Google_Service_SQLAdmin notauthorized error - howto fix?


Aseire Heard

August 3, 2017, 6:16:11 PM
to Google Cloud SQL discuss
Getting a notauthorized error when I try to use the sqlinstances.php example from https://developers.google.com/api-client-library/php/auth/service-accounts#sqlinstancesphp to get a list of my instances.  I added scopes (and authorized using API manager).  What am I doing wrong here please?

php sqlinstances.php

Fatal error: Uncaught exception 'Google_Service_Exception' with message '{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "notAuthorized",
    "message": "The client is not authorized to make this request."
   }
  ],
  "code": 403,
  "message": "The client is not authorized to make this request."
 }
}

and here is the code:

<?php

// https://developers.google.com/api-client-library/php/auth/service-accounts#sqlinstancesphp

// Autoload Composer.
require_once __DIR__ . '/vendor/autoload.php';
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json');

$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->addScope('https://www.googleapis.com/auth/cloud-platform');
$client->addScope('https://www.googleapis.com/auth/compute');
$client->addScope('https://www.googleapis.com/auth/compute.readonly');
$client->addScope('https://www.googleapis.com/auth/sqlservice.admin');

$sqladmin = new Google_Service_SQLAdmin($client);

// Project ID of the project for which to list Cloud SQL instances.
$project = 'IDofMyProject';  // TODO: Update placeholder value.
$optParams = [];
$response = $sqladmin->instances->listInstances($project, $optParams)->getItems();

echo json_encode($response) . "\n";
?>

David Newgas

August 3, 2017, 6:31:38 PM
to Google Cloud SQL discuss
Have you made sure to replace IDofMyProject with the actual ID of your project? Have you got service account credentials at the path you have in your code? Is that file readable by user executing your PHP code (probably your webserver)? Does the service account you are using have one of the owner, editor, viewer, cloudsql.admin, cloudsql.editor or cloudsql.viewer roles on the project?

--
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/a94ba5aa-fc3f-4dec-b4e2-cdb7baa0eb43%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
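
The role check asked about in the reply above, as an added example that is not part of the original thread. It reads a project IAM policy and reports whether a service account holds any of the six roles named there. The service account name and the sample policy are constructed for illustration.

```php
<?php
// Added example, not code from the thread.
// Role IDs for the roles named in the reply; the narrowest-first ordering is
// this example's own choice.
const SQL_LIST_ROLES = [
    'roles/cloudsql.viewer', 'roles/cloudsql.editor', 'roles/cloudsql.admin',
    'roles/viewer', 'roles/editor', 'roles/owner',
];

/** Every role bound directly to $member in a decoded IAM policy. */
function rolesFor(array $policy, string $member): array
{
    $roles = [];
    foreach ($policy['bindings'] ?? [] as $binding) {
        if (in_array($member, $binding['members'] ?? [], true)) {
            $roles[] = $binding['role'];
        }
    }
    return $roles;
}

/** The subset of SQL_LIST_ROLES that $member holds, narrowest first. */
function sqlListRoles(array $policy, string $member): array
{
    return array_values(array_intersect(SQL_LIST_ROLES, rolesFor($policy, $member)));
}

// Constructed sample in the shape printed by
// `gcloud projects get-iam-policy PROJECT_ID --format=json`.
// The service account name is a placeholder.
$policyJson = <<<'JSON'
{
  "bindings": [
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["serviceAccount:sa-example@examinable-example-123.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:owner@example.com"]}
  ],
  "version": 1
}
JSON;

$member = 'serviceAccount:sa-example@examinable-example-123.iam.gserviceaccount.com';
$policy = json_decode($policyJson, true, 512, JSON_THROW_ON_ERROR);
$held   = sqlListRoles($policy, $member);

echo 'Bound roles: ' . implode(', ', rolesFor($policy, $member)) . "\n";
echo $held
    ? "sql.instances.list allowed via {$held[0]}\n"
    : "None of the listed roles is bound: expect 403 notAuthorized\n";
```

Only direct bindings on the project are checked; a role inherited through a group, or granted at the folder or organization level, does not appear in this policy document.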

Aseire Heard

August 3, 2017, 7:54:22 PM
to Google Cloud SQL discuss
On "Does the service account you are using have one of the owner, editor,..." On the IAM page the service account shows its role as "compute instance admin" and when I click "Manage roles" I see the attached roles.jpg

Aseire Heard

August 3, 2017, 7:54:22 PM
to Google Cloud SQL discuss
Hooray!!! Error disappears after I add "Cloud SQL Admin" to original "Compute Instance Admin (V1)" (so now role shows as multiple). However response gives empty array (I have one stopped instance-1 that I expect to see). Maybe I have to specify region.


On Thursday, August 3, 2017 at 3:31:38 PM UTC-7, David Newgas wrote:

Aseire Heard

August 3, 2017, 7:54:22 PM
to Google Cloud SQL discuss
Have you made sure to replace IDofMyProject with the actual ID of your project? - Yes - verified by using actual ID ok with gcloud
Have you got service account credentials at the path you have in your code? - Yes - verified by doing a separate https://www.googleapis.com/auth/books
Is that file readable by user executing your PHP code (probably your webserver)? Yes - verified by changing and get a new 'Could not load the default credentials'

Does the service account you are using have one of the owner, editor, viewer, cloudsql.admin, cloudsql.editor or cloudsql.viewer roles on the project?  Not sure how do I check?

Appreciate the help


On Thursday, August 3, 2017 at 3:31:38 PM UTC-7, David Newgas wrote:

Aseire Heard

August 7, 2017, 9:04:25 AM
to google-cloud...@googlegroups.com
Interesting that the one stopped instance-1 that I expected to see was manually created from the dashboard. Instances created using the API do list fine. Apparently treated differently. Not a big deal as the service account can manage anyway.


David Newgas

August 7, 2017, 12:04:32 PM
to Google Cloud SQL discuss
Hi,

The "Manage Roles" is about defining what permissions each role has, not who has which role (e.g. so you could create custom roles). The "IAM" page (https://console.cloud.google.com/iam-admin/iam/project) is the one for giving roles to users. It sounds like you did this correctly for the service account and I'm glad you now don't get an auth error.

Stopped instances should show up with a sql.instances.list call. You can see that by running "gcloud --log-http sql instances list" - it makes the same call as your code and should show the stopped instance. The only way to _prevent_ it from returning the stopped instances is a filter, which I don't see in your example code.

If you have made code changes, can you share the latest version? What is the JSON output printed?


Aseire Heard

August 7, 2017, 1:36:03 PM
to google-cloud...@googlegroups.com
The latest (PHP service account) version is as in the sqlinstances.php example
https://developers.google.com/api-client-library/php/auth/service-accounts#sqlinstancesphp but with the addition of one line to add scopes:  $client->addScope('https://www.googleapis.com/auth/sqlservice.admin'); 

The response 'response_forum.txt' showing 'testname' instance is as attached

In all cases 'examinable-example-123' replaces our project id.



