Unable to set notifications for bucket - google-cloud-storage

I am using the golang storage API to add notifications to my bucket.
https://godoc.org/cloud.google.com/go/storage#BucketHandle.AddNotification
I am getting the following error: Unable to set notifications for bucket: googleapi: Error 403: The service account 'dev-lm#gs-project-accounts.iam.gservice
account.com' does not have permission to publish messages to to the Cloud Pub/Sub topic '//pubsub.googleapis.com/projects/dev-lm/topics/local_sanket_ms-transcript-incoming', or that topic does not exist., forbidden
Clearly, its a permission issue. Although -- I am not sure why the service account looks like that. I am not sure where this account is being construed from or how do I override it with an account I know is valid. Any hints where to look?

Related

Azure media service v3 - Create job with sas url is failing due to Access issue

I'm trying to create a asset from code, but i'm getting below error:
{
"error": {
"code": "Conflict",
"message": "The server received a 403 Forbidden error when accessing Azure Storage. Please check your permissions to the storage accounts linked to the media account.",
"details": [
{
"code": "AuthorizationFailure",
"message": "The server received a 403 Forbidden error when accessing Azure Storage. Please check your permissions to the storage accounts linked to the media account."
}
]
}
}
Also, I tried directly in portal with generated sas url, though I'm facing access issue, I can confirm AAD service principle has assigned "contributor" role, but still I get error.
Error:
The client 'xx' with object id 'xx' does not have authorization to perform action 'Microsoft.Media/mediaservices/assets/write' over scope '/subscriptions/xx/resourceGroups/xx/providers/Microsoft.Media/mediaservices/itskssearchmediadev/assets/ignite-mp4-20220207-192422' or the scope is invalid. If access was recently granted, please refresh your credentials.
What else permission do I need to provide?
Note: I also tried with my personal a/c which has full access, it works there.
The Storage Account Contributor role permits management of storage accounts (e.g., creating and deleting storage accounts), but it does not permit access to data in the storage account.
To allow Media Services to write to the storage account, the Managed Identity must be granted a role that has access to the storage account data, for example, Storage Blob Data Contributor.

Google Cloud Composer Environment Setup Error: Connect to Google Cloud Storage

I am trying to create an environment in Google Cloud Composer. Link here
When creating the environment from scratch and selecting all the default fields, the following error appears:
CREATE operation on this environment failed 22 hours ago with the following error message:
CREATE operation failed. Composer Agent failed with: Cloud Storage Assertions Failed: Unable to write to GCS bucket.
GCS bucket write check failed.
I then created a google cloud storage bucket within the same project to see if that would help and the same error still appears.
Has anyone been able successfully create a Google Cloud Composer environment and if so please provide guidance on why this error message continues to appear?
Update: Need to update permissions to allow access it seems like. Here is a screenshot of my permissions page but not editable.
It seems like you haven't given the required IAM policies to the service account. I would advise you to read more about the IAM policies on Google Cloud here
When it comes to the permissions of the bucket, there are permissions like the Storage Object Admin that might fit your needs.

Error: The access token is from the wrong issuer 'https://sts.windows.net/***/'

Recently changed azure subscription and I need to add the same in Azure DevOps – service connection. When trying to create new service connection for the changed subscription I am getting below error -
Failed to query service connection API: 'https://management.azure.com/subscriptions/{id}/resourcegroups?api-
version=2016-02-01'. Status Code: 'Unauthorized', Response from
server:
'{"error":{"code":"InvalidAuthenticationTokenTenant","message":"The
access token is from the wrong issuer
'https://sts.windows.net/{id}/'. It must match the tenant
'https://sts.windows.net/{id}/' associated with this
subscription. Please use the authority (URL)
'https://login.windows.net/{id}' to get the token. Note, if the
subscription is transferred to another tenant there is no impact to
the services, but information about new tenant could take time to
propagate (up to an hour). If you just transferred your subscription
and see this error message, please try back later."}}'
With the subscription - azure active directory is also changed. Do I need to change AD in AzureDevops? or How do I resolve this error?
Thanks.
If your subscription is in another tenant, you may need to change it.
See : https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/change-azure-ad-connection?view=azure-devops

NodeRED bluemix/IBM Cloud starter installation fails with IAM error

The installation of the NodeRED bluemix/IBM Cloud starter application fails with an IAM error message complaining about insufficient rights:
FAILED
Server error, status code: 502, error code: 10001, message: Service broker error: You do not have the required permission to create an instance. You must be assigned the IAM Editor role or higher. Contact the account owner to update your access.
Does anybody know how to fix this issue?
Looks like you don’t have proper IAM access permission. If you are the owner of the account, you can set the required permissions following the steps in this link .If you are not the owner ask the account owner for the permissions.
For best practices, refer this solution tutorial
The issue was actually related to the fact that the bluemix starter application tries to create a lite plan instance of cloudant. In my case, that was not possible because there already was such an instance and you are allowed only one per CF organization.
The solution was to patch the pipeline.yml to create a standard plan instance:
cf create-service cloudantNoSQLDB Standard "${CLOUDANT_NAME}"

403 forbidden error when using service account with pub/sub publisher role

Created a service account with 1 role : Pub/Sub Publisher.
trying to publish a message to a topic I get :
{ message: 'User not authorized to perform this action.',
domain: 'global',
reason: 'forbidden' }
when using a project-owner service account I succeed in publishing the message.
tried using both google-cloud and googleapis node packages and with both I faced the same behaviour.
What am I doing wrong?
Thanks.
When I went to the specific topic -> permissions , I saw the service account appear as inherit permission , I then added the service account's client_email specifically with the same role (pub/sub publisher) and saw the inherited changed to "mixed" , tried again and succeeded.