Getting accessNotConfigured error from Admin Audit API

[Gwyn Howell]

Has anyone tried out the new Admin Audit API? Have been trying to get it working, but am hitting accessNotConfigured errors from the following URL:

https://www.googleapis.com/apps/reporting/audit/v1/[CUST_ID]/[APP_ID]?key=[API_KEY]&maxResults=10

Where...

 - CUST_ID is the value returned from https://apps-apis.google.com/a/feeds/customer/2.0/customerId

 - APP_ID = 207535951991 according to the documentation

 - API_KEY = my key from a new project in the API Console where I have enabled the Audit API

Here is the full JSON error:

{'status': 403, 'body': '{\n "error": {\n  "errors": [\n   {\n    "domain": "usageLimits",\n    "reason": "accessNotConfigured",\n    "message": "Access Not Configured"\n   }\n  ],\n  "code": 403,\n  "message": "Access Not Configured"\n }\n}\n', 'reason': ''}

Any help gratefully received!

Thanks,
Gwyn

[Michael Manoochehri]

Hi Gwyn:

It looks like you might have to toggle the "Audit API" button from the project where you retrieved your API_KEY.

Also, are you sure you are authenticating properly? 

Thanks,

Michael

[Gwyn Howell]

By toggle the "Audit API" button, I assume you mean enabling the Audit API for the API Console? In which case, I have done that.

Second, I was able to query the API for the Customer ID and am using the same auth header for this request, so assume I am authenticating properly.

I am extending the gdata.apps.service.PropertyService class (python) which I assume takes care of auth much like the other APIs, although I may be incorrect here as this is the first API I have used that requires the API Key.

Here is some sample code:

CONTROL_PANEL_APP_ID = '207535951991'

class AdminAuditService(gdata.apps.service.PropertyService):

    def get_cust_id(self):

        try:

            uri = '/a/feeds/customer/2.0/customerId'

            return self._GetProperties(uri)

        except gdata.service.RequestError, e:

            raise AppsForYourDomainException(e.args[0])

    def retrieve_all(self, api_key, cust_id=None):

        if not cust_id:

            cust_id = self.get_cust_id()

            cust_id = cust_id['customerId']

        try:

            uri = 'https://www.googleapis.com/apps/reporting/audit/v1/%s/%s?key=%s&maxResults=10' % (cust_id, CONTROL_PANEL_APP_ID, api_key)

            return self._GetProperties(uri)

        except gdata.service.RequestError, e:

            raise AppsForYourDomainException(e.args[0])

Thanks,

Gwyn

[Michael Manoochehri]

Well Gwyn,

It's hard to tell what might be happening without seeing your auth code - can you confirm that your OAuth scopes are correct?

Michael

[Gwyn Howell]

OAuth scope is https://www.googleapis.com/auth/apps/reporting/audit.readonly

[Gwyn Howell]

have been using the same oauth code for various other apis for ages so am pretty confident the oauth code is correct

[Chet]

Did you add the scope:
https://www.googleapis.com/auth/apps/reporting/audit.readonly
to your list of oauth scopes?

I'm also working on doing this in Python via the API and get to about
the same place as you - still haven't cracked it though. Using the
API_KEY is a new wrinkle and I'm not sure how using this will be
feasible in production code.

On Jun 8, 3:27 pm, Gwyn Howell <gwyn.how...@appogee.co.uk> wrote:
> By toggle the "Audit API" button, I assume you mean enabling the Audit API
> for the API Console? In which case, I have done that.
>
> Second, I was able to query the API for the Customer ID and am using the
> same auth header for this request, so assume I am authenticating properly.
>
> I am extending the gdata.apps.service.PropertyService class (python) which I
> assume takes care of auth much like the other APIs, although I may be
> incorrect here as this is the first API I have used that requires the API
> Key.
>
> Here is some sample code:
>
> CONTROL_PANEL_APP_ID = '207535951991'
> class AdminAuditService(gdata.apps.service.PropertyService):
>     def get_cust_id(self):
>         try:
>             uri = '/a/feeds/customer/2.0/customerId'
>             return self._GetProperties(uri)
>         except gdata.service.RequestError, e:
>             raise AppsForYourDomainException(e.args[0])
>
>     def retrieve_all(self, api_key, cust_id=None):
>         if not cust_id:
>             cust_id = self.get_cust_id()
>             cust_id = cust_id['customerId']
>         try:
>             uri =

> 'https://www.googleapis.com/apps/reporting/audit/v1/%s/%s?key=%s&maxRe...

[Gwyn Howell]

i have the same concerns regarding the api key, as i am going to have to get my customers to create they're own api keys (and possibly set up billing) which is going to be a pain. regardless, i just need to get it working now and worry about that later.

please update this thread with any breakthroughs!

[Claudio Cherubino]

Gwin,

I managed to retrieve the feeds from the Admin Audit API, so you are probably missing some steps.

First of all, did you create a Client ID in your API console? This step will provide you with Client ID and Client Secret to be used during the authentication process.

I understand you are also trying to use the Google Data APIs Python Client Library for both retrieving the Customer ID (which is provided by a GData API) and sending requests to the new Admin Audit API. 

