Unable to view API Connect Cloud Foundry page - ibm-cloud

I have been given access to the an IBM Public Cloud (Dallas) 'Organization' and an API Connect Cloud Foundry resource (say, apic-dev). However, when I access the apic-dev resource from the 'Resource List', I see a blank page. I've tried all browsers - chrome, firefox and safari. I am able to access all other resource types. This occurs only with 'API Connect' offering resource type. I have also confirmed that I've been given all user access needed by the administrator.
To verify if this is an access issue, I tried creating my own API Connect Cloud Foundry resource in my own IBM Cloud Organization, and got the exact same blank page behavior.
Please help. Thanks!

You need to open a private window in your browser or delete all the cookies.
I had the same problem and I always open the API Manager in a private window.

Related

IBM Cloud API Connect Secure Gateway

Recently, I started seeing an issue when trying to setup secure gateway within API Connect on IBM Cloud, I previously had it working but looks like they changed this wizard interface and its broken since then
here is what I did to recreate the issue:
Setup new APIC instance on IBM Cloud
API connect Manager UI > Admin > Secure Gateways > Add (name & save)
once created, in Secure Gateway Clients section, click on +Set Up
I see no ID or Token generated
no matter what type of client I choose (DataPower, Docker or Installer)
Anyone facing the same issue?
Empty ID and Token when trying to setup Secure Gateway Client
turned out that creating SecureGateway from within the APIC is deprecated feature anyway.
you will need to create standalone SecureGateway resource on Bluemix and call it from your API assembly.
here is the instructions
https://www.ibm.com/support/knowledgecenter/en/SSFS6T/com.ibm.apic.apionprem.doc/task_api_secure_gateway.html

Cannot give Google CDN service account to Bucket

I am trying to give the Google CDN service account access to my bucket as said here: https://cloud.google.com/cdn/docs/using-signed-urls
gsutil iam ch serviceAccount:service-{PROJECT_NUMBER}#cloud-cdn-fill.iam.gserviceaccount.com:objectViewer gs://{BUCKET}
But the response is:
BadRequestException: 400 Invalid argument
Adding it via the cloud console is also impossible, it says "Email addresses and domains must be associated with an active Google Account or Google Apps account."
Am I missing something or is this a bug?
The Cloud CDN cache fill service account is created when you enable signed URLs. The error message suggests there's a problem with the project number or you haven't yet enabled signed URLs for that project. You can enable signed URLs by following the instructions at https://cloud.google.com/cdn/docs/using-signed-urls#creatingkeys. Make sure you enable signed URLs for a backend service or backend bucket in the same project you specify in the gsutil command.

Google Cloud Storage 500 Internal Server Error 'Google::Cloud::Storage::SignedUrlUnavailable'

Trying to get Google Cloud Storage working on my app. I successfully saved an image to a bucket, but when trying to retrieve the image, I receive this error:
GCS Storage (615.3ms) Generated URL for file at key: 9A95rZATRKNpGbMNDbu7RqJx ()
Completed 500 Internal Server Error in 618ms (ActiveRecord: 0.2ms)
Google::Cloud::Storage::SignedUrlUnavailable (Google::Cloud::Storage::SignedUrlUnavailable):
Any idea of what's going on? I can't find an explanation for this error in their documentation.
To provide some explanation here...
Google App Engine (as well as Google Compute Engine, Kubernetes Engine, and Cloud Run) provides "ambient" credentials associated with the VM or instance being run, but only in the form of OAuth tokens. For most API calls, this is sufficient and convenient.
However, there are a small number of exceptions, and Google Cloud Storage is one of them. Recent Storage clients (including the google-cloud-storage gem) may require a full service account key to support certain calls that involve signed URLs. This full key is not provided automatically by App Engine (or other hosting environments). You need to provide one yourself. So as a previous answer indicated, if you're using Cloud Storage, you may not be able to depend on the "ambient" credentials. Instead, you should create a service account, download a service account key, and make it available to your app (for example, via the ActiveStorage configs, or by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable).
I was able to figure this out. I had been following Rail's guide on Active Storage with Google Storage Cloud, and was unclear on how to generate my credentials file.
google:
service: GCS
credentials: <%= Rails.root.join("path/to/keyfile.json") %>
project: ""
bucket: ""
Initially, I thought I didn't need a keyfile due to this sentence in Google's Cloud Storage authentication documentation:
If you're running your application on Google App Engine or Google
Compute Engine, the environment already provides a service account's
authentication information, so no further setup is required.
(I am using Google App Engine)
So I commented out the credentials line and started testing. Strangely, I was able to write to Google Cloud Storage without issue. However, when retrieving the image I would receive the 500 server error Google::Cloud::Storage::SignedUrlUnavailable.
I fixed this by generating my private key and adding it to my rails app.
Another possible solution as of google-cloud-storage gem version 1.27 in August 2020 is documented here. My Google::Auth.get_application_default as in the documentation returned an empty object, but using Google::Cloud::Storage::Credentials.default.client instead worked.
If you get Google::Apis::ClientError: badRequest: Request contains an invalid argument response when signing check that you have dash in the project name in the signing URL (i.e projects/-/serviceAccounts explicit project name in the path is deprecated and no longer valid) and that you have "issuer" string correct, as the full email address identifier of the service account not just the service account name.
If you get Google::Apis::ClientError: forbidden: The caller does not have permission verify the roles your Service Account have:
gcloud projects get-iam-policy <project-name>
--filter="bindings.members:<sa_name>"
--flatten="bindings[].members" --format='table(bindings.role)'
=> ROLE
roles/iam.serviceAccountTokenCreator
roles/storage.admin
serviceAccountTokenCreator is required to call the signBlob service, and you need storage.admin to have ownership of the thing you need to sign. I think these are project global rights, I couldn't get it to work with more fine grained permissions unfortunately (i.e one app is admin for a certain Storage bucket)

