I am currently deploying a Django application to GCP Cloud Run.
I have replaced Cloud Run Default Service Account (....compute#developer.gserviceaccount.com) with a custom one.
But I get an error message:
AttributeError: you need a private key to sign credentials.the credentials you are currently using <class 'google.auth.compute_engine.credentials.Credentials'> just contains a token. ...
This bit is confusing me:
<class 'google.auth.compute_engine.credentials.Credentials'>
The error reported of the context of Django Storages which I use to store files.
Is this message means the service account which is used by Cloud Run is still the default one (GOOGLE_APPLICATION_CREDENTIALS is set as Compute Engine)?
Why not the Custom Service Account is used as an Identity for the Cloud Run?
Why Cloud Run still checking the Default one I expected I replaced it with te Custome Service Account?
I am a bit new with the IAM, but if somebody could explian why it is happeing would be appriciated.
I'm trying to get my Flask App Engine project to read data stored in Cloud SQL MySQL 5.7 database. Something has gone wrong as all I've gotten are pymysql.err.OperationalError. I've been following the instructions here: https://cloud.google.com/sql/docs/mysql/connect-app-engine.
The Cloud SQL Admin API is enabled.
According to the linked document:
App Engine uses a service account to authorize your connections to Cloud SQL. This service account must have the correct IAM permissions to successfully connect. Unless otherwise configured, the default service account is in the format service-PROJECT_NUMBER#gae-api-prod.google.com.iam.gserviceaccount.com.
The IAM page listing the permissions for my project doesn't contain a member in the above format. The "App Engine default service account" is of the format: my-project-name#appspot.gserviceaccount.com. This service account has Cloud SQL Client and Editor roles.
While my queries are unsuccessful, after each attempt I note in the Logs Viewer:
7183 [Note] Access denied for user 'www-data'#'cloudsqlproxy~xxx.xxx.xx.xx' (using password: YES)
(IP address redacted). This is somewhat confusing as 'www-data' isn't a user I specified in my code.
The code used to connect:
app.config['SQLALCHEMY_DATABASE_URI'] = 'mysql+pymysql://' + ':' + db_user + '#/' + db_name + '?unix_socket=/cloudsql/' + connection_name
Where have I gone wrong and how might I fix it?
This error is a mySQL error when trying to connect to a database with wrong credentials.
Please verify that the values you are using are the right ones.
If you dont rember the database username and password you can change it on the console by following the next steps which are also expalined here
Go to CloudSQL console
Select your database
Go to users
next to the user select click on the three dots
And select Change password
Type the new password and click OK
Mostly likely, you're building and testing your app locally where you're supplying your credentials with a username that has access to Cloud SQL. Upon build, unless you otherwise specify, a default username will be assigned to the app engine instance.
To fix this:
Head over to IAM & admin
Search for the app engine account --> ending with gae-api-prod.google.com.iam.gserviceaccount.com
Edit
Assign permission Cloud SQL Client
Let me know if this solves it for you!
I'm trying to get the list of the intents in my Dialogflow agent using Dialogflow's V2 APIs but have been getting the following error:
PermissionDenied: 403 IAM permission 'dialogflow.intents.list' on 'projects/xxxx/agent' denied.
I adopted the following steps:
I created a new agent(with V2 APIs enabled) and a new service account for it.
I downloaded the JSON key and set my GOOGLE_APPLICATION_CREDENTIALS variable to its path.
Following is my code:
import dialogflow_v2 as dialogflow
os.environ["GOOGLE_APPLICATION_CREDENTIALS"]="/home/user/folder/service-account-key.json"
client=dialogflow.IntentsClient()
parent = client.project_agent_path('[PROJECT_ID]')
for element in client.list_intents(parent):
pass
I have made various agents and service accounts and even changed the role from Admin to Client but can't figure out any solution. I tried the following solution but didnt' work
Tried Solution: DialogFlow PermissionDenied: 403 IAM permission 'dialogflow.sessions.detectIntent'
There is no need for creating a new Agent. You can edit the existing agents IAM.
In Dialogflow's console, go to settings ⚙ > under the general tab, you'll see the project ID section with a Google Cloud link to open the Google Cloud console > Open Google Cloud.
In google cloud, go to IAM Admin > IAM under tab Members. Find the name of your agents and then click on edit.
Give admin permissions to the agent to give permissions to list intent.
The problem lies in the IAM section of GCP. Probably you are making a POST request with a role that does not have the necessary authorizations.
Look into your key.json file that contains the field "client_email"
Proceed to the IAM page and set the relevant role with that email to
a role that has posting capabilities. (e.g. Admin)
This solved my problem.
In Dialogflow's console, go to settings ⚙ > under the general tab, you'll see the project ID section with a Google Cloud link to open the Google Cloud console > Open Google Cloud.
(Optional) In the Cloud console, go to the menu icon > APIs & Services > Library. Select any APIs (if any) > Enable.
