I want to be able to invoke a GloudRun endpoint by one of my GKE pods.
When I describe my VMs/instances that comprise my GKE cluster, I see
serviceAccounts:
- email: 873099409230-compute#developer.gserviceaccount.com
So I added the CloudRun Invoker role to the above service account.
I have enabled CloudRun with Authentication Required.
However when I exec to one of my pods and try to curl the endpoint I get 403 (which I also get from my laptop, but the later is expected).
Any suggestions?
Curl don't know Google Cloud security. I mean that cURL don't know how to add the security token to your request. For this, you have to explicitly add the token in the header of your request.
From my computer I use this, because it's my personal account which is defined in Gcloud SDK.
curl -H "Authorization: Bearer $(gcloud config config-helper --format='value(credential.id_token)')" <URL>
With a service account defined in gcloud, you can use this command
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" <URL>
In both case you have to add the authorization header to your request.
In your code, if you use google libraries, you can use default credential, your default compute service-account will be used. cURL don't know do this!
Related
We have a Django application is hosted on GCP cloud run and sits behind IAP for user authentication. Our use case was to generate token on a local machine by a user and after getting the token. Followed IAP Programmatic authentication but was getting the following error.
Invalid IAP credentials: JWT audience doesn't match this application ('aud' claim (xxxxxxxx.apps.googleusercontent.com) doesn't match expected value (yyyyyyyy.apps.googleusercontent.com)
Expected result was a JSON response with token in it.
We solved the following issue by passing an 'audience' body param to the following code and tweaking original doc provided by GCP:
curl --verbose \
--data client_id=DESKTOP_CLIENT_ID \
--data client_secret=DESKTOP_CLIENT_SECRET \
--data code=AUTH_CODE \
--data redirect_uri=http://localhost:4444 \
--data audience=IAP_OAUTH_ID \
--data grant_type=authorization_code \
https://oauth2.googleapis.com/token
This IAP_OAUTH_ID is auto-generated by GCP when you turn on the IAP and is present under OAuth 2.0 Client IDs in APIs & services > Credentials section of GCP.
Our guess is when we try to generate token for IAP using our local machine without passing 'audience' in the body, it does generate token but for some other instance of IAP which obviously won't work with the one hosted on GCP, which is sitting in front of cloud run load balancer.
Therefore to make it work correct instance of IAP for which token is getting generated also has to be passed, which is done using the audience body param.
I am using SecretManager Service of GCP and is using client libraries to access secrets.
My prod and dev credentials are different.
If we want to use these client libraries, the service account file needs to exported as GOOGLE_APPLICATION_CREDENTIALS variable. This is required as GCP checks whether the exported service account has the required permission to access Secrets.
As of now, I provide these service account file in code and export them in makefile and Dockerfile before the start of the server
Now, I want to access the service account file too from the SecretManager and that can't be done using client Libraries.
I went through the best practices of Secret Manager and there it is not recommended to provide secrets via filesystem or environment variables as it is vulnerable to attacks
The only option that I can think of is to access this service account file secret by using secretManager curl API in dockerfile but that would be complex as I also have to decode the utf-8 secret using bash.
curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id/versions/version-id":access --request "GET" --header "authorization: Bearer $(gcloud auth print-access-token)" --header "content-type: application/json"
Is there any other best practice recommended for handling this situation?
curl -X "POST" "https://my.tapkey.com/api/v1/owners/xxx/grants/xxxx/revoke" \
-H 'Authorization: Bearer xxxx'
I get
{"Message":"The requested resource does not support http method 'POST'."}
I created a grant and I wanted to delete it because I was testing. I thought that revoke can be something similar. I guess I am wrong about the grant concept here.
Is there a way to delete grants?
Why the error message is telling me that the revoke endpoint does not support POST?
