Monday, August 7, 2017

Re: [google-cloud-sql-discuss] Google_Service_SQLAdmin notauthorized error - howto fix?

[{"backendType":"SECOND_GEN","connectionName":"examinable-example-123:us-central1:testname","currentDiskSize":null,"databaseVersion":"MYSQL_5_7","etag":"\"7nzH-h2yIa30FGKFRs9YFu88s0g\/eMJSnMyR6xcc7QEYwFKVnUvHMSg\"","instanceType":"CLOUD_SQL_INSTANCE","ipv6Address":null,"kind":"sql#instance","masterInstanceName":null,"maxDiskSize":null,"name":"testname","project":"examinable-example-123","region":"us-central1","replicaNames":null,"selfLink":"https:\/\/www.googleapis.com\/sql\/v1beta4\/projects\/examinable-example-123\/instances\/testname","serviceAccountEmailAddress":"yfifgx6xpvevpmqpil23pv7ila@speckle-umbrella-9.iam.gserviceaccount.com","state":"RUNNABLE","suspensionReason":null}]

The latest (PHP service account) version is as in the sqlinstances.php example
https://developers.google.com/api-client-library/php/auth/service-accounts#sqlinstancesphp but with the addition of one line to add scopes: $client->addScope('https://www.googleapis.com/auth/sqlservice.admin');

The response 'response_forum.txt' showing 'testname' instance is as attached.

In all cases 'examinable-example-123' replaces our project id.




On Mon, Aug 7, 2017 at 9:04 AM, 'David Newgas' via Google Cloud SQL discuss <google-cloud-sql-discuss@googlegroups.com> wrote:
Hi,

The "Manage Roles" is about defining what permissions each role has, not who has which role (e.g. so you could create custom roles). The "IAM" page (https://console.cloud.google.com/iam-admin/iam/project) is the one for giving roles to users. It sounds like you did this correctly for the service account and I'm glad you now don't get an auth error.

Stopped instances should show up with a sql.instances.list call. You can see that by running "gcloud --log-http sql instances list" - it makes the same call as your code and should show the stopped instance. The only way to _prevent_ it from returning the stopped instances is a filter, which I don't see in your example code.

If you have made code changes, can you share the latest version? What is the JSON output printed?

On Sun, Aug 6, 2017 at 11:29 AM, Aseire Heard <blogheard@gmail.com> wrote:
Interesting that the one stopped instance-1 that I expected to see was manually created from the dashboard. Instances created using the API do list fine. Apparently treated differently. Not a big deal as the service account can manage anyway.

On Thu, Aug 3, 2017 at 4:41 PM, Aseire Heard <blogheard@gmail.com> wrote:
Hooray!!! Error disappears after I add "Cloud SQL Admin" to original "Compute Instance Admin (V1)" (so now role shows as multiple). However response gives empty array (I have one stopped instance-1 that I expect to see). Maybe I have to specify region.


On Thursday, August 3, 2017 at 3:31:38 PM UTC-7, David Newgas wrote:
Have you made sure to replace IDofMyProject with the actual ID of your project? Have you got service account credentials at the path you have in your code? Is that file readable by user executing your PHP code (probably your webserver)? Does the service account you are using have one of the owner, editor, viewer, cloudsql.admin, cloudsql.editor or cloudsql.viewer roles on the project?

On Thu, Aug 3, 2017 at 3:12 PM, Aseire Heard <blog...@gmail.com> wrote:
Getting a notauthorized error when I try to use the sqlinstances.php example from https://developers.google.com/api-client-library/php/auth/service-accounts#sqlinstancesphp to get a list of my instances. I added scopes (and authorized using API manager). What am I doing wrong here please?

php sqlinstances.php

Fatal error: Uncaught exception 'Google_Service_Exception' with message '{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "notAuthorized",
    "message": "The client is not authorized to make this request."
   }
  ],
  "code": 403,
  "message": "The client is not authorized to make this request."
 }
}

and here is the code:

<?php

// https://developers.google.com/api-client-library/php/auth/service-accounts#sqlinstancesphp

// Autoload Composer.
require_once __DIR__ . '/vendor/autoload.php';
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json');

$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->addScope('https://www.googleapis.com/auth/cloud-platform');
$client->addScope('https://www.googleapis.com/auth/compute');
$client->addScope('https://www.googleapis.com/auth/compute.readonly');
$client->addScope('https://www.googleapis.com/auth/sqlservice.admin');

$sqladmin = new Google_Service_SQLAdmin($client);

// Project ID of the project for which to list Cloud SQL instances.
$project = 'IDofMyProject';  // TODO: Update placeholder value.
$optParams = [];
$response = $sqladmin->instances->listInstances($project, $optParams)->getItems();

echo json_encode($response) . "\n";
?>

--
You received this message because you are subscribed to the Google Groups "Google Cloud SQL discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-cloud-sql-discuss+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-cloud-sql-discuss/a94ba5aa-fc3f-4dec-b4e2-cdb7baa0eb43%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
