Authentication/Secret Manager Issue


Mitchell Kovacs

Oct 5, 2022, 5:13:04 PM
to nomulus-discuss
Hello, I'm trying to get an alpha environment up and running but I've been running into some issues. I've been trying to follow the docs as closely as possible but it looks to contain outdated information in a few places and it's very possible I've made a mistake along the way.

After deploying and trying to access https://project-id.appspot.com/registrar
```
google.registry.persistence.PersistenceModule setSqlCredential: Failed to get SQL credential from Secret Manager. google.registry.privileges.secretmanager.SecretManagerClient$SecretManagerException: com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied for resource 'projects/project-id/secrets/sql-cred-live-label-nomulus-nomulus/versions/latest' (or it may not exist).
```

or when running create_tld with the admin tool I get a 500 server error. The error reporting shows the following error:

```
 google.registry.keyring.api.KeyringException: Failed to retrieve secret for json-credential-string
[ ... trim ... ]
Caused by: google.registry.privileges.secretmanager.SecretManagerClient$SecretManagerException: com.google.api.gax.rpc.PermissionDeniedException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Permission 'secretmanager.versions.access' denied for resource 'projects/project-id/secrets/keyring-json-credential-string/versions/latest' (or it may not exist). 
```
The authenticated user is an owner to the project.
My nomulus-config-alpha.yaml contains registryTool.clientId, registryTool.clientSecret, and the oAuth.allowedOauthClientIds.

I was unable to use the nomulus tool update_kms_keyring but looking through the git history it looks like that was removed, do I need to do something else instead?

If full stacktraces or other information is needed please let me know.
I'm not sure where I am going wrong, any help would be greatly appreciated.

Thanks,
Mitchell

Weimin Yu

Oct 7, 2022, 4:18:38 PM
to Mitchell Kovacs, nomulus-discuss
Hi,

The command to set up the keyring secrets has changed to 'update_keyring_secret'.

You can use this command to create a JSON_CREDENTIAL, which should be a downloaded service account key.
You got the permission denied message because the key is not present.


--
NOTE: This is a public discussion list for the Nomulus domain registry project.

Mitchell Kovacs

Oct 11, 2022, 3:15:02 PM
to nomulus-discuss
Hello,

Thanks for the reply, unfortunately when running the update_keyring_secret command I fail with the same error: " KeyringException: Failed to retrieve secret for json-credential-string"
I'm not sure where I am going wrong with this.

In "core/src/main/java/google/registry/config/files/nomulus-config-alpha.yaml" I have registryTool.clientId and registryTool.clientSecret set to the created Desktop OAuth 2.0 Client ID and secret.
I have also set oAuth.allowedOauthClientIds with the previously mentioned OauthClientId.
I think this part is working as "nomulus -e alpha login" appears to work.


I then run:
```
./nom_build build -x test
./nom_build appengineDeploy --environment=alpha
./nom_build nomulus
```

At this point in time I think I should be fine to set the JSON_CREDENTIAL secret so I run:
```
nomulus -e alpha update_keyring_secret --keyname JSON_CREDENTIAL --input service-account.json
```
where service-account.json is the App Engine default service account JSON key. This service account has Editor and Owner role.

Do you have any suggestions or ideas?

CRR Tech

Oct 12, 2022, 11:42:59 AM
to Mitchell Kovacs, nomulus-discuss
On Tue, Oct 11, 2022 at 3:15 PM 'Mitchell Kovacs' via nomulus-discuss <nomulus...@googlegroups.com> wrote:
> Hello,
>
> Thanks for the reply, unfortunately when running the update_keyring_secret command I fail with the same error: " KeyringException: Failed to retrieve secret for json-credential-string"
> I'm not sure where I am going wrong with this.

Could you paste the stack trace of the KeyringException? We don't have access to your project page. It is unexpected for the update keyring command to try to read the secret.


Mitchell Kovacs

Oct 12, 2022, 12:18:34 PM
to nomulus-discuss
Hi, I did find that odd but I'm unsure of where I am going wrong.

Here I have "nomulus" as an alias to the nomulus.jar I found: `alias nomulus="java -jar /home/nom/nomulus/core/build/libs/nomulus.jar"`

****

nom@ad6c75488bfa:~/nomulus$ nomulus -e alpha update_keyring_secret --keyname JSON_CREDENTIAL --input /tmp/nomulus-364415-c0161c7f9e60.json
Exception in thread "main" com.google.appengine.repackaged.com.google.api.client.http.HttpResponseException: 500 Internal Server Error
GET https://tools-dot-nomulus-364415.appspot.com:443/remote_api

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>500 Server Error</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Server Error</h1>
<h2>The server encountered an error and could not complete your request.<p>Please try again in 30 seconds.</h2>
<h2></h2>
</body></html>

        at com.google.appengine.repackaged.com.google.api.client.http.HttpResponseException$Builder.build(HttpResponseException.java:293)
        at com.google.appengine.repackaged.com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1118)
        at com.google.appengine.tools.remoteapi.OAuthClient.get(OAuthClient.java:79)
        at com.google.appengine.tools.remoteapi.RemoteApiInstaller.getAppIdFromServer(RemoteApiInstaller.java:427)
        at com.google.appengine.tools.remoteapi.RemoteApiInstaller.loginImpl(RemoteApiInstaller.java:389)
        at com.google.appengine.tools.remoteapi.RemoteApiInstaller.login(RemoteApiInstaller.java:348)
        at com.google.appengine.tools.remoteapi.RemoteApiInstaller.install(RemoteApiInstaller.java:184)
        at google.registry.tools.RegistryCli.runCommand(RegistryCli.java:257)
        at google.registry.tools.RegistryCli.run(RegistryCli.java:181)
        at google.registry.tools.RegistryTool.main(RegistryTool.java:129)

****

I then see the following application error with response code 403:



 google.registry.keyring.api.KeyringException: Failed to retrieve secret for json-credential-string
    at google.registry.keyring.kms.KmsKeyring.getDecryptedData(KmsKeyring.java:185)
    at google.registry.keyring.kms.KmsKeyring.getString(KmsKeyring.java:157)
    at google.registry.keyring.kms.KmsKeyring.getJsonCredential(KmsKeyring.java:149)
    at google.registry.keyring.api.KeyModule.provideJsonCredential(KeyModule.java:127)
    at google.registry.keyring.api.KeyModule_ProvideJsonCredentialFactory.provideJsonCredential(KeyModule_ProvideJsonCredentialFactory.java:39)
    at google.registry.keyring.api.KeyModule_ProvideJsonCredentialFactory.get(KeyModule_ProvideJsonCredentialFactory.java:31)
    at google.registry.keyring.api.KeyModule_ProvideJsonCredentialFactory.get(KeyModule_ProvideJsonCredentialFactory.java:11)
    at google.registry.config.CredentialModule_ProvideJsonCredentialFactory.get(CredentialModule_ProvideJsonCredentialFactory.java:42)
    at google.registry.config.CredentialModule_ProvideJsonCredentialFactory.get(CredentialModule_ProvideJsonCredentialFactory.java:13)
    at dagger.internal.DoubleCheck.get(DoubleCheck.java:47)
    at google.registry.monitoring.whitebox.StackdriverModule_ProvideMonitoringFactory.get(StackdriverModule_ProvideMonitoringFactory.java:41)
    at google.registry.monitoring.whitebox.StackdriverModule_ProvideMonitoringFactory.get(StackdriverModule_ProvideMonitoringFactory.java:13)
    at google.registry.monitoring.whitebox.StackdriverModule_ProvideMetricWriterFactory.get(StackdriverModule_ProvideMetricWriterFactory.java:48)
    at google.registry.monitoring.whitebox.StackdriverModule_ProvideMetricWriterFactory.get(StackdriverModule_ProvideMetricWriterFactory.java:14)
    at google.registry.monitoring.whitebox.StackdriverModule_ProvideMetricReporterFactory.get(StackdriverModule_ProvideMetricReporterFactory.java:38)
    at google.registry.monitoring.whitebox.StackdriverModule_ProvideMetricReporterFactory.get(StackdriverModule_ProvideMetricReporterFactory.java:14)
    at dagger.internal.DoubleCheck.get(DoubleCheck.java:47)
    at google.registry.module.ServletBase.init(ServletBase.java:53)
    at javax.servlet.GenericServlet.init(GenericServlet.java:244)
    at org.eclipse.jetty.servlet.ServletHolder$Wrapper.init(ServletHolder.java:1345)
    at org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:632)
    at org.eclipse.jetty.servlet.ServletHolder.initialize(ServletHolder.java:415)
    at org.eclipse.jetty.servlet.ServletHandler.lambda$initialize$0(ServletHandler.java:750)
    at java.util.stream.SortedOps$SizedRefSortingSink.end(SortedOps.java:352)
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
    at java.util.stream.StreamSpliterators$WrappingSpliterator.forEachRemaining(StreamSpliterators.java:312)
    at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:743)
    at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:580)
    at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:774)
    at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:379)
    at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1449)
    at com.google.apphosting.runtime.jetty94.AppEngineWebAppContext.startWebapp(AppEngineWebAppContext.java:274)
    at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1414)
    at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:916)
    at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:288)
    at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:524)
    at com.google.apphosting.runtime.jetty94.AppEngineWebAppContext.doStart(AppEngineWebAppContext.java:218)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
    at com.google.apphosting.runtime.jetty94.AppVersionHandlerFactory.doCreateHandler(AppVersionHandlerFactory.java:178)
    at com.google.apphosting.runtime.jetty94.AppVersionHandlerFactory.createHandler(AppVersionHandlerFactory.java:112)
    at com.google.apphosting.runtime.jetty94.AppVersionHandlerMap.getHandler(AppVersionHandlerMap.java:82)
    at com.google.apphosting.runtime.jetty94.JettyServletEngineAdapter.serviceRequest(JettyServletEngineAdapter.java:167)
    at com.google.apphosting.runtime.RequestRunner.dispatchServletRequest(RequestRunner.java:264)
    at com.google.apphosting.runtime.RequestRunner.dispatchRequest(RequestRunner.java:229)
    at com.google.apphosting.runtime.RequestRunner.run(RequestRunner.java:194)
    at com.google.apphosting.runtime.ThreadGroupPool$PoolEntry.run(ThreadGroupPool.java:273)
    at java.lang.Thread.run(Thread.java:748)
Caused by: google.registry.privileges.secretmanager.SecretManagerClient$NoSuchSecretResourceException: com.google.api.gax.rpc.NotFoundException: io.grpc.StatusRuntimeException: NOT_FOUND: Secret [projects/152175054457/secrets/keyring-json-credential-string] not found or has no versions.
    at google.registry.privileges.secretmanager.SecretManagerClientImpl.callSecretManager(SecretManagerClientImpl.java:171)
    at google.registry.privileges.secretmanager.SecretManagerClientImpl.getSecretData(SecretManagerClientImpl.java:119)
    at google.registry.privileges.secretmanager.KeyringSecretStore.getSecret(KeyringSecretStore.java:52)
    at google.registry.keyring.kms.KmsKeyring.getDecryptedData(KmsKeyring.java:183)
    ... 47 more
Caused by: com.google.api.gax.rpc.NotFoundException: io.grpc.StatusRuntimeException: NOT_FOUND: Secret [projects/152175054457/secrets/keyring-json-credential-string] not found or has no versions.
    at com.google.api.gax.rpc.ApiExceptionFactory.createException(ApiExceptionFactory.java:90)
    at com.google.api.gax.rpc.ApiExceptionFactory.createException(ApiExceptionFactory.java:41)
    at com.google.api.gax.grpc.GrpcApiExceptionFactory.create(GrpcApiExceptionFactory.java:86)
    at com.google.api.gax.grpc.GrpcApiExceptionFactory.create(GrpcApiExceptionFactory.java:66)
    at com.google.api.gax.grpc.GrpcExceptionCallable$ExceptionTransformingFuture.onFailure(GrpcExceptionCallable.java:97)
    at com.google.api.core.ApiFutures$1.onFailure(ApiFutures.java:67)
    at com.google.common.util.concurrent.Futures$CallbackListener.run(Futures.java:1132)
    at com.google.common.util.concurrent.DirectExecutor.execute(DirectExecutor.java:31)
    at com.google.common.util.concurrent.AbstractFuture.executeListener(AbstractFuture.java:1270)
    at com.google.common.util.concurrent.AbstractFuture.complete(AbstractFuture.java:1038)
    at com.google.common.util.concurrent.AbstractFuture.setException(AbstractFuture.java:808)
    at io.grpc.stub.ClientCalls$GrpcFuture.setException(ClientCalls.java:572)
    at io.grpc.stub.ClientCalls$UnaryStreamToFuture.onClose(ClientCalls.java:542)
    at io.grpc.PartialForwardingClientCallListener.onClose(PartialForwardingClientCallListener.java:39)
    at io.grpc.ForwardingClientCallListener.onClose(ForwardingClientCallListener.java:23)
    at io.grpc.ForwardingClientCallListener$SimpleForwardingClientCallListener.onClose(ForwardingClientCallListener.java:40)
    at com.google.api.gax.grpc.ChannelPool$ReleasingClientCall$1.onClose(ChannelPool.java:535)
    at io.grpc.PartialForwardingClientCallListener.onClose(PartialForwardingClientCallListener.java:39)
    at io.grpc.ForwardingClientCallListener.onClose(ForwardingClientCallListener.java:23)
    at io.grpc.ForwardingClientCallListener$SimpleForwardingClientCallListener.onClose(ForwardingClientCallListener.java:40)
    at io.grpc.census.CensusStatsModule$StatsClientInterceptor$1$1.onClose(CensusStatsModule.java:802)
    at io.grpc.PartialForwardingClientCallListener.onClose(PartialForwardingClientCallListener.java:39)
    at io.grpc.ForwardingClientCallListener.onClose(ForwardingClientCallListener.java:23)
    at io.grpc.ForwardingClientCallListener$SimpleForwardingClientCallListener.onClose(ForwardingClientCallListener.java:40)
    at io.grpc.census.CensusTracingModule$TracingClientInterceptor$1$1.onClose(CensusTracingModule.java:428)
    at io.grpc.internal.DelayedClientCall$DelayedListener$3.run(DelayedClientCall.java:468)
    at io.grpc.internal.DelayedClientCall$DelayedListener.delayOrExecute(DelayedClientCall.java:432)
    at io.grpc.internal.DelayedClientCall$DelayedListener.onClose(DelayedClientCall.java:465)
    at io.grpc.internal.ClientCallImpl.closeObserver(ClientCallImpl.java:562)
    at io.grpc.internal.ClientCallImpl.access$300(ClientCallImpl.java:70)
    at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInternal(ClientCallImpl.java:743)
    at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInContext(ClientCallImpl.java:722)
    at io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37)
    at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:133)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    ... 1 more
    Suppressed: com.google.api.gax.rpc.AsyncTaskException: Asynchronous task failed
        at com.google.api.gax.rpc.ApiExceptions.callAndTranslateApiException(ApiExceptions.java:57)
        at com.google.api.gax.rpc.UnaryCallable.call(UnaryCallable.java:112)
        at com.google.cloud.secretmanager.v1.SecretManagerServiceClient.accessSecretVersion(SecretManagerServiceClient.java:1279)
        at com.google.cloud.secretmanager.v1.SecretManagerServiceClient.accessSecretVersion(SecretManagerServiceClient.java:1215)
        at google.registry.privileges.secretmanager.SecretManagerClientImpl.lambda$getSecretData$8(SecretManagerClientImpl.java:122)
        at google.registry.util.Retrier.callWithRetry(Retrier.java:153)
        at google.registry.util.Retrier.callWithRetry(Retrier.java:74)
        at google.registry.privileges.secretmanager.SecretManagerClientImpl.callSecretManager(SecretManagerClientImpl.java:165)
        at google.registry.privileges.secretmanager.SecretManagerClientImpl.getSecretData(SecretManagerClientImpl.java:119)
        at google.registry.privileges.secretmanager.KeyringSecretStore.getSecret(KeyringSecretStore.java:52)
        at google.registry.keyring.kms.KmsKeyring.getDecryptedData(KmsKeyring.java:183)
        at google.registry.keyring.kms.KmsKeyring.getString(KmsKeyring.java:157)
        at google.registry.keyring.kms.KmsKeyring.getJsonCredential(KmsKeyring.java:149)
        at google.registry.keyring.api.KeyModule.provideJsonCredential(KeyModule.java:127)
        at google.registry.keyring.api.KeyModule_ProvideJsonCredentialFactory.provideJsonCredential(KeyModule_ProvideJsonCredentialFactory.java:39)
        at google.registry.keyring.api.KeyModule_ProvideJsonCredentialFactory.get(KeyModule_ProvideJsonCredentialFactory.java:31)
        at google.registry.keyring.api.KeyModule_ProvideJsonCredentialFactory.get(KeyModule_ProvideJsonCredentialFactory.java:11)
        at google.registry.config.CredentialModule_ProvideJsonCredentialFactory.get(CredentialModule_ProvideJsonCredentialFactory.java:42)
        at google.registry.config.CredentialModule_ProvideJsonCredentialFactory.get(CredentialModule_ProvideJsonCredentialFactory.java:13)
        at dagger.internal.DoubleCheck.get(DoubleCheck.java:47)
        at google.registry.monitoring.whitebox.StackdriverModule_ProvideMonitoringFactory.get(StackdriverModule_ProvideMonitoringFactory.java:41)
        at google.registry.monitoring.whitebox.StackdriverModule_ProvideMonitoringFactory.get(StackdriverModule_ProvideMonitoringFactory.java:13)
        at google.registry.monitoring.whitebox.StackdriverModule_ProvideMetricWriterFactory.get(StackdriverModule_ProvideMetricWriterFactory.java:48)
        at google.registry.monitoring.whitebox.StackdriverModule_ProvideMetricWriterFactory.get(StackdriverModule_ProvideMetricWriterFactory.java:14)
        at google.registry.monitoring.whitebox.StackdriverModule_ProvideMetricReporterFactory.get(StackdriverModule_ProvideMetricReporterFactory.java:38)
        at google.registry.monitoring.whitebox.StackdriverModule_ProvideMetricReporterFactory.get(StackdriverModule_ProvideMetricReporterFactory.java:14)
        at dagger.internal.DoubleCheck.get(DoubleCheck.java:47)
        at google.registry.module.ServletBase.init(ServletBase.java:53)
        at javax.servlet.GenericServlet.init(GenericServlet.java:244)
        at org.eclipse.jetty.servlet.ServletHolder$Wrapper.init(ServletHolder.java:1345)
        at org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:632)
        at org.eclipse.jetty.servlet.ServletHolder.initialize(ServletHolder.java:415)
        at org.eclipse.jetty.servlet.ServletHandler.lambda$initialize$0(ServletHandler.java:750)
        at java.util.stream.SortedOps$SizedRefSortingSink.end(SortedOps.java:352)
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
        at java.util.stream.StreamSpliterators$WrappingSpliterator.forEachRemaining(StreamSpliterators.java:312)
        at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:743)
        at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:580)
        at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:774)
        at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:379)
        at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1449)
        at com.google.apphosting.runtime.jetty94.AppEngineWebAppContext.startWebapp(AppEngineWebAppContext.java:274)
        at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1414)
        at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:916)
        at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:288)
        at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:524)
        at com.google.apphosting.runtime.jetty94.AppEngineWebAppContext.doStart(AppEngineWebAppContext.java:218)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
        at com.google.apphosting.runtime.jetty94.AppVersionHandlerFactory.doCreateHandler(AppVersionHandlerFactory.java:178)
        at com.google.apphosting.runtime.jetty94.AppVersionHandlerFactory.createHandler(AppVersionHandlerFactory.java:112)
        at com.google.apphosting.runtime.jetty94.AppVersionHandlerMap.getHandler(AppVersionHandlerMap.java:82)
        at com.google.apphosting.runtime.jetty94.JettyServletEngineAdapter.serviceRequest(JettyServletEngineAdapter.java:167)
        at com.google.apphosting.runtime.RequestRunner.dispatchServletRequest(RequestRunner.java:264)
        at com.google.apphosting.runtime.RequestRunner.dispatchRequest(RequestRunner.java:229)
        at com.google.apphosting.runtime.RequestRunner.run(RequestRunner.java:194)
        at com.google.apphosting.runtime.ThreadGroupPool$PoolEntry.run(ThreadGroupPool.java:273)
        ... 1 more
Caused by: io.grpc.StatusRuntimeException: NOT_FOUND: Secret [projects/152175054457/secrets/keyring-json-credential-string] not found or has no versions.
    at io.grpc.Status.asRuntimeException(Status.java:535)
    ... 25 more 

CRR Tech

Oct 12, 2022, 1:44:36 PM
to Mitchell Kovacs, nomulus-discuss
Thank you for the stack trace. The credential is needed by the command although it should not be. We need to fix this. In the meantime, you can get around this by manually creating a secret named 'json-credential-string' in the Cloud secret manager, and initializing it with your key file.


Mitchell Kovacs

Oct 12, 2022, 2:19:13 PM
to nomulus-discuss
If I add "json-credential-string" to the secret manager I get the same error with the same stack trace.
I thought it might be "keyring-json-credential-string" but no luck with that either.
For the value in the secret manager I am just uploading the key file I've downloaded as JSON from the service account.

Weimin Yu

Oct 12, 2022, 2:46:16 PM
to Mitchell Kovacs, nomulus-discuss
keyring-json-credential-string is the correct name.

Does the account that your Nomulus app on Appengine runs with have the permission to access the secret?
By default the app should run with the Appengine Default Service account (proje...@appspot.gserviceaccount.com)
and IIUC, it has the Editor role by default, which cannot read secret values.
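
The checks raised in the reply above, as an added example that is not part of the thread or the Nomulus project: confirm the secret exists and has a version, inspect who is bound on it, and grant the App Engine default service account the role that carries `secretmanager.versions.access`. The project ID passed in is a placeholder, and the helper function names are hypothetical; with `DRY_RUN=1` (the default) the `gcloud` commands are only printed.

```shell
#!/usr/bin/env bash
# Added example (not Nomulus code). Secret names are the ones quoted in the
# thread's error messages; the project ID you pass in is your own.

DEFAULT_SECRET="keyring-json-credential-string"
# Predefined role that includes the secretmanager.versions.access permission.
ACCESSOR_ROLE="roles/secretmanager.secretAccessor"

# Print the command; execute it only when DRY_RUN=0.
run() {
  printf '%s\n' "$*"
  if [ "${DRY_RUN:-1}" = "0" ]; then "$@"; fi
}

# E-mail of the App Engine default service account for a project ID.
default_app_sa() {
  printf '%s@appspot.gserviceaccount.com\n' "$1"
}

# NOT_FOUND vs PERMISSION_DENIED triage:
#   describe        -> does the secret resource exist in this project?
#   versions list   -> does it have at least one version ("has no versions")?
#   get-iam-policy  -> which principals are bound on the secret itself?
check_secret() {
  project="$1"
  secret="${2:-$DEFAULT_SECRET}"
  run gcloud secrets describe "$secret" --project="$project"
  run gcloud secrets versions list "$secret" --project="$project"
  run gcloud secrets get-iam-policy "$secret" --project="$project"
}

# Bind the accessor role on one secret only (not project-wide), for the
# service account the App Engine app runs as.
grant_secret_access() {
  project="$1"
  secret="${2:-$DEFAULT_SECRET}"
  member="serviceAccount:$(default_app_sa "$project")"
  run gcloud secrets add-iam-policy-binding "$secret" \
    --project="$project" --member="$member" --role="$ACCESSOR_ROLE"
}

# Usage: ./check_secret.sh PROJECT_ID [SECRET_NAME]
if [ -n "${1:-}" ]; then
  check_secret "$1" "${2:-$DEFAULT_SECRET}"
fi
```

Run it once per secret named in the errors (`keyring-json-credential-string` and the `sql-cred-...` secret), then re-run with `DRY_RUN=0` to execute the commands.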


Mitchell Kovacs

Oct 12, 2022, 3:04:11 PM
to nomulus-discuss
I'm using the default App Engine service account. It's set as editor and owner to the project.
The user I login to the nomulus admin tool with is also an editor and owner to the project.

I'm unsure if this is a red herring but when I have "keyring-json-credential-string" in the secret manager I am not seeing errors in the error reporting but the tool continues to fail with the 500 Server Error. I'm not sure where the error would now show up.