I am trying to use Apache libcloud to access GCP and hopefully be able to launch compute instances. So, following the documentation, I have created a service account on GCP associated with my email and given it the owner access for the moment. After that, I am using libcloud as follows:
from libcloud.compute.types import Provider
from libcloud.compute.providers import get_driver
ComputeEngine = get_driver(Provider.GCE)
driver = ComputeEngine('luca#googlemail.com', 'gcp-key.json', project='first-gcp')
This actually displays a URL and asks me to enter a code from it. When I click on the URL, I get the error message:
The OAuth client was not found.
This was not the workflow I was envisioning. I thought providing the secret key would just let me in and I would be able to then use methods for launching instances etc. So, I am not sure if I am doing the right thing by using a service account on GCP for this.
So, I get the following asking for a code:
So I get this:
Please Go to the following URL and sign in:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=xxx&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdevstorage.full_control+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fndev.clouddns.readwrite&state=Libcloud+Request
Enter Code:
How should I approach this? We will be a few remote people working on this eventually so ideally each person will have their own key to use and this should happen in a bit autonomous way in the sense if codes do not need to be entered manually, that would be great.
From the Console (https://cloud.google.com/console), select your project. When your project is open, select "APIs & auth" and then "Credentials" as shown below:
In Development: Preferably make one for each, could use one for all for testing purposes.
In production: For each user to use this service, create a service account.
When you download the service account, you should have it as a .pem or .json file. Use the email address from the service account (if you open the json/pem you shd be able to see the email) and give it the correct values region/project/email and path to the pem file.
The code you're using is correct, avoid using the name "ComputeEngine" since it may be a keyword (even though it probably isn't, best practice)
from libcloud.compute.types import Provider
from libcloud.compute.providers import get_driver
Driver = get_driver(Provider.GCE)
gce = Driver('your_service_account_email', 'path_to_pem_file',
datacenter='us-central1-a',
project='your_project_id')
Have a look here If you're confused on any steps. But this should def work.
Related
I am having trouble with the error shown in the image. Does anyone know how to solve this problem?
I would like to obtain a refresh token to use the "YouTube Data API v3".
I tried the following behavior.
Create a WEB type Client ID in the GCP console in advance.
Access https://developers.google.com/oauthplayground/, set the client ID and client secret in "1.", select https://www...../youtube and https://www...../youtube.upload from YouTube Data API v3, and then Authorize APIs execution.
When asked which account to use for OAuth
If you select my brand account, Google will block it as shown in the image.
[What I tried to solve]
The newly created Google account was able to obtain a token.
→ However, I really need to use the Youtube API with a branded account I already have.
I have tried turning on "Less secure app access" in the security settings of my branded account, but this did not solve the problem.
The target brand account is not managed by GoogleWorkspace.
Any information would be appreciated, I will provide any information needed, so if anyone knows anything, please help me.
Is there a way to see what project relates to an OAuth client ID? That or is there a way to show all projects and all their credentials if we're G Suite admins?
We have an OAuth client ID but can't seem to find where it's origin is from :/
You can use the following URL:
https://console.developers.google.com/apis/credentials/oauthclient/[your-client-id]
If you open it, replace your-client-id with your own Client ID, Google Cloud will manage to find the project it belongs to.
Then, there are two scenarios:
If your account has enough permission to manage that Client ID, you will see the settings page of your OAuth app. The project it belongs to will be in the upper left of the Google Cloud console.
If your account doesn't have enough permission, the Google Cloud console will throw an error saying something like: There was an error while loading /apis/credentials/oauthclient/[client-id]?project=[project-id]&folder=&organizationId=. Please try again. to view the page, you will see which project it belongs to.
So you can still have the project-id if you don't have permission to manage the Client ID.
Hope this helps.
I am using a trial version of Google CLoud. In the command line, I am logged in with a .json key file.
gcloud projects create training_project
returns
ERROR: (gcloud.projects.create) PERMISSION_DENIED: Service accounts cannot create projects without a parent.
But with a trial account, I can neither create an organization nor a folder to serve as a parent. So, how can I make a new project with the command line interface as a trial user?
I have read this question that concerns doing this with a REST API whereas I want to use the command line interface. Furthermore, that question is not about using a trial account.
As shown in the error message (this is also documented here), service accounts are not allowed to create projects outside of an organization and must specify the parent resource when creating a project. There is no workaround for this. Since a trial user cannot create an organization as you mentioned, you won't be able to use a service account to create a project.
