I'm trying to make a request in Go client.AnnotateVideo(ctx, &annotateVideoRequest) to the Google Cloud Video Intelligence API using the package cloud.google.com/go/videointelligence/apiv1.
I noticed that if I'm on a Google VM, i don't need any credentials or environment variable because the API says:
For API packages whose import path is starting with "cloud.google.com/go",
such as cloud.google.com/go/storage in this case, if there are no credentials
provided, the client library will look for credentials in the environment.
But I guess I can't authenticate because I'm running a Docker Container inside the Google VM, and I don't know if I really need a credentials file in that docker container, because I don't know if the library automatically creates a credentials file, or it just check if there is a $GOOGLE_APPLICATION_CREDENTIALS and then use that (But that makes no sense. I'm on a GOOGLE VM, and I'm supposed to have that permission).
The error is:
PermissionDenied: The caller does not have permissions
Some links that might be helpful:
https://pkg.go.dev/cloud.google.com/go/storage
https://cloud.google.com/docs/authentication#environment-service-accounts
https://cloud.google.com/docs/authentication/production#auth-cloud-implicit-go
https://cloud.google.com/video-intelligence/docs/common/auth#adc
Thanks in advance!
Related
Due to security policy, connecting to AWS programmatically with PowerShell using an Access/Secret Key is not allowed at our organization anymore, and needs to be replaced with AWS SSO. But I didn't find any clear documentation on how to actually connect to AWS with PowerShell, using AWS SSO. On AWS official documentation for PowerShell Cmdlets, I can see a cmdlet named: Close-SSOSession, which is very straight forward about what is does. but which cmdlet is used to open the session in the first place? I would expect something like: Open-SSOSession. I also need to mention, that we are not allowed to install AWS CLI V2 on our Windows servers, as only the AWS PowerShell Module is approved to use by developers.
I am trying to get oAuth2.0 token to the protected resource using InteractiveBrowserCredential flow.
This is working from my local jupyter notebook however when i am trying to run it from Databricks notebook, it is unable to open browser (as Databricks cluster has no browser installed) and giving me below message
Found no browser in current environment. If this program is being run inside a container which has access to host network (i.e. started by `docker run --net=host -it ...`), you can use browser on host to visit the following link. Otherwise, this auth attempt would either timeout (current timeout setting is None) or be aborted by CTRL+C. Auth URI: https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?client_id={client_id}&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A44093&scope={resource_id}%2Fuser_impersonation+offline_access+openid+profile&state=EvgdkFcNZTuJG&code_challenge=KR8zwfjhkuKYTGSlbaYAJNLVjXZHiE&code_challenge_method=S256&nonce=33a1a12813342535455f398GHATf9c2cf21a8&client_info=1
I am trying to find out if there a way i can make it work, (by somehow using public redirect_uri to the Databricks cluster and driver node or in similar way). I can alternatively use device_code flow (it is working) however i want to see if i can by-pass one extra step of entering device code and directly authenticate using browser.
Please find the sample code i am using now below
import msal
app = msal.PublicClientApplication(self.CLIENT_ID, authority=self.AUTHORITY,token_cache= msal.TokenCache())
result = app.acquire_token_interactive(scopes=self.SCOPE)
I am running an application inside of Docker that requires me to leverage google-bigquery. When I run it outside of Docker, I just have to go to the link below (redacted) and authorize. However, the link doesn't work when I copy-paste it from the Docker terminal. I have tried port mapping as well and no luck either.
Code:
credentials = service_account.Credentials.from_service_account_file(
key_path, scopes=["https://www.googleapis.com/auth/cloud-platform"],
)
# Make clients.
client = bigquery.Client(credentials=credentials, project=credentials.project_id,)
Response:
requests_oauthlib.oauth2_session - DEBUG - Generated new state
Please visit this URL to authorize this application:
Please see the available solutions on this page, it's constantly updated.
gcloud credential helper
Standalone Docker credential helper
Access token
Service account key
In short you need to use a service account key file. Make sure you either use a Secret Manager, or you just issue a service account key file for the purpose of the Docker image.
You need to place the service account key file into the Docker container either at build or runtime.
I am trying to use the snowflake connector inside docker container. I want to use the externalbrowser authenticator so that I can make connection using Okta credentials but the connector is failing with below mentioned error.
DatabaseError: (snowflake.connector.errors.DatabaseError) 250008 (08001): None: Failed to connect to DB: xx.snowflakecomputing.com:443, Unable to open a browser in this environment.
(Background on this error at: http://sqlalche.me/e/13/4xp6)
As an aside, I'd recommend removing your account name from the question (shown in the error).
You are correct that the "externalbrowser" option is a browser-based SSO. It might be possible to get this running a docker container with some extended software and configuration, but I wouldn't recommend it as it doesn't seem worth the effort.
Instead, there's alternative SSO authentication methods you can look at such as Native SSO Okta, key-pair authentication, or external OAuth. These won't require the browser.
I read everything in this post and multiple others but nothing is working... I cannot use Google Credentials to access my git Repo in Google Cloud Platform
I have Jenkins running in a Docker Container in Google Cloud Platform. I have Source Code in a Google Cloud Repository that I want to use for a Build.
On the Google Cloud Platform side I created a Service User, gave the User the following Roles:
Project Worker
Source-Repository Admin
Storageobject creator
ComputeEngine creator
I created the JSON File and downloaded it.
On The Jenkins Side I installed the Google OAuth Credentials and the Google Container Registry Auth Plugin.
I added new Credentials "Google Service Account from private key" and added the json file.
So, if I now want to create a new Job (Freestyle or pipeline does not matter) I see the following:
I see the credentials I created but for the "Google Container Registry". As soon as I add the repository URL, "https://source.developers.google.com/p...." The Drop-down is cleared and all is gone.
I also took a look at the credentials.xml and job file, to see, if I can rewrite there something by myself. The Google Credentials do not have an credentialId like others...
<com.google.jenkins.plugins.credentials.oauth.GoogleRobotPrivateKeyCredentials plugin="google-oauth-plugin#0.6">
<module/>
<projectId>testprojekt</projectId>
<serviceAccountConfig class="com.google.jenkins.plugins.credentials.oauth.JsonServiceAccountConfig">
<jsonKeyFile>/var/jenkins_home/gauth/key8529180263669390055.json</jsonKeyFile>
</serviceAccountConfig>
</com.google.jenkins.plugins.credentials.oauth.GoogleRobotPrivateKeyCredentials>
I'm currently out of ideas... would be happy for any hint.
Thank you!