I've been trying to get data from GA using a service account; however, my issue is that it keeps saying:
Error: User does not have sufficient permissions for this profile.
I have enabled GA reporting API and given access to GA account using the email of the service account. In addition, it was granted "read and analyze" permissions on the account.
Tried this method on a personal account, and everything worked fine, however, when working on a client project, the issue comes back.
What could I be missing?
This was interesting to figure out.
I've used Account ID against one Google Analytics Account and that worked.
For the one I have been having an issue with, I needed to use the View ID.
Years ago we needed to use the Google maps APIs to provide a search service. I used my personal Gmail account to set it up and get it going.
Now that it's been running I'm receiving notifications about it to my personal account but I'd like them to go to my work account instead. I've associated my work account with my google account so I'm able to login with my work account to my gmail account. I then tried to invite my work account to the project and that seemed to work. However the project only lists my personal gmail account as a project owner. Is there any way to change this to my work account?
I would suggest going to Google Cloud IAM and adding the new email as a new user to the project.
Give the user the same roles/rights as the previous one (especially if it should be an Owner).
Then you can test everything with the new user.
If everything is okay, you can remove the old user from IAM.
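The add, test, then remove sequence from this answer, sketched against a project IAM policy in its JSON form. This is an added example, not code from the answer; the member names and the sample policy are constructed, and the last-Owner guard is an extra assumption beyond what the answer states.

```python
import copy

OWNER = "roles/owner"

def roles_of(policy, member):
    """Roles that name `member` directly in a project IAM policy."""
    return sorted({b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", [])})

def add_alongside(policy, old, new):
    """Step 1: grant `new` every role `old` holds, keeping `old` in place."""
    staged = copy.deepcopy(policy)
    for b in staged.get("bindings", []):
        if old in b["members"] and new not in b["members"]:
            b["members"].append(new)
    return staged

def remove_member(policy, old):
    """Step 2: drop `old`, refusing if no user would remain as Owner."""
    final = copy.deepcopy(policy)
    for b in final.get("bindings", []):
        b["members"] = [m for m in b["members"] if m != old]
    # Bindings left with no members are dropped from the policy.
    final["bindings"] = [b for b in final.get("bindings", []) if b["members"]]
    owners = [m for b in final["bindings"] if b["role"] == OWNER
              for m in b["members"] if m.startswith("user:")]
    if not owners:
        raise ValueError("removal would leave the project without a user Owner")
    return final

# Constructed sample policy (hypothetical members).
SAMPLE = {"bindings": [
    {"role": "roles/owner", "members": ["user:me.personal@example.com"]},
    {"role": "roles/billing.projectManager",
     "members": ["user:me.personal@example.com", "user:colleague@example.com"]},
]}
OLD, NEW = "user:me.personal@example.com", "user:me@work.example"

if __name__ == "__main__":
    staged = add_alongside(SAMPLE, OLD, NEW)   # both accounts hold the roles
    print(roles_of(staged, NEW))
    print(remove_member(staged, OLD))          # only after testing with NEW
```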
I'm using the Google Analytics API for a project and I would like to know if it's possible to request access to just one project from the user account instead of all of his projects.
So right now I'm asking for access to the following scope https://www.googleapis.com/auth/analytics.readonly and this grants me access to all the projects from the user account. Is there a way to narrow this permission to just one project and the user would select which project he would give me permission to read the data?
The way OAuth works with the Google Analytics API is that when a user grants you access to their Google Analytics account, they are granting you access to everything in their Google Analytics account.
For me this is a problem because I have access to customer Google Analytics accounts and I don't want to grant third-party applications access to them. Due to this limitation I have never been able to use third-party applications.
There is no way to limit it. It's an all-or-nothing type of thing. I have brought it up with the team in the past; currently there is nothing we can do about it.
I have a domain registered with Google Domains. I was trying to sign up for the Cloud Identity free version but somehow I ended up in a 14-day free trial of G-Suite premium. Even if I abandon that flow and restart with a different session, I end up in the G-Suite registration process. Is there a way to not sign up for G-Suite and only use the rest of the GCP?
I also wanted to sign up for Free version.
When I tried to do it via the G Suite console (Billing -> New services) it only allowed me to sign up for the Premium.
When I tried using a link from GCP, it said that my domain is already in use by another Google service.
So, how I made it work:
I went back to G Suite -> Billing -> New service
Sign up for Cloud Identity Premium
Came back to the Billing page scroll down and clicked on "Cloud Identity Free"
Signed up for it
On the Billing page cancelled the subscription to the Premium
I followed this guide to sign up for Cloud Identity free (today) and was not prompted for a GSuite free trial, nor, when I went to the billing section, did I see a GSuite free trial sub under my active subscriptions.
Since you already verified your domain and did the sign up, you can go to the admin console, then go to the billing section and look for the subscriptions that you're currently using, which should be GSuite premium (trial) and Cloud Identity free. Remove the GSuite subscription and just stick with Cloud Identity. If you're not able to view this Cloud Identity free subscription, then take a look at the following doc to understand how to "Upgrade or downgrade Cloud Identity".
Even though you sign up for Cloud Identity, it still uses the admin console, which is considered the "GSuite console"; here you can create/manage your users, groups, etc. for your domain/organization (GCP).
It seems like I resolved my issue. As it's all trial-and-error I am not sure what worked and why. Just some observations if someone else runs into this situation.
I waited for more than 14 days, the trial period for G-Suite premium which the system somehow thought I needed to complete.
As part of signing up for Cloud Identity, it no longer redirected me. However, it didn't accept the email I wanted to use (which I already used for the GCP account) saying that it's a personal account.
So I ended up using another email with my domain and that allowed me to complete the Cloud Identity registration. As part of this I completed domain verification.
After this, there is an option to "Rename User" which includes changing the email. I used this to change the email back to the one I wanted and it got accepted without any issues!
After this I tried to log in and the system recognized that there is a personal and a business account and asked which one I wanted to sign in to. I used the business account and made sure everything was working.
I also noticed that the GCP account I originally had got under the organization (can be verified by looking for "this account is managed by ..." when you click on the profile).
At this point I went ahead and deleted the unnecessary personal account associated with my business email.
Everything seems to be working and as expected (except why a youtube redirect is needed when doing a sign-in for enterprise services?)
Prior to Google's restructuring of Cloud API access, I had a gmail account that had access to a bunch of Google Analytics accounts, through which I established API access via OAuth credentials for a large number of sites. They changed their policies and began requiring domains to be verified before they could access credentials. This was the case for "public" applications, but if you switched it to "private" the domain verification no longer mattered. I had to do this because making the project public was a violation of the TOS. However, this coincided with the introduction of GCP's IAM permissions setup that forced me to create an "organization" and a "project" - and also forced me to create a Google Cloud Identity.
The stipulation of a private project was that you can only grant access to accounts under your organization. I added my gmail account to the organization and gave it administrative permissions.
So, I'm here: I set up new OAuth credentials for a new site, then try to access the API through those credentials. During the initial authorization screen, it asks me to select the appropriate Google account, and then is SUPPOSED to ask me to allow access. Instead, I get this error:
Authorization Error
Error 403: org_internal
This client is restricted to users within its organization.
BUT, the account I selected has been established as an administrator of the organization under which the API project resides! I have tried a billion different things, and the only way I seem to be able to grant access to ANYTHING is if I create the credentials under a different project and then log in with the GCI account. HOWEVER, that's not the account that has access to the Google Analytics, so it doesn't help me one bit.
To top it all off, Google has absolutely no support for this. They send me here, to Stack Overflow, to get support. Can anyone help?
The accepted answer didn't help. What helped were the following steps:
Go to Google Developer console (https://console.cloud.google.com/apis/credentials/consent?project=XXX)
Change User Type to External
Note: This does not make your site publicly accessible. It makes it so users outside your organization can be granted the normal way via IAM.
Linking an external email address does NOT make that identity part of the organization. Create a new identity based inside the organization. If your organization is example.com, create an identity such as john@example.com and use that identity. Your other option is to remove the restriction.
We are attempting to use GCR's container analysis API to send notifications via pub/sub when an image vulnerability has been found. We were able to get this working fine with a full admin account but have been unable to get a service account working.
We've confirmed the service account has full access to the Container Analysis API in the dashboard; however, any request we make gets denied. Our error occurs specifically when we call containerClient.GetOccurrence in the golang library.
Is there a special permission that needs to be granted at the project level for this to work?
Managed to answer my own question.
The service account in question was missing the roles/containeranalysis.occurrences.viewer role in IAM.
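One way to confirm the fix described in this answer is to check the project's IAM policy for the role it names. This is an added example, not code from the post; it assumes the policy has been exported as JSON (for instance with `gcloud projects get-iam-policy PROJECT_ID --format=json`), and the service account name and sample policies are constructed.

```python
REQUIRED = "roles/containeranalysis.occurrences.viewer"  # role named in the answer
BASIC = {"roles/owner", "roles/editor", "roles/viewer"}   # broad basic roles

def audit_grant(policy, sa_email, role=REQUIRED):
    """Report how (or whether) a service account holds `role` in a project policy.

    status: "granted" (unconditional), "conditional" (only via IAM conditions)
    or "missing". basic_roles lists broad roles held, as a least-privilege flag.
    """
    member = f"serviceAccount:{sa_email}"
    status, conditions, basic = "missing", [], []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        if binding["role"] in BASIC:
            basic.append(binding["role"])
        if binding["role"] != role:
            continue
        cond = binding.get("condition")
        if cond is None:
            status = "granted"
        else:
            conditions.append(cond.get("title", "<untitled>"))
            if status == "missing":
                status = "conditional"
    return {"status": status, "conditions": conditions,
            "basic_roles": sorted(basic)}

# Constructed sample policies (hypothetical service account and members).
SA = "vuln-notifier@example-project.iam.gserviceaccount.com"
POLICY_BEFORE = {"bindings": [
    {"role": "roles/pubsub.publisher", "members": [f"serviceAccount:{SA}"]},
    {"role": REQUIRED, "members": ["user:admin@example.com"]},
]}
POLICY_CONDITIONAL = {"bindings": [
    {"role": REQUIRED, "members": [f"serviceAccount:{SA}"],
     "condition": {"title": "expires-soon",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/editor", "members": [f"serviceAccount:{SA}"]},
]}
POLICY_FIXED = {"bindings": [
    {"role": REQUIRED, "members": [f"serviceAccount:{SA}"]},
]}

if __name__ == "__main__":
    for name in ("POLICY_BEFORE", "POLICY_CONDITIONAL", "POLICY_FIXED"):
        print(name, audit_grant(globals()[name], SA))
```

The exported project policy lists only bindings set on the project itself, so a "missing" result does not rule out a grant inherited from a folder or organization.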