GCP Session Length


Dominik Kugelmann

Oct 16, 2019, 11:23:15 AM
to google-ap...@googlegroups.com
Hi guys,

with the recent launch to the GCP public beta for the session length I am wondering how gam is equipped to reauth the user after the session times out (if at all rn).

Steve Larsen

Oct 16, 2019, 7:50:47 PM
to Google Apps Manager
I don't think this will apply to the majority of admin use of gam. Only Admins accessing the GCP project which contains the OAuth consent screen details would be impacted.

But if you happen to be using gcp/cloud shell for your gam VM and using browser based ssh sessions only I'd expect that to be impacted. 

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAPyiHiNj-apMKf0BS-d1CMBEJty47ySXQERmqpinYmU%2BpZf3CQ%40mail.gmail.com.

Dominik Kugelmann

Oct 17, 2019, 5:41:35 AM
to GAM for G Suite
Since activating this setting I get the following error:

 ~ gam info domain

ERROR: Client OAuth2 File: /home/dominik_kugelmann_tech/.gam/oauth2.txt, Does not exist or has invalid format

Please run

gam oauth delete
gam oauth create

The file exists. 



After re-authing me I got it to work for an hour and now get this error: 

gam info group all    


ERROR: Authentication Token Error - invalid_grant: reauth related error (rapt_required)

ERROR: API access Denied

Ross Scroggs

Oct 17, 2019, 12:33:23 PM
to google-ap...@googlegroups.com
Dominik,

I used the wrong email address on my previous email, use this one.
I can talk tomorrow morning starting at 07:30PDT; I'm not available this weekend but will be available next week.

Can you set the session length to unlimited? Once an OAuth token is revoked, all you can do is another gam oauth create.
Doing that once an hour would be a nightmare.

Ross

Hi Ross,

Sorry I can't.  Let me know what times work for you over the next few days (including weekend).

Servus and Goodbye,
Dominik

On Thu, 17 Oct 2019 at 3:13 pm, Ross Scroggs <rscr...@pacbell.net> wrote:
Dominik,

I'm in California (PDT, it's now 6:13AM), can we connect via Google Hangout or Meet at 07:30?

Ross
--
rscr...@pacbell.net



--

Servus and Goodbye,
Dominik


Jay Lee

Oct 17, 2019, 12:44:05 PM
to google-ap...@googlegroups.com
At this point if you are turning session length on it will be necessary to do the "gam oauth revoke" and "gam oauth create" each time your session expires. There's the potential for GAM to detect the re-auth request and push the user through browser authentication (password and/or security key as required) but that will depend on work being done to the lower level libraries GAM is utilizing.

Jay

Dominik Kugelmann

Oct 18, 2019, 12:25:50 PM
to google-ap...@googlegroups.com
At the moment I can turn off / extend the session length but there might be other users who might need to enable this in the future and that would be painful.  So thanks for taking a look, I guess?! 😬

Servus and Goodbye,
Dominik



Jay Lee

Oct 18, 2019, 12:38:28 PM
to google-ap...@googlegroups.com
Dominik,

  Can you try:

gam oauth revoke    # (or just delete oauth2.txt if it's throwing rapt errors)

gam oauth create
<Enter "22" to unselect "Cloud Storage (Vault Export - read only)">
continue authentication process, run a few commands to make sure they work then wait whatever session length you have configured in the beta and after that see if it's still working.

I suspect we're only getting the re-auth request right now because GAM does include one Google Cloud Storage scope by default. Assuming you aren't downloading Vault exports you won't need that.

It's worth noting that Session Length is in beta, not meant for general release right now but hopefully this will solve your immediate issue.

Jay


Dominik Kugelmann

Oct 22, 2019, 1:50:19 PM
to google-ap...@googlegroups.com
Removing the scopes for Cloud Storage and Pub/Sub fixed the issue.  But that doesn't sound like a long-term solution for future development.  I'd love to keep those scopes for future use if possible while not having the issue of revoking and creating the file regularly.  

And the fact that it is in beta is why we test it internally on our demo domains to catch issues like this for our clients ;)

Servus and Goodbye,
Dominik
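
Added example, not part of the thread and not GAM's own code: a small helper for scripts that wrap GAM. It separates the re-auth failure quoted above (invalid_grant with a rapt subtype) from other token errors, and lists which requested scopes are likely to trigger it. The function names, the sample scope list and the inclusion of the cloud-platform scope are assumptions; the error line is the one posted in the thread.

```python
import re

# Scopes the thread ties to the re-auth prompt (Cloud Storage, Pub/Sub).
# cloud-platform is an assumption added here as the umbrella GCP scope.
SESSION_CONTROLLED_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/pubsub",
    "https://www.googleapis.com/auth/cloud-platform",
}

# Error output as posted in the thread.
SAMPLE_OUTPUT = (
    "ERROR: Authentication Token Error - invalid_grant: "
    "reauth related error (rapt_required)\n"
    "ERROR: API access Denied\n"
)

# Captures the OAuth error code and, if present, the trailing "(subtype)".
_TOKEN_ERROR = re.compile(
    r"Authentication Token Error - (?P<code>\w+):\s*.*?"
    r"(?:\s*\((?P<subtype>\w+)\))?\s*$"
)


def classify_gam_error(output):
    """Return (category, oauth_code, subtype) for captured GAM error output."""
    for line in output.splitlines():
        m = _TOKEN_ERROR.search(line)
        if not m:
            continue
        code, subtype = m.group("code"), m.group("subtype")
        if code == "invalid_grant" and subtype and "rapt" in subtype:
            # Session expired: needs gam oauth revoke + gam oauth create.
            return ("reauth_required", code, subtype)
        if code == "invalid_grant":
            # Grant rejected for another reason (e.g. revoked token).
            return ("grant_invalid", code, subtype)
        return ("other_token_error", code, subtype)
    return ("no_token_error", None, None)


def session_controlled(scopes):
    """Return the requested scopes expected to be subject to session length."""
    return sorted(set(scopes) & SESSION_CONTROLLED_SCOPES)
```

A wrapper can alert on `reauth_required` instead of retrying, since retries cannot succeed until an interactive `gam oauth create` has been done.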