In Cloud Console > under the menu icon ☰ > APIs & Services > Credentials > Create Credentials > Service Account Key.
Under Create service account key, select New Service Account from the dropdown and enter a project name and for role choose Owner > Create.
JSON private key file will be downloaded to your local machine that you will need.
For Javascript:
In the index.js file you can do service account auth with JWT:
const serviceAccount = {}; // Starts with {"type": "service_account",...
// Set up Google Calendar Service account credentials
const serviceAccountAuth = new google.auth.JWT({
email: serviceAccount.client_email,
key: serviceAccount.private_key,
scopes: 'https://www.googleapis.com/auth/xxxxxxx'
});
For Python:
There's a Google Auth Python Library available via pip install google-auth and you can check out more here.
When you create the intentClient, use following:
key_file_path = "/home/user/folder/service-account-key.json";
client=dialogflow.IntentsClient({
keyFilename: key_file_path
})
Intents list
This error message is usually thrown when the application is not being authenticated correctly due to several reasons such as missing files, invalid credential paths, incorrect environment variables assignations, among other causes. Keep in mind that when you set an environment variable value in a session, it is reset every time the session is dropped.
Based on this, I recommend you to validate that the credential file and file path are being correctly assigned, as well as follow the Obtaining and providing service account credentials manually guide, in order to explicitly specify your service account file directly into your code; In this way, you will be able to set it permanently and verify if you are passing the service credentials correctly.
Passing the path to the service account key in code example:
def explicit():
from google.cloud import storage
# Explicitly use service account credentials by specifying the private key
# file.
storage_client = storage.Client.from_service_account_json('service_account.json')
# Make an authenticated API request
buckets = list(storage_client.list_buckets())
print(buckets)
Try also to create project in DialogFlow Console
https://dialogflow.cloud.google.com/
You need to create the following as environment variable
googleProjectID: "",
dialogFlowSessionID: "anything",
dialogFlowSessionLanguageCode: "en-US",
googleClientEmail: "",
googlePrivateKey:
I think you might have missed the Enable the API section in the documentation setup.
Here is that link:
https://cloud.google.com/dialogflow/cx/docs/quick/setup#api
After clicking the link, select the chatbot project you created and fill the necessary instructions given there.
The permissions that I have given for that project are Owner, and editor.
After this, try the code in this link:
https://cloud.google.com/dialogflow/es/docs/quick/api#detect_intent
You should get a response from your chatbot
Hope this helps!
I'm using Nativescript with AWS Amplify to login to AWS AppSync.
The session stored by Amplify is cleared after app refresh. I get no user from Auth.currentSession() after app refresh.
However, I store the jwt from login and can access endpoints manually by passing that in header.
I would like to use this to make Amplify believe that a user is logged in to use it in other parts of the application.
Is there a way to manually set credentials to use all the functionality of Amplify?
And how is successful login handled? How can I emulate the behaviour after successful login to set current session credentials manually?
There is no possible way to this this as of now, however according to this and this issue on github, they have acknowledged this as a feature-request and are probably working on this.
The solution to my problem was to use the nativescript-localstorage module and assign global["storage"] to this module.
import * as storage from "nativescript-localstorage"
global["storage"] = storage;
Am trying to migrate my oracle database to a AWS Redshift cluster, and am following the steps as documented here in the AWS website.
When I try to create a project in AWS Schema Conversion Tool, configure for Oracle (running in my laptop), am unable to get successfull connection, and here is the error
Connection to 'jdbc:oracle:thin:#localhost:1521:orcl' wasn't
established. ERROR: code: 28009; message: ORA-28009: connection as SYS
should be as SYSDBA or SYSOPER
Please note that in Schema Conversion Tool project page, I don't see a section "Connect as SYSDBA" option? I tried with some other sample users such as SCOTT, and I get Insufficient privileges.
With the same configurations am able to connect from a sql client, SQLWorkbench.
Appreciate any help please. Thanks
To connect to Schema conversion tool you need a user having permissions as connect ,select_catalog_role and select any dictionary. Make sure these permissions are set correctly. Either create a new user with these permissions or modify rights of exiting user. SYS\SYSDBA will not be helpful.
As you are in localhost, with given permissions, you should be able to connect.
You can also connect using sys, in user name field provide the user name like this
sys as sysdba
As per the AWS documentation if Oracle is a source DB then user should be created like this.
CREATE USER oracle_sct_user IDENTIFIED BY password;
GRANT CONNECT TO oracle_sct_user;
GRANT SELECT_CATALOG_ROLE TO oracle_sct_user;
GRANT SELECT ANY DICTIONARY TO oracle_sct_user;
and AWS DMS requires oracle user to have some privileges, detail can be found here.
https://docs.aws.amazon.com/dms/latest/sbs/CHAP_Oracle2PostgreSQL.Steps.ConfigureOracle.html