Spanner Emulator - Caller is missing IAM permission spanner.sessions.create on resource - google-cloud-spanner

While trying to execute a query on local emulator using Java client API, I am getting the following error -
com.google.cloud.spanner.SpannerException: PERMISSION_DENIED: com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Caller is missing IAM permission spanner.sessions.create on resource projects/test-project/instances/test-instance/databases/testdatabase.
How can I provide this user the capability to create a session on local spanner emulator?

The Cloud Spanner emulator does not implement any IAM and requires you to connect to it without any credentials, so this error seems at first sight to indicate that either:
You are not connected to the emulator after all, and this error is coming from the real Cloud Spanner.
You have connected to the emulator with credentials.
Would you mind sharing the part of your code that is creating the connection?

First of all make sure that you've followed the following steps to configure your local environment appropriately. Basically make sure that all the Cloud Spanner related APIs are enabled and run the following command:
gcloud auth application-default login
By making sure that the account used for authentication has a role with enough permissions as described on the Access Control documentation. The Cloud Spanner Database Admin should allow you to issue your query, but you can create a custom role if you think that the permissions granted by the mentioned predefined role are too much.
The official documentation advises creating a separate gcloud configuration and making sure that the SPANNER_EMULATOR_HOST environment variable is set in the following way (check the correct info here:
export SPANNER_EMULATOR_HOST=localhost:9010


Azure Bot service doesn't start

I have tried to set up this repo: https://github.com/xtreamsrl/clockify-nlp-bot but for different reasons, this seemed to be too complex for me to start. So I have decided to follow this tutorial: https://learn.microsoft.com/en-us/azure/bot-service/abs-quickstart?view=azure-bot-service-4.0&tabs=userassigned
Now there is a problem when I create the bot. If I follow the guide 1:1 my bot isn't starting as expected. I always get the following message:
Unfortunately, nearly every tutorial you can find on YouTube uses the deprecated "Web app bot" service instead of the "Azure bot".
Do you have an idea what is going wrong there? Or how to further troubleshoot? Thanks.
The issue seems related to permissions. Probably you don't have the required permission to deploy the resources.
If you are deploying resources as an Azure AD user or group member, make sure you have the relevant permissions. Make sure you have the required permission at the subscription level and the resource group level.
For me it deployed successfully.

How do I give permissions from GCP to Firebase Functions to access resources? (like GCE)

Does anyone know how I give permission from my project in GCP to a function created and deployed in Firebase? Because what I'm doing is the following:
1. From a site (also deployed in Firebase) I call the backend (Firebase Function).
2. The function itself tries to get resources from my GCP project (specifically, which instances are currently running).
3. Then I receive them and show them on the front end.
Step 2 is causing my problems. Currently, when I try to run it, it gives me the error:
Error: could not handle the request and in the log from the Firebase function I got: GaxiosError: Required 'compute.instances.list' permission for 'projects/projectID' so I know for sure that's a problem of authorization.
All of this worked just fine 2 months ago, but my free trial expired and we tried to move to another GCP account to finish this project (so I know the code works; the problem is for sure GCP, because when I use other API endpoints not related to GCP resources, they work just fine).
Any recommendation would be amazing, and if I didn't give enough info, just tell me. Thank you for your time.
Add an IAM role containing the required permission to the Cloud Function service account.
For example the role roles/compute.viewer has the permission compute.instances.list.
Review this page to learn more about Compute Engine IAM roles:
Compute Engine IAM roles and permissions
Firebase Functions are Cloud Functions. Cloud Functions uses the App Engine default service account for access control. The format of the service account's name is: PROJECT_ID@appspot.gserviceaccount.com. Find that service account under IAM and add the role mentioned above.
Cloud Functions Access Control
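
To confirm the fix described in the answer above, the project's IAM policy can be checked for the function's service account. This is an added example, not code from the thread: the project ID `demo-project`, the policy objects and the helper names are constructed for illustration, and the policies follow the shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```javascript
// Added example (not from the original thread). Policy objects are constructed
// sample data in the shape of `gcloud projects get-iam-policy --format=json`.
const BASIC_ROLES = new Set(['roles/owner', 'roles/editor', 'roles/viewer']);

// Member string for the App Engine default service account named in the answer.
function functionServiceAccount(projectId) {
  return `serviceAccount:${projectId}@appspot.gserviceaccount.com`;
}

// Lists the roles bound to `member`, whether `role` is among them, and any
// basic roles, which grant far more than a single permission.
function auditMember(policy, member, role) {
  const roles = (policy.bindings || [])
    .filter((b) => Array.isArray(b.members) && b.members.includes(member))
    .map((b) => b.role)
    .sort();
  return {
    member,
    roles,
    hasRole: roles.includes(role),
    basicRoles: roles.filter((r) => BASIC_ROLES.has(r)),
  };
}

const sa = functionServiceAccount('demo-project'); // hypothetical project ID

// Constructed: the service account has no binding, so the call is denied.
const policyMissing = { bindings: [
  { role: 'roles/owner', members: ['user:dev@example.com'] },
] };
// Constructed: the narrow role from the answer has been granted.
const policyNarrow = { bindings: [
  { role: 'roles/owner', members: ['user:dev@example.com'] },
  { role: 'roles/compute.viewer', members: [sa] },
] };
// Constructed: a basic role covers the call but is much wider than needed.
const policyBroad = { bindings: [
  { role: 'roles/editor', members: [sa, 'user:dev@example.com'] },
] };

for (const [name, policy] of Object.entries({ policyMissing, policyNarrow, policyBroad })) {
  console.log(name, auditMember(policy, sa, 'roles/compute.viewer'));
}
```

The check matches role names only and ignores conditional bindings; a basic role is reported separately because it may already cover the call while granting much more than `compute.instances.list`.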

What AWS role permissions do I need for AWS Cloud Debugging with WebStorm plugin?

I'm working on a Node app that has been uploaded as a Docker image to ECR and which runs as part of an ECS cluster and which connects to DynamoDB.
We can't debug the app locally -- we haven't been able to get the connection from Loopback to DynamoDB Local to work, but that's another story -- and so I thought perhaps I could use Cloud Debugging. I don't know much about Cloud Debugging, but I wanted to try it out to see if it would help with our use case.
I installed the AWS Toolkit for WebStorm (https://plugins.jetbrains.com/plugin/11349-aws-toolkit/) and have tried to start using Cloud Debugging. I have up-to-date credentials (shared credentials stored in ~/.aws/credentials), but it appears my role doesn't have the correct permissions. (see image)
Our AWS administrator wants to know exactly what permissions I need. The only information I could find was here https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/key-tasks.html#key-tasks-install, but our administrator said that that asks for me to have administrator permissions, which he won't give me.
I received this answer earlier today: it would seem that the help link in the plugin points to the wrong page. The correct one, with the correct information, is here .

Azure Devops release pipeline unauthorized for some projects

I am trying to release multiple projects in 1 solution using an Azure Release pipeline.
They are all connected to the same Azure Subscription, but some do deploy to the given app service while others give an unauthorized error.
I've looked into it and I read that adding website_webdeploy_use_scm to the app service should help with the Unauthorized error, but this didn't help for me.
What else could I look at? I connect through Azure DevOps, so I just selected the subscription from the list it automatically gathers from Azure, because I'm logged in using the same login as I use for Azure Portal.
the full error is:
Connected to the remote computer ("xxxx.azurewebsites.windows.net") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.
Error: The remote server returned an error: (401) Unauthorized.
According to the error, I'd suggest you check the service principal permissions. It probably lacks the permissions required to manage those webapps.
So after refreshing the publishing profile in Azure Portal and trying it again, it fixed itself, so I'm not sure if that caused it or not, but it worked!
Another fix is to delete the slot and make it again.

Node.js - Google Cloud application for production

I made a simple Node.js application that is using Google Cloud's Speech to Text API.
I could successfully authenticate locally, but how do I authenticate in production while keeping the credentials private?
P.S. My application is not using any other server than Google's servers.
The credentials necessary for making client calls are based on a strategy called Application Default Credentials. These can be found through an environment variable called GOOGLE_APPLICATION_CREDENTIALS if the variable is present. If the variable is not set, then the default credentials can be used. The following article provides detailed guidance on this topic:
Setting Up Authentication for Server to Server Production Applications
If your client is running outside of Google on your own premises (and hence not in a Compute Engine or GKE cluster) then the thinking will likely be that the credentials are contained in a file that is itself content protected by local OS access permissions. For example, contained in a file which has read permission restricted to either the user that runs your application or group that the user is a member of.
You need to be more specific to get more accurate answers
====================
OK, it's all about how you control the permission of your service account and there is a note in that page: "If you are developing a production app, specify more granular permissions than Project > Owner. For more information, see granting roles to service accounts."
You should use a specific service account needed to use this service. I don't have the particular role name (something like AutoML Viewer or Editor), and you need to test a minimum workable role in your Dev ENV.
After which, you can deploy your service into PROD and make sure the key is a 0400 file. So more or less the account can use limited service as expected.
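
Both answers above rely on OS file permissions to protect the key file when the application runs outside Google. A startup check for that, as an added example that is not code from the thread: it assumes a POSIX system, and the function names `checkKeyFile` and `requireSafeKeyFile` are hypothetical.

```javascript
// Added example (not from the original thread); assumes a POSIX system.
const fs = require('node:fs');

// Returns a list of problems with the key file named by
// GOOGLE_APPLICATION_CREDENTIALS; an empty list means the file passes.
function checkKeyFile(env = process.env) {
  const keyPath = env.GOOGLE_APPLICATION_CREDENTIALS;
  if (!keyPath) return ['GOOGLE_APPLICATION_CREDENTIALS is not set'];

  let st;
  try {
    st = fs.statSync(keyPath); // follows symlinks, so the target file is checked
  } catch (err) {
    return [`cannot stat ${keyPath}: ${err.code}`];
  }
  if (!st.isFile()) return [`${keyPath} is not a regular file`];

  const problems = [];
  const mode = st.mode & 0o777;
  const shown = mode.toString(8).padStart(4, '0');
  if (mode & 0o077) problems.push(`mode ${shown}: group or other can access the key`);
  if (mode & 0o300) problems.push(`mode ${shown}: owner has write/execute, expected 0400`);
  if (typeof process.getuid === 'function' && st.uid !== process.getuid()) {
    problems.push(`owned by uid ${st.uid}, not the uid running the application`);
  }
  return problems;
}

// Call before constructing any Google Cloud client; throws if the key is exposed.
function requireSafeKeyFile(env = process.env) {
  const problems = checkKeyFile(env);
  if (problems.length > 0) {
    throw new Error(`refusing to start: ${problems.join('; ')}`);
  }
}
```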
