PermissionDenied: 403 IAM permission 'dialogflow.sessions.detectIntent' on 'projects/XXXX-live/agent' denied.
I have used the DialogFlow client as a role while creating the service.
What could be the problem?
When I was playing around with permissions with service accounts, I also encountered the same problem. I created a completely new service account and then gave it the client role, and it worked for some unknown reason.
I would suggest trying to create another account and then giving it the client role and seeing if it works for that account.
Also, this isn't necessarily a kosher fix per say, but if you give the account the admin role, then your problem will also be solved.
Edit: At first I thought it might have to do with how the service accounts were created (cloud console vs. command-line), but it seems that's not the case. For some reason it's just the first service account that you create that a client role doesn't work for.
I faced the same issue while integrating Dialogflow with external client.
The root cause for my case was that even though I created the service account for my external client, I forgot to add the service account and give "Dialogflow API Admin' Role.
How I resolve: In GCP project, go to IAM > click the top "+ADD" button and search for the service account that you want to grant permission access, choose role type "Dialogflow API Admin"
I solved my error by doing this
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file(
'C:\\Users\\ashis\\Downloads\\id.json')
def create_intent(project_id, display_name, training_phrases_parts,
message_texts):
"""Create an intent of the given intent type."""
intents_client = dialogflow.IntentsClient(credentials=credentials)
# session_client = dialogflow.SessionsClient(credentials=credentials)
Then I went to the IAM settings for my project
https://console.cloud.google.com/iam-admin/iam?project=
and gave the dialogflow service account members a higher role(like project owner).
You have to give permission to the mega agent.
Related
I'm trying to have my server automatically create android in app payment products.
I'm currently using the googleapis npm package and a service account. The service account has the View financial data, Manage orders and subscriptions, and View app information (read-only) permissions. The service account can validate receipts perfectly fine, but upon trying to create a product using google.androidpublisher("v3").inappproducts.insert() it returns Error: The caller does not have permission
As far as I can tell the caller is the service account that has been given the permissions to do payment stuff. My one other option is to just give the account every possible permission and wait the day or so it takes for the permissions to propagate. In the meantime is there anything else I can do to give the service worker the needed permissions in order to be able to create in app products?
I am trying to create a new Blazor server app and configure it to use a new Azure Active Directory that I recently created. I have found a couple tutorials online showing how to do this, including one from Microsoft, but I keep encountering an error that says "The user account doesn't have the required permissions to access the domain."
I read online that I needed to verify that my user account is assigned to the Global Administrator role, which I did and it is. I have tried to create 3 different active directories in Azure to see if it was a fluke, but I have received the same error message each time.
Any help that you are able to provide would be greatly appreciated.
Make sure that you have signed in to Visual Studio with an admin account of the domain (here it should be "thomasagarza#yahoo.com").
After adding the account, you can apply filter for it (select the domain it is an member in). Make sure you have added it as the guest of that domain and assign Global Admin role to it.
Then all the related domains will be listed when you create a new project with Work or School Accounts Authentication. Select the domain which "thomasagarza#yahoo.com" is the admin in and click on OK. Generally you won't be required to enter your credential again in this step.
Please note if you have a custom domain for your AAD tenant and have made it primary, the domain listed here will be the custom domain name. In this case, if you manually set the domain as the format "***.onmicrosoft.com", you will get the error you are facing.
I am using .Net Core App with hosting it on Azure Portal. Now at some place I need to use Get the detail of logged in User (Active Directory user) in the application. So for that I am using Microsoft Graph API. So to setup this permission I am using Get-AzureADServiceAppRoleAssignment command. It is working fine when I run this command with Global Administrator account access. But it throws error when I used it without Global Administrator account access.
Error: Service_InternalServerError. as shown in below image.
Anyone have an idea or suggestions how to get rid of this error, and Is there any way to run this script without Global Admin access?
Any help or suggestions will be highly appreciated !
Thanks
Assign the Cloud Application Administrator directory role to the affected user and try again.
the problem here is you don't necessarily need global admin, but the application/user would need a role that has at least roleassignment permissions. so you could create a custom role at the subscription level that has role assignment permissions.
you need
"Microsoft.Authorization/roleAssignments/"
and maybe
"Microsoft.Management/managementGroups/read"
"Microsoft.Authorization/roleDefinitions/"
However, I would like to point out that if an application has role assignment permissions, it can technically assign itself a global admin role.. so it doesn't add any extra real security.
I need to schedule two cloud functions to run at a predefined time using Cloud Scheduler. However, when I click on the Cloud Scheduler tab it shows the below error message.
You don't have permission to enable Cloud Scheduler (appengine.applications.create, serviceusage.services.enable)
So I asked the project owner to grant me access to the below roles:
Cloud Scheduler admin
AppEngine Admin
Service Usage Admin
However, even after this I'm still getting the same message as before.
Below are the current roles that I have access to:
App Engine Admin
BigQuery Data Viewer
BigQuery User
Cloud Scheduler Admin
Cloud SQL Admin
Editor
Service Usage Admin
Storage Admin
Kindly let me know if I'm missing something here.
You don't need to be the project Owner.
You need these permission:
appengine.applications.create
serviceusage.services.enable
Predefined roles for first permission:
roles/owner
roles/appengine.appCreator
Predefined roles for second permission:
roles/owner
roles/editor
roles/serviceusage.serviceUsageAdmin
Since you already are an Editor, you only need to request App Engine Creator role for the first permission.
For you to be able to perform the configuration of Cloud Scheduler, you need to be the Project Owner.
Could you please give it a try asking your administrator to make you the Project Owner?
Understanding roles
This should fix your issue and solve your case. In case it doesn't, let me know if you are facing the same error.
Please, let me know if it worked!
If you are using target HTTP Method in your Cloud Scheduler, you can add Auth Header (Add OAuth token) with a particular or spesific service account.
I'm just starting on this, been going through the Microsoft documentation and the lightbulb hasn't come on yet...
How do I add a user to my subscription so they can login? From there I just need to limit them to Azure Media Services.
I've seen instructions on web for clicking a "Users" button from subscription, but I do not see that. I've tried adding a user through the Azure Active Directory as well with no luck...
Any ideas would be helpful.
Thanks!
James
OK, so I figured this out:
1) Add your user to Active Directory (I added guest user)
2) Go to subscriptions and to your IAM panel
3) Ensure that your new user has access to at least Read the subscription.
(When I did this it allowed me to view my Azure resources as other user)
4) From there I created a role in a JSON file and used New-AzureRmRoleDefinition -InputFile to import it. IMPORTANT: Make sure for permissions you have Microsoft.Media/* and Microsoft.Media/mediaservices/*
5) Once I did this I went to my Media Services IAM panel and added the user to my new Azure Media Services role.
6) Presto! It started working.
Thanks to all who responded to this thread!!!
I've tried adding a user through the Azure Active Directory as well
with no luck...
This is exactly what you need. Create a user in Azure Active Directory (at portal.azure.com) and grant them access to your subscription with the custom role to allow only Azure Media Services (I don't think there's a built-in role for that). To do that, follow the links (to create custom role, to create user and to assign user that role). I don't think you can create custom role using portal, so you will need REST API or powershell\CLI\SDK
Links:
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-what-is
https://learn.microsoft.com/en-us/azure/active-directory/add-users-azure-active-directory