I've trained an image classification model using autoML API and now I would like to create a JAVA program that makes predictions of given images using that model. As mentioned in the docs, this API requires the OAuth scope: https://www.googleapis.com/auth/cloud-platform.
I don't need the user to login since I will not use any private data, so I decided to use service accounts and followed the steps in OAuth2 for service accounts to generate an access token.
The process goes well and I receive the reponse:
{"access_token": "access_token_string", "expires_in": 3600, "token_type": "Bearer"}
Then, I go back to send the post request for autoML prediction, and set the header "Authorization" to "Bearer access_token_string".
I have the error message
{"error":
{
"code": 403,
"message": "The caller does not have permission",
"status": "PERMISSION_DENIED"
}
}
I know that the prediction request is correct because I've tried it using an accessToken generated for web apps (just wanted to test).
So the problem is in the authorization part, I've checked that my service account have all the required permissions as well. I d'ont know where the problem is exactly, does anyone have an idea?
So since there are no answers, I contacted the Google Support Service, they told me that the below requests are correct, the problem is in allowing the service account to access my GCP project resources. This step is explained here
I've already went through this step but I should have missed something the first time, so I deleted the service account and restarted all the steps, it's working now!
I hope this will help someone :)
Related
First of all - sorry for my english, not my primary language.
We are trying to send some Pixel events from server (not from user browser), so we have an instructions from facebook: https://developers.facebook.com/docs/marketing-api/server-side-api
But stuck on step "Create Access Token", this section (Server-Side API for Web) is missing in Pixel's settings.
Also when we trying to make request to graph api to send some events we getting this error:
{
"error": {
"message": "(#3) This pixel is not enabled for this capability: SERVER_SIDE_EVENTS_CORE_FUNCTIONALITY",
"type": "OAuthException",
"code": 3,
"fbtrace_id": "AEWB5WGs0g_e21p2Qd1kZsX"
}
}
Is anyone managed to resolve this issue?
Mindesik,
At least before you had to be whitelisted (approved by FB) to be able to use server-side API from FB. It's usually not explicitly mentioned on the FB dev portal. If you have an FB representative for your business, try to ask them. Looking at the docs it looks quite promising, so the things might have changed.
Still, in case you've followed all the steps correctly and still getting this error this is most probably whitelisting issue that is implicitly required. The problem here is that to make FB aware of users associated with the events you send you have to send Personally identifiable information (PII) which would be a subject of strict compliance according to local laws in the EU and the US.
Here is what is says to me about debugging S2S events:
I'm using WSO2 1.10 and trying to integrate with Store REST API. The REST API is on v0.9. Until now, I could create an application and subscribe to an API. My problema is when I need to change the tier os this subscription. Following the recommended process, the subscription must be deleted and created again. Using the store page, works as expected, but using the API I got the following error:
{
"moreInfo": "",
"code": 403,
"error": [],
"description": "You don't have permission to access the subscription with Id {{UUID}}",
"message": "Forbidden"
}
The error happen when I use GET or DELETE methods to requests to:
{{BASE_URL}}/api/am/store/v0.9/subscriptions/{{UUID}}
It's important to say that others features like the creation of applications and subscriptions works as well, so I belevie that this behavior is a bug. There is some work around or configuration that can fix this?
I realized the problem. Using DELETE works as expected, the real problem is on GET /applications, that returns subscriptions from others tenant's, randomly. So when I try DELETE, I receive 403 because the subscription is ownered by another tenant.
There is no workaround that I could use, it was necessary think another business solution.
I try to read data from google sheet via http. I use v4 google spreadsheet api:
https://sheets.googleapis.com/v4/spreadsheets/1MZJEOzkzy5iJ9HPy2GU-Ky3vdaIzGGDQH8BMt4n3OGI/values/Sheet1!A1:D5
I get:
{
"error": {
"code": 403,
"message": "The request cannot be identified with a client project. Please pass a valid API key with the request.",
"status": "PERMISSION_DENIED"
}
}
Sheet is published online and everyone can edit it. It works on api v3 too.
First, make sure you have a permission to call this spreadsheet and you enable the Sheets API in your developer console. You can also try to change the privacy settings of this spreadsheet to public and checked if you can access it now. This 403 error is usually caused by incorrect or missed some configuration in Authorizing Requests. If you authorizing requests with OAuth 2.0, make sure you use the proper scope with it.
For more information, you can check this thread on how to debug your Google OAuth 2.0 token when you get HTTP 401s or 403s
You have to append the string "key=yourAPIkey" as query on your URI. The API key is generated in the developer's console
If you update application access scope you have to re-authenticate the application and update credentials.json.
In google-sheet quick start guide, they have started the tutorial with only read scope. If you want to write or update google-sheet later you will have to change the scope there and update the credentials.json again
Look carefully when you first authenticate it only giving permission to read. But if update scope and try to re-authenticate it will ask for permission to read and manage sheet permission.
In order to update the scopes, you need to remove the token file saved in TOKENS_DIRECTORY_PATH, execute the code again and log in. Then Oauth2 will give you the new updated tokens.
I want to create a command line tool to download and upload files to my Google Drive. I do not want to use any language that Google already provides api calls (Java, php, javascript, C#, etc..).
I will use Haskell but that is not relevant with the question.
What I want to do now is form a POST request to upload a file. My request now is something like this:
POST /upload/drive/v2/files?uploadType=media HTTP/1.1
Host: www.googleapis.com
Content-Type: */*
Content-Length: 5
Authorization: Bearer AIzaSy......jH683-FRO9GI
Cache-Control: no-cache
test1
and I get this response:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "authError",
"message": "Invalid Credentials",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Invalid Credentials"
}
}
Next to Authorization: I put the API Key I created from Google Developer's console.
