Creating domain Storage Buckets - google-cloud-storage

message: '{"ResourceType":"storage.v1.bucket","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"The
bucket you tried to create requires domain ownership verification.","reason":"forbidden"}],"message":"The
bucket you tried to create requires domain ownership verification.","statusMessage":"Forbidden","requestPath":"https://www.googleapis.com/storage/v1/b","httpMethod":"POST","suggestion":"Consider
granting permissions to 1058303916595#cloudservices.gserviceaccount.com"}}'
Above is the message when I tried to create storage buckets via Deployment Manager. I already tried adding 1058303916595#cloudservices.gserviceaccount.com to the Verified owners of that domain on the Google Search Console, but still no luck.

To create a Storage Bucket with a domain name, your account should be a verified owner of the domain, not the cloudservices.gserviceaccount.com. Additional information can be found in the Domain-Named Bucket Verification documentation.
You have to log in to your domain name provider with the same account that you use to log in to the Google Cloud Console. Then request a new domain name and go to the Google Cloud Console App Engine page. Go to Settings, then click on Custom domains and then Add a custom domain. After adding the domain name there and verifying it, you will be able to create a bucket using that domain as its name. But make sure to do so with the same account that the domain was verified with.
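
Added example, not part of the original thread: Python that unpacks the nested Deployment Manager error shown in the question and labels bucket-creation failures caused by domain ownership, so they can be triaged separately from ordinary IAM 403s. The function names and triage labels are this example's own; the two message strings it matches are the ones quoted on this page.

```python
import json
import re

# The error text from the question, kept with its hard line wraps. The wraps
# fall inside JSON string values, so strict parsing fails until they are joined.
WRAPPED = '''{"ResourceType":"storage.v1.bucket","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"The
bucket you tried to create requires domain ownership verification.","reason":"forbidden"}],"message":"The
bucket you tried to create requires domain ownership verification.","statusMessage":"Forbidden","requestPath":"https://www.googleapis.com/storage/v1/b","httpMethod":"POST","suggestion":"Consider
granting permissions to 1058303916595#cloudservices.gserviceaccount.com"}}'''

# Message fragments mapped to a triage label (labels are this example's own).
KNOWN = {
    "requires domain ownership verification": "domain-unverified",
    "is a domain name owned by another user": "domain-owned-by-other-account",
}

def parse_dm_error(text):
    """Unpack the nested Deployment Manager error into a flat summary."""
    outer = json.loads(re.sub(r"\s*\n\s*", " ", text.strip()))
    inner = outer.get("ResourceErrorMessage", {})
    errors = inner.get("errors", [])
    msgs = [inner.get("message")] + [e.get("message") for e in errors]
    hint = re.search(r"granting permissions to (\S+)", inner.get("suggestion", ""))
    return {
        "resource_type": outer.get("ResourceType"),
        "status": int(outer.get("ResourceErrorCode", 0)),
        "request": f'{inner.get("httpMethod")} {inner.get("requestPath")}',
        "reasons": sorted({e["reason"] for e in errors if e.get("reason")}),
        "messages": sorted({m for m in msgs if m}),
        # Identity named in the API's own suggestion, reported as-is.
        "suggested_principal": hint.group(1) if hint else None,
    }

def classify(summary):
    """Label 403s on bucket creation that stem from domain ownership."""
    if summary["resource_type"] != "storage.v1.bucket" or summary["status"] != 403:
        return "other"
    for msg in summary["messages"]:
        for fragment, label in KNOWN.items():
            if fragment in msg:
                return label
    return "forbidden-other"

if __name__ == "__main__":
    summary = parse_dm_error(WRAPPED)
    print(classify(summary), summary)
```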

Related

How to control service account display name in Google Admin Domain-wide Delegation?

I am facing an issue with the client name displayed in Google Admin > Security > API controls > Domain-wide Delegation.
Let's say I have created a service account on Google Cloud Platform:
When I authorize a scope for that service account on Google Admin side (different workspace), the name displayed doesn't match anything I have typed:
For the record, this M Connector descriptor was used before for another service account in the same Google Project (or another project of same Google Workspace, don't remember exactly), but clearly today I don't have any service account matching this in my Google Project.
Is there a way to control the name displayed in the Google Admin Domain-wide Delegation list?
The API Client Name that is displayed in your Domain-wide delegation is actually the name of your App in your OAuth Consent Screen.
my service account:
my domain-wide delegation:

Access to AmazonWorkspaces

I am setting up an Amazon Workspace instance, and need to provide the user with a password to log in. The invite email only contains the registration code.
How do I set up a user password to enable the user to log in to Amazon workspace only (no console access)?
I am creating an AmazonWorkspace from a custom bundle, and adding a user to Simple AD.
Individual workspaces created in Amazon WorkSpaces are assigned to, and used by, individuals who are defined in a Directory.
From Manage Directories for Amazon WorkSpaces:
Amazon WorkSpaces uses a directory to store and manage information for your WorkSpaces and users. You can use one of the following options:
AD Connector — Use your existing on-premises Microsoft Active Directory. Users can sign into their WorkSpaces using their on-premises credentials and access on-premises resources from their WorkSpaces.
Microsoft AD — Create a Microsoft Active Directory hosted on AWS.
Simple AD — Create a directory that is compatible with Microsoft Active Directory, powered by Samba 4, and hosted on AWS.
Cross trust — Create a trust relationship between your Microsoft AD directory and your on-premises domain.
If you have your own Active Directory, then use it. If you do not have Active Directory, the simplest option is to choose Simple AD, which is an Active Directory-compatible Samba service. (Charges apply)
The user is selected when the WorkSpace is created. Amazon WorkSpaces will send a registration code to the end user. The end user then uses an Amazon WorkSpaces client to connect with the service. They provide the Registration Code to configure the client (once only), then log in with their AD credentials.
To set the user password for AmazonWorkspace, set the user password in the WorkMail application for that user. Directory service manages users for both AmazonWorkspaces and WorkMail, and the password is shared across both.
The user must exist, but can be disabled. The email address can be anything; in my case users do not use AWS email.
Users defined in IAM are not visible from AmazonWorkspaces and WorkMail. If a user has console, S3, EC2, etc. access in addition to Workspace, they would need to be defined separately in IAM and Directory.

Service Account Authentication fails with gsutil for DCM CS bucket(Google-owned API Console Project)

I've done extensive research but I can't find a solution.
How can I enable Service Account Authentication for a project that is linked with Google's privately owned Bucket for Double Click Manager data? (More info on the current setup of this project here: https://support.google.com/dcm/partner/answer/2941575?hl=en&ref_topic=6107456&rd=1).
Separate user authentication works with gsutil (navigating to browser -> get token -> paste back in your cmd -> issue commands), but when it comes to configuring a service account I keep getting
AccessDeniedException: 403 Forbidden
What am I missing? Since the Google documentation says that this specific bucket can't be listed under Cloud Storage for that project, then the project and the service account should be linked to that bucket by default so I can't see the issue here.
During set-up you should have created a Google Group to control access to your bucket. You should add the service account email address to that group, and it will then be able to access the bucket.

Custom domain for Google Storage Bucket

I cannot figure out why I'm experiencing issues with buckets set up to serve content under a custom domain. I have a few that work just fine, a few others that were working before and do not now, and a few I'm struggling to set up from scratch and cannot make work.
Here's what I do:
I set up an app on Google App Engine.
I set up a bucket named gcs.domain.com, which prompts me to verify the domain first with Google Webmasters Tools and a domain TXT record - after that I'm able to create a bucket.
I set up a CNAME to be able to access the bucket under my custom domain.
I add the Service Account Name as an owner of the bucket, so my app can write to and read from it.
When I run my app I get PHP Fatal error Invalid Google Cloud Storage path: gs://gcs.domain.com CloudStorageStreamWrapper.php on line 327
I cannot pinpoint why. This scenario works on some of the domains and apps and does not on others. I can set up a bucket with a regular name that works just fine. The problem seems to be only with custom domain buckets.

Cannot create bucket even if another user no longer owns the bucket name

We are transferring a Google Cloud Storage bucket name (naked domain name) from one user to another. Since we no longer have the active account that owns the bucket name, the bucket was deleted from Google Cloud Storage. We then tried to recreate the same bucket name, but the console panel continues to deny creating the bucket, with the following error.
The bucket you tried to create is a domain name owned by another user.
It has been several days since the bucket was deleted.
In order to create a bucket that maps to a domain name, the account creating the bucket must be the registered owner of the domain name. Presumably the old account is registered as the owner of the domain. You're going to want to have the new account go through the domain verification process at Google Webmaster Tools: https://www.google.com/webmasters/tools/
Here's some more documentation about how to claim ownership of the domain name: https://support.google.com/webmasters/answer/35179