API Management service in Bluemix can't be bound to CF application

I'm building a CloudFoundry application in Bluemix using the API Management service. For this I'm following this tutorial http://www.ibm.com/developerworks/cloud/library/cl-bluemix-api-mgmt-app/index.html.
I can successfully create an API Plan for a custom REST API application (running on a Liberty server on Bluemix as well) and it is published.
I can also create a service in my Bluemix dashboard using the new Custom API, which I take as the API plan was successfully deployed on Bluemix.
Whenever I try to bind this new service I get the following message:
BXNUI2055E: Unable to connect to Cloud Foundry because of the
following exception: "Read timed out." If the problem persists, see
the Troubleshooting topics in the IBM Bluemix Documentation to check
service status, review troubleshooting information, or for information
about getting help.
From time to time I also get this message
The service broker returned an invalid response for the request to
https://apimasv1-stage.stage1.mybluemix.net/d118dceb-edbf-4a7f-9bab-d44371b0c9f9/privateservices/v2/service_instances/1a60830c-0796-4105-afb4-e3477424acf9/service_bindings/ebb853dc-ec88-4987-b8f2-e9acd38d1741.
Status Code: 502 Bad Gateway, Body: 502 Bad Gateway: Registered
endpoint failed to handle the request.
Also, I can open the API portal and see the services listed in there. However, whenever I try to test the service, I get the following error
A security error has occurred. If using a self-signed certificate on
your gateway, you will need to accept it in your browser, which you
can do by clicking the following link.
https://api.wawona.apim.ibmcloud.com/victorshmx1ibmcom-dev/sb/LibraryREST/rs/authors/1
Also, below in the response I get this message:
NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to
load
'https://api.wawona.apim.ibmcloud.com/victorshmx1ibmcom-dev/sb/LibraryREST/rs/authors/1'.
I must clarify this service (the liberty app) doesn't have any security constraint to access the REST service nor I added some kind of security in the API Management portal.
Another thing to clarify is that I can bind other services, but not this one.
Does anyone know how I can fix those problems? Is there a known issue with IBM API Management service?
this seems to be an error with the service API Management instance you are trying to bind to.
You could open a ticket to support team following the link you can find here:
https://developer.ibm.com/bluemix/support/
Click on 'Contact IBM' and open a 'Support ticket'

Service Account Authentication fails with gsutil for DCM CS bucket(Google-owned API Console Project)

I've done an extensive research but I can't find a solution.
How can I enable Service Account Authentication for a project that is linked with Google's private owned Bucket for Double Click Manager data? (more info on the current setup of this project here https://support.google.com/dcm/partner/answer/2941575?hl=en&ref_topic=6107456&rd=1).
Separate user authentication works with gsutil(navigating to browser->get token->paste back in your cmd->issue commands) but when it comes to configuring a service account I keep getting
AccessDeniedException: 403 Forbidden
What am I missing? Since the Google documentation says that this specific bucket can't be listed under Cloud Storage for that project, then the project and the service account should be linked to that bucket by default so I can't see the issue here.
During set-up you should have created a Google Group to control access to your bucket. You should add the service account email address to that group, and it will then be able to access the bucket.