The latter API is supported by our new Python client library:

http://code.google.com/p/google-api-python-client

Assuming you are able to get your Client ID, Client Secret, Consumer ID and API Key, you can use the following Python code (edited from the Buzz sample) with the new client library to send a request to the Admin Audit API:

#!/usr/bin/python2.4

import httplib2

import sys

from oauth2client.file import Storage

from oauth2client.client import OAuth2WebServerFlow

from oauth2client.tools import run

CLIENT_ID = 'your client id'

CLIENT_SECRET = 'your client secret'

CONSUMER_ID = 'your consumer id'

API_KEY = 'you api key'

# Set up a Flow object to be used if we need to authenticate. This

# sample uses OAuth 2.0, and we set up the OAuth2WebServerFlow with

# the information it needs to authenticate. Note that it is called

# the Web Server Flo w, but it can also handle the flow for native

# applications <http://code.google.com/apis/accounts/docs/OAuth2.html#IA>

# The client_id client_secret are copied from the API Access tab on

# the Google APIs Console <http://code.google.com/apis/console>. When

# creating credentials for this application be sure to choose an Application

# type of "Installed application".

flow = OAuth2WebServerFlow(

  client_id=CLIENT_ID,

  client_secret=CLIENT_SECRET,

  scope='https://www.googleapis.com/auth/apps/reporting/audit.readonly',

  user_agent='audit-cmdline-sample/1.0')

# If the Credentials don't exist or are invalid run through the native client

# flow. The Storage object will ensure that if successful the good

# Credentials will get written back to a file.

storage = Storage('credentials.dat')

credentials = storage.get()

if credentials is None or credentials.invalid:

  credentials = run(flow, storage)

# Create an httplib2.Http object to handle our HTTP requests and authorize it

# with our credentials.

http = httplib2.Http()

http = credentials.authorize(http)

resp, content = http.request('https://www.googleapis.com/apps/reporting/audit/v1/%s/207535951991?key=%s' % (CONSUMER_ID, API_KEY))

print content

Hope it helps

Claudio

On Wed, Jun 8, 2011 at 10:16 PM, Gwyn Howell <gwyn....@appogee.co.uk> wrote:

i have the same concerns regarding the api key, as i am going to have to get my customers to create they're own api keys (and possibly set up billing) which is going to be a pain. regardless, i just need to get it working now and worry about that later.

please update this thread with any breakthroughs!

--
You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.

To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/djlrR0NXYy1pdklK.

To post to this group, send email to google-app...@googlegroups.com.
To unsubscribe from this group, send email to google-apps-mgmt...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-apps-mgmt-apis?hl=en.

[Gwyn Howell]

Claudio,

Thank you very much for a very helpful response - I have got it working locally, but when I run the same code on App Engine, I get the following error:

OAuth 2.0 error: redirect_uri_mismatch

OAuth2 Request Details

• from_login=1
• response_type=code
• redirect_uri=http://thedevbox-dms.appspot.com/auth_return
• pli=1
• st=R8cqGhzspjDzGKIuthNq
• hl=en-GB
• client_id=287597505983.apps.googleusercontent.com
• scope=https://www.googleapis.com/auth/apps/reporting/audit.readonly

Any ideas?!

Thanks,

Gwyn

[Claudio Cherubino]

Did you add your redirect_uri to the Authorized Redirect URIs section in the Google APIs Console for your application?

Claudio

--

You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.

To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/wkh7NHtutqkJ.

[Gwyn Howell]

Yes, I have it working now. You have to create a client ID for Web Applications rather then Installed Applications (sounds obvious now, but you said in your earlier thread it should be Installed Application).

The only problem is that each of my customers will have a different URL (as the app is hosted on separate app engines), so OAuth 2.0 isn't going to work for me unless I use a proxy or something, which kind of defeats the point. The docs mention that the Admin Audit API will work with OAuth V1.0 as well - to you have any advise on getting it to work with OAuth V1.0?

[Claudio Cherubino]

Gwyn,

Installed Application is used for a script running on your machine, like the one we discussed earlier, while you are now trying to deploy your app on App Engine, i.e. a Web Application.

We don't have any tutorials on how to use OAuth 1.0 with this new API, perhaps some of the following references can help you:

http://code.google.com/appengine/articles/python/getting_started_with_tasks_api.html

http://code.google.com/apis/accounts/docs/OAuth.html

http://code.google.com/p/google-api-python-client/wiki/AuthenticationDesignDoc#Two_Legged_OAuth_1.0_(2LO)

http://code.google.com/p/google-api-python-client/wiki/AuthenticationDesignDoc#OAuth_1.0_Discovery

Claudio

On Fri, Jun 24, 2011 at 10:01 AM, Gwyn Howell <gwyn....@appogee.co.uk> wrote:

Yes, I have it working now. You have to create a client ID for Web Applications rather then Installed Applications (sounds obvious now, but you said in your earlier thread it should be Installed Application).

The only problem is that each of my customers will have a different URL (as the app is hosted on separate app engines), so OAuth 2.0 isn't going to work for me unless I use a proxy or something, which kind of defeats the point. The docs mention that the Admin Audit API will work with OAuth V1.0 as well - to you have any advise on getting it to work with OAuth V1.0?

--

You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.

To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/GN2_E7jVCwAJ.

[Johan Euphrosine]

Hi Gwyn,

You should be able to use OAuth 2.0 for multiple App Engine application with the same Client Id / Secret, and one redirect_url for each instance.

An alternative is to create one OAuth 2.0 Client Id / Secret pair for each application.

Hope that helps.

[Gwyn Howell]

OK thanks for your help. If I get anywhere I will update this thread with sample code.

Thanks again,

Gwyn

[Gwyn Howell]

Yeah I realise that, but I instruct my customers to create their own app engines, and therefore I would need to get them to request access to the admin audit api so i could create a new redirect url each time, which would then need copying to their app engine. Think I need to explore OAuth v1.0 options ...