I have some simple Python code running as a REST service I use to automate the creation of Google calendar entries. The auth part of the code