Having said that, you can create a project via CLI when logged in as a user instead. You can log in by running:
gcloud auth login
and following the instructions. The gcloud projects create command will then run successfully.
I'm following the "Gauth authentication" portion of Djangae's documentation but I'm running into some unexpected behavior.
I've configured urls.py and settings.py as specified by the documentation (the current settings are mostly a result of using the Djangae Scaffold) but at no point are users prompted to authenticate using or link their Google account. I've tried un/setting DJANGAE_CREATE_UNKNOWN_USER but this has no impact.
I've also tried running commands inspired by sitepackages/prod/djangae/contrib/gauth/tests.py in my local shell in order to verify that the back-end configuration is correctly configured and that users can actually be authenticated against AppEngineUserAPIBackend but that fails because my User model (djangae.contrib.gauth_datastore.models.GaeDatastoreUser) seems to be missing required attributes: AttributeError: 'GaeDatastoreUser' object has no attribute 'user_id'.
So, am I misunderstanding how this is all supposed to work and must take some additional steps to get Google Sign-In working? Or have I (likely) misconfigured my application? (I'm happy to include genericized versions of my config, but as I said, they've come directly from Djangae Scaffold or the documentation.)
UPDATE: Interestingly, if I remove the --headless flag from my Behavior suite config, I see the expected behavior. The browser (Chrome) is being redirected to https://accounts.google.com/Login?continue=http%3A%2F%2Flocalhost%3A8080%2F
Environment:
Djangae (0.9.11)
Django (1.11.19)
It turns out that this is the expected behavior. In the local sandbox, users are prompted for an email address and (by default) a "user" is created for them and they are automatically logged in.
From App Engine's "Users Python API Overview" document:
Google accounts and the development server
The development server simulates the Google Accounts system using a
dummy sign-in screen. When your application calls the Users API to get
the URL for the sign-in screen, the API returns a special development
server URL that prompts for an email address, but no password. You can
type any email address into this prompt, and the app will behave as if
you are signed in with an account with that address.
The dummy sign-in screen also includes a checkbox that indicates
whether the dummy account is an administrator; that is, whether the
account has the the Viewer, Editor, or Owner primitive role, or the
App Engine App Admin predefined role. If you check this box, the app
will behave as if you are signed in using an administrator account.
Similarly, the Users API returns a sign-out URL that cancels the dummy
sign-in.
The unique ID for a User object in the development server is
calculated from the email address. Two unique email addresses always
represent two unique users in the development server.
Personally, I think this design is very flawed. I don't know what Google thinks about the Twelve Factor manifesto, but this behavior is a flagrant violation of article 10 (Dev/Prod Parity), which is summarized as "Keep development, staging, and production as similar as possible". I see no reason why the full auth/redirect flow wouldn't work in the local sandbox and, at the very least, users should be able to opt into it. (I would love to find out that this is an option.)
The most concerning part about this conditional behavior is that the user object's API is different, which is why I was seeing the error mentioned in my question ('GaeDatastoreUser' object has no attribute 'user_id'). The local user also has no nickname method.
I have an application that is run on multiple user systems, and using OAuth, allows the users to log in via Facebook, Twitter, etc. The entire point of the user logging in is to get settings and actions that the same user made while logged in on other computers, as identified by logging in with the same OAuth provider + provider user id. The application itself is written in C++ using Qt.
My question is this: how can I save the settings that a user made, and allow them to retrieve it in a secure way? I have a centralized server that I can store information using MySql tables, but I'm not sure the best way to have the user application prompt the server, and receive the data stored for that user.
Any ideas or places you could point me towards?
There are several ways I could think of with this, all have trade offs:
Generally I would store the data in mysql using some kind of string or object encryption/serialization method. I do not use Qt much but http://qt-project.org/wiki/Simple_encryption has some examples of very simple encryption that could be used.
Then the question becomes: What do you use as the key? I would go either with the key provided by OAuth for that user (which could be an issue if users de-authorize the app but still want access to this data) or some other user provided key (which is counter to using OAuth in the first place).
Another option is to go with Qt Users session http://qt-project.org/doc/qt-4.8/qtwebkit-guide-cache.html
This would maybe remove the need to encrypt since it should only be accessible within the users scope.
NOTE: Based on comments below it seems the issue is more about securing communication with the MySQL versus the data inside of MySQL. Waiting on user comments to revise my answer.