gateway is setup.

Permission 'documentai.processors.processOnline' denied on resource (or it may not exist)

I am trying to send a POST request to the Cloud Document AI API using Postman. I have tried sending a POST request with the API key included, along with providing an OAuth access token as the OAuth 2.0 Authorization (generated using gcloud auth application-default print-access-token). However, this error is returned:
{
"error": {
"code": 403,
"message": "Permission 'documentai.processors.processOnline' denied on resource '//documentai.googleapis.com/projects/<project id>/locations/us/processors/<processor id>' (or it may not exist).",
"status": "PERMISSION_DENIED",
"details": [
{
"#type": "type.googleapis.com/google.rpc.ErrorInfo",
"reason": "IAM_PERMISSION_DENIED",
"domain": "documentai.googleapis.com",
"metadata": {
"resource": "projects/<project id>/locations/us/processors/<processor id>",
"permission": "documentai.processors.processOnline"
}
}
]
}
I think this this a problem with the service account permission. If so, is there any way I can resolve this if I don't have the access to change roles?
Just to give an update to this question. The problem was related to the service account permission. There is no way to resolve this without setting up your service account with the correct permission. Once you have correctly set up your service account, by using the service account key of said account, you should be able to resolve this problem.
TLDR; Follow the documentation (https://cloud.google.com/document-ai/docs/setup#auth) properly. If you don't have access to the Google Account (like I did), try to get access to it. If not, I don't think there is another way around it.
I struggled with this question as well. To resolve the issue, go to IAM roles and change the role of your service account to Document AI service user. The default is Document AI service Agent

Google Cloud Storage write with REST API throws "billing not enabled" error for new bucket

I'm attempting to upload files to a GCS bucket from my server. This works perfectly fine for the app engine bucket Google App Engine created for the project but if I create a new bucket and attempt to write to that bucket I get the following :
{
"error": {
"code": 403,
"message": "The account for bucket \"flow-292019-cdn\" has not enabled billing.",
"errors": [
{
"message": "The account for bucket \"test-project-cdn\" has not enabled billing.",
"domain": "global",
"reason": "accountDisabled",
"locationType": "header",
"location": "Authorization"
}
]
}
}
All permissions are exactly the same in the configuration. Billing is definitely enabled for the project. I'm at a loss on this one.
I would recommend to follow the official documentation for your use case :
Troubleshooting
403: Account Disabled Issue: I tried to create a bucket but got a 403
Account Disabled error.
Solution: This error indicates that you have not yet turned on billing
for the associated project. For steps for enabling billing, see Enable
billing for a project.
If billing is turned on and you continue to receive this error
message, you can reach out to support with your project ID and a
description of your problem.

Upload to bucket with customer-managed encryption fails

Based on https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys
Steps to reproduce:
Create key ring and key in Cloud KMS in a specific location
(us-central-1 for example).
Grant permission Cloud KMS CryptoKey Encrypter/Decrypter to the storage service account for the created key.
Create a new regional bucket in the location (us-central-1) and set created KMS key for encryption.
Try to upload a file to the bucket.
Result:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "forbidden",
"message": "We're sorry, but the Cloud KMS encryption feature is not available in your location; see https://cloud.google.com/storage/docs/encryption/customer-managed-keys#restrictions for more details."
}
],
"code": 403,
"message": "We're sorry, but the Cloud KMS encryption feature is not available in your location; see https://cloud.google.com/storage/docs/encryption/customer-managed-keys#restrictions for more details."
}
}
I'm quite sure it is a misconfiguration issue but couldn't figure out my mistake. The request goes not from restricted country - https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#general_restrictions