Removing contract failed: [Error Code: 1056] (RemoveContract) is not authorized: removing contracts requires authorization from specific accounts - onflow-cadence

Using flow-cli, if I run flow accounts remove-contract HelloWorld --network testnet --signer testnet-account I get the above error. I created the contract using the same account but am unable to remove it from testnet.
I read something about using auth accounts to remove contracts but couldn’t find any relevant examples showing its use case. Any suggestions?
Do let me know if I can share any more information.
flow version: 0.41.0
account address: 0xf6827b3c1293b661
I am using this guide as a reference to remove the contract from testnet: https://developers.flow.com/tools/flow-cli/account-remove-contract

Currently, testnet does not allow the removal of contracts. We have made contract removal temporarily permissioned on Testnet – just like it already is on Mainnet.
You can find more details in this post:
https://forum.onflow.org/t/testnet-is-running-secure-cadence/3213

Related

PERMISSION_DENIED: Permission 'documentai.processors.processOnline' denied on resource '//documentai.googleapis.com/project...'(or it may not exist)."

ISSUE: I want to use the same Document AI custom-trained processor from several different projects. The approach I have in mind is to make API calls from each of those projects to a single service account that has the proper IAM roles. I have not been able to successfully set up a service account to access the AI processor we trained.
SUMMARY: I have three different projects:
DEV
STAGING
DOCUMENT AI PROCESSING
The **DOCUMENT AI PROCESSING** project contains the Document AI processor which was custom-trained, and the 2 other environments listed above need to access the same endpoint. I cannot find the right way to configure this. At the moment I am getting the following error: PERMISSION_DENIED: Permission 'documentai.processors.processOnline' )
BACKGROUND:
(1) I created a service account
(2) I granted this service account access to the project, but did not grant any users access to the service account (item 3 in the screenshot)
(3) service account created successfully
(4) I added (as a principal) the newly created service account to the DEV project and assigned it *EXACTLY* the same roles as what it has in the DOCUMENT AI PROCESSING project
(5) the service account has been granted access to the DEV project
What I expect to happen is to be able to use the Document AI processor which is located in the DOCUMENT AI PROCESSING project from the DEV project. However, I am still receiving the same error: PERMISSION_DENIED: Permission 'documentai.processors.processOnline' denied on resource '//documentai.googleapis.com/project...'(or it may not exist)."
After many hours, I am stumped and I am grateful to anyone that can provide an explanation of what I am getting wrong.
As mentioned in the comment exchange of #Kolban and #bismar eyner esquivel ortuste, the correct permissions needed must be added to the Authorization Scope.
You may refer to this Document AI IAM roles documentation for the full list of roles for the API and refer to Document AI Processor REST API documentation for more information.
Posting the answer as community wiki for the benefit of the community that might encounter this use case in the future.
Feel free to edit this answer for additional information.

Failure to add contract to account on mainnet via the CLI

My team and I have been working on an NFT distribution app utilizing the Flow blockchain. We have everything working and are ready for our first event, but I am having a very difficult time getting everything set up on mainnet. It is working great on testnet, but I am stuck at the first step in moving it over to mainnet: getting my contracts onto our account. Here is what I have done.
Created an account at port.onflow using blocto
Switched my blocto account to non custodian
Generated a new key in the account
Updated my flow.json file on my local system with the keys and settings according to this tutorial https://docs.onflow.org/flow-cli/configuration/#advanced-format-1
Attempted to add my contract to the account using the CLI
When I run this command
flow -n mainnet accounts add-contract NFTController \NFTController.cdc --signer mainnet-account
I get this error
Command Error: [Error Code: 1006] invalid proposal key: public key 0 on account e76dc37433d8ce45 does not have a valid signature: [Error Code: 1009] invalid envelope key: public key 0 on account e76dc37433d8ce45 does not have a valid signature: signature is not valid
You can see this on the chain at
Transaction ID: 1b6186a61095a8dba90e39c1ae862c3fccdf2f7bd2e2300253f64f44f3024931
When I created my account on testnet I used https://testnet-faucet.onflow.org/ and used the private key that I used when creating the account to sign all transactions. I did not need to generate additional keys. Everything else in the process was the same and ran w/o issues.
My question is twofold.
Is there a way to generate a non-custodian account on Flow mainnet w/o already having an existing account, such as what I did on https://testnet-faucet.onflow.org/?
Is the format https://docs.onflow.org/flow-cli/configuration/#advanced-format-1 correct for CLI v 0.33.0? If not, what format should I be using?
Any help would be greatly appreciated.

How to restore permission when I am the admin of the project?

After mistakenly adding myself to the wrong role, I am no longer able to access "IAM & admin".
While trying to extract BigQuery tables to Google Storage, I received the following error:
bq extract --compression GZIP Dataset.TableName gs://tableName_*.csv.gz
Waiting on bqjob_r4250d44ecf982a22_00000169c666b451_1 ... (23s) Current status: DONE
BigQuery error in extract operation: Error processing job 'Dataset:bqjob_r4250d44ecf982a22_00000169c666b451_1': Access Denied: BigQuery BigQuery: Permission denied while writing data.
I thought I might have a permission issue, so I changed my role in Google Cloud. I don't remember what role I changed to. It may be owner or creator.
After that, I am not able to access the project in BigQuery, or the "IAM & Admin" page.
bq extract --compression GZIP Dataset.TableName gs://tableName_*.csv.gz
BigQuery error in extract operation: Access Denied: Project projectName: The user myemail#xxx.com does not have bigquery.jobs.create permission in project projectName.
Since I am the admin of this account, there is no other person who has the access. What options do I have to restore the access?
Thank you in advance.
For this case, please open a case through the billing support form, and for "How can we help?" select "other." https://support.google.com/cloud/contact/cloud_platform_billing
This way, I can follow up with you in private and get the details necessary to move forward. Please let me know once you submit the case and what your case number is so I can follow up.
Edit: For anyone else viewing this issue, the above method is just for this case and not the correct avenue of support for this problem. If you have a support package and you have this issue, please reach out through normal channels.
Thanks,
Hunter,
GCP Billing

NodeRED bluemix/IBM Cloud starter installation fails with IAM error

The installation of the NodeRED bluemix/IBM Cloud starter application fails with an IAM error message complaining about insufficient rights:
FAILED
Server error, status code: 502, error code: 10001, message: Service broker error: You do not have the required permission to create an instance. You must be assigned the IAM Editor role or higher. Contact the account owner to update your access.
Does anybody know how to fix this issue?
Looks like you don’t have the proper IAM access permission. If you are the owner of the account, you can set the required permissions following the steps in this link. If you are not the owner, ask the account owner for the permissions.
For best practices, refer to this solution tutorial.
The issue was actually related to the fact that the bluemix starter application tries to create a lite plan instance of cloudant. In my case, that was not possible because there already was such an instance and you are allowed only one per CF organization.
The solution was to patch the pipeline.yml to create a standard plan instance:
cf create-service cloudantNoSQLDB Standard "${CLOUDANT_NAME}"

Call Microsoft Graph API - App only unauthorized error

I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an access token, but when using it to make a request to get organization information (requires Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
In this SO post's answer, there is mention of still needing to consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue occurs because the app was created by a non-admin; when they visit the portal, they will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. This is different from the co-administrator. To use the client credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if this is just for testing purposes, you can create a free tenant and register the application yourself.
Update
We need to assign the Global administrator directory role, as in the figure below, to make the application work for the client credential flow:
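Added example (not part of the original question or answer, nor of the linked sample code): a diagnostic that decodes an access token's payload, without verifying the signature, to see whether an application permission was actually granted. It assumes Azure AD's claim conventions (`roles` for application permissions, `scp` for delegated ones) and that "Read Directory Data" corresponds to the Graph permission `Directory.Read.All`; the sample tokens are constructed.

```python
import base64
import json

# Assumption: Graph application permission behind "Read directory data".
REQUIRED_ROLE = "Directory.Read.All"


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. Diagnostic only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, required: str = REQUIRED_ROLE) -> str:
    """Classify a token by the permission claims it carries."""
    claims = decode_claims(token)
    if "scp" in claims:
        return "delegated token (scp claim present), not app-only"
    roles = claims.get("roles", [])
    if not roles:
        return "app-only token without roles: admin consent not granted"
    if required not in roles:
        return f"app-only token lacks {required}; granted: {', '.join(roles)}"
    return f"app-only token carries {required}"


def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned token for demonstration purposes."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


# Constructed samples: before and after a tenant admin grants the permission.
NO_CONSENT = make_sample({"aud": "https://graph.microsoft.com", "appid": "example"})
CONSENTED = make_sample({"aud": "https://graph.microsoft.com",
                         "roles": ["Directory.Read.All"]})

if __name__ == "__main__":
    print(diagnose(NO_CONSENT))
    print(diagnose(CONSENTED))
```

A token obtained through the client credential flow that shows no `roles` claim here will be rejected by Graph regardless of what the portal's permission list displays.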