As specified in the documentation for this endpoint, you need to specify dryRun query parameter.
https://my.tapkey.com/api/v1/owners/xxx/grants/xxxx/revoke?dryRun=false
With gcloud I am logged into a terminal window with my email address, me#gmail.com. This project has the Gmail API enabled, and I am owner of this config. gcloud auth list shows
`Active Account`
`*me#gmail.com`
gcloud projects get-iam-policy $PROJECT shows that me#gmail.com as owner
I have an Oauth client/secret created in the project. My intent it to generate an access token to authenticate to the gmail API via the terminal with
`curl -H "Authorization: Bearer $(gcloud auth print-access-token)" https://gmail.googleapis.com/gmail/v1/users/me/labels`. (me is my actual email address)
Doing so gives me a 403. I can, however, use https://developers.google.com/oauthplayground/
and get a token with my particular scopes fine. Do I need to pass the Oauth Client Id to print-access-token? Why wouldn't owner have permissions over all possible actions in an API that's enabled?
EDIT: I have tried logging with auth application-default credentials as well with the same result.
TIA
You don't have the correct scope. You need to correctly scope your credential. Start by using this command to add the scope that you want in your credential
gcloud auth application-default login \
--scopes='https://mail.google.com/',\
'https://www.googleapis.com/auth/cloud-platform'
Then use the application-default access_token to call your service
curl -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
https://gmail.googleapis.com/gmail/v1/users/me/labels`. (me is my actual email address)
It should work better.
I ignorantly deleted the service account to my GCP project rather than the service account to Google Calendar API and Dialogflow service account.
I'm now having issues trying to deploy my dialogflow agent through the inline code editor to Cloud Functions.
When I check the logs, I get this message:
2020-07-30 15:48:40.350 WAT
Dialogflow API
CreateCloudFunction
us-central1
bashorun.emma#gmail.com
userFacingMessage:
Default service account 'northern-timer-231210#appspot.gserviceaccount.com' doesn't exist.
Please recreate this account (for example by disabling and enabling the Cloud Functions API),
or specify a different account.;
com.google.cloud.eventprocessing.manager.api.error.DefaultServiceAccountDoesNotExistException: userFacingMessage:
Default service account 'northern-timer-231210#appspot.gserviceaccount.com' doesn't exist. Please recreate this account (for example by disabling and enabling the Cloud Functions API), or specify a different account.; Code: FAILED_PRECONDITION com.google.apps.framework.request.StatusException: <eye3 title='FAILED_PRECONDITION'/> generic::FAILED_PRECONDITION: userFacingMessage:
Default service account 'northern-timer-231210#appspot.gserviceaccount.com' doesn't exist.
Please recreate this account (for example by disabling and enabling the Cloud Functions API), or specify a different account.; com.google.cloud.eventprocessing.manager.api.error.DefaultServiceAccountDoesNotExistException: userFacingMessage:
Default service account 'northern-timer-231210#appspot.gserviceaccount.com' doesn't exist. Please recreate this account (for example by disabling and enabling the Cloud Functions API), or specify a different account.; Code: FAILED_PRECONDITION
Is it possible to retrieve back the service account or am I getting these errors as a result of a different problem?
After a service account is deleted, you can recover it between 30 days after its deletion.
To do it, you can run the following command from cloud shell:
gcloud beta iam service-accounts undelete ACCOUNT_ID
The account ID can be taken from stackdriver logging with the following filter
resource.type="service_account"
resource.labels.email_id="service-account-name"
"DeleteServiceAccount"
Hope this helps to recover your service account.
Recover App Engine or any deleted service account
You can undelete service accounts. You will need the service account's unique ID. If you don't have it, you can find it on Google Cloud Logging.
You can find Logging service here on the side menu:
Then you will need to filter by date and type service account to find the exact moment the service was deleted.
Then you can either
Option 1: Use Google Cloud Command Line
You can run the command line by installing it on your computer (https://cloud.google.com/sdk/docs/install). Or you can run it online using the Active Shell offered by Google Cloud Platform.
The command you want to run is the following.
gcloud beta iam service-accounts undelete 12345678901234567890
Option 2: Use Google Cloud API
Using curl, call the API with the following command.
You will need to change API_KEY, PROJECT_ID and SERVICE_ACCOUNT_UID for real values.
curl -X POST \
-H "Authorization: Bearer API_KEY \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SERVICE_ACCOUNT_UID:undelete"
You can get the API_KEY from Google Cloud Command Line:
gcloud auth application-default print-access-token
Again you can either have gcloud installed on your local machine or you can use it online with the Active Shell.