I figured I have to do more than one requests to make this work. First I have to get an auth code, then use that code to get an auth token and then use that token to my post request.
How can I make that happen? Can someone give me a short example?
There are several possible issues:
#1
You shouldn't be sending the API key with your requests.
#2
Your key might have expired. They only last for 60 minutes.
#3
Your access might have been revoked. (But in your case, if you are able to get an access token, then this is not the case)
#4
You did not include an access token in your request.
I think your problem is a result of #1 or #4, but I listed the other possibilities for reference.
Edit #1:
To address the comment, I will explain the process Google uses to authenticate requests. This question addresses some of the process but I am going to rewrite some of it in the context of this question. (The linked question was asked by me and then later answered by me)
There are two main items you need to make a request to a Google API:
refresh_token - Used to get more access_tokens and never expires
access_token - Used to send API calls (example: upload a file) and expires every 60 minutes.
In order to get either of these you have to follow certain steps.
Obtain a OAuth 2.0 client ID through the Google Developers Console
Obtain an access token from the Google Authorization Server
Send the access token to an API
Refresh the access token, if necessary
More specific information about this "general" process can be found here.
The tricky step is getting the refresh token because once you have that stored in a secure location, you can do anything with simple httpRequests.
To get a refresh token, a user has to agree to give your project access to certain features. This is called scopes in Google language. You can do this in many different ways (according to Google):
There are several ways to make this request, and they vary based on
the type of application you are building. For example, a JavaScript
application might request an access token using a browser redirect to
Google, while an application installed on a device that has no browser
uses web service requests.
The one thing they don't tell you is that, in your case, it doesn't matter what medium you use to get the refresh_token because you are only using one account. The Google Drive API isn't really designed to be used like a server. It is designed to be used by a developer that wants to store information on each of its user's accounts. Like if you had a picture app, you could have a feature that stores edited picture on someone's personal Google Drive account.
What you (and many others who have recently asked about) want to do is essentially use a Drive account as a server. That means that the medium through which you get your refresh_token does not have to be related to the medium in which you are using the Drive Account.
For example in my specific case, I wanted a way to store user pictures on a server for free for an android app. I am using this free service called Parse to act as my database server, but they give you very limited file storage in their free tier.
Because of this, I decided to try and figure out how to use Google drive accounts to expand my storage. I created a generic gmail account something like "hostingaccount#gmail.com" to be the host of the files (15g for free).
To get my refresh_token, I setup a php server to authenticate that one account. When someone goes to the page I setup, they are prompted to login and then grant access to my project to use their Google Drive account (Specific scope: https://www.googleapis.com/auth/drive). I then setup the script to print the refresh_token for that account on the screen. I copied that string an put it into my server when now I can easily send httpRequests to:
https://www.googleapis.com/oauth2/v3/token/ to get an access token and to:
https://www.googleapis.com/upload/drive/v2/files to upload files.
I link it at the top of this edit, but this answer shows you how to get a refresh token using my php method. I never spent the time to try an figure out how to get a refresh token any other way, but if you read my whole long answer I think I mention that I believe that this can also be done with the Android Google Drive API.
I have tried to help so many people with this problem, maybe I should just start a blog and make a tutorial about it ;)
need help.
I tried to start with https://developers.facebook.com/docs/marketing-api/dynamic-product-ads/ads-management/v2.3
created account. Approved it by phone.
created a business account, an ad account, an app, and so on.
linked app to ad accont like this https://developers.facebook.com/docs/marketing-api/access#standard_accounts.
Now i tried to create product catalog. i am getting same error all the time:
The app is not whitelisted to use this API
i tried to call api to cteate/list/managment product catalog.
when i did, the same by UI - i can create product catalog & feed.
but by API - all time error.
i do not understand what it need?
now try to create product set:
GET /<product_catalog ID>/product_sets/?
access_token=<my access token from app with full rights get from exploer>
{
"error": {
"message": "(#200) The app is not whitelisted to use this API",
"type": "OAuthException",
"code": 200
}
}
try to create the same:
POST : /v2.3/<product_catalog ID>/product_sets/?access_token=<my access token from app with full rights get from exploer>&name=my new prod set
{
"error": {
"message": "(#275) Ad account cannot be determined for this request",
"type": "OAuthException",
"code": 275
}
}
So what Are the changes i needed to make it work?
is it any way to made api calls work correctly?
p.s.
i guess something wrong in settings - i run unit tests in SDK - have the same situation. i have read about that problems with game app - but my app - is not a game, so i cant use solution in my situation.
if some body understand what whitelist API want - please help!
Thanks.
Hopefully this helps someone else: I was also trying to create a Product Catalog via the API in Development, and got "The app is not whitelisted to use this API".
I solved it by creating an admin system user, and generating an access token with the business_management permission.
The error is explained by the documentation you linked to - unless your app is approved for Standard access to the API it can only access a specific number of ad accounts and those accounts need to be pre-configured in the app settings
Many of the business manager APIs can't be used because they're not tied to one of those pre-specified accounts (hence the Ad account cannot be determined for this request error).
In general, the business manager APIs likely won't work for you until your app has access at the standard level, though some will if they're account-specific
You can't be an app admin and a tester/developer at the same time. You should create another facebook account for tests.
This happens also when the access token used is not from your app which has Standard Access. Also, note the dev version of the same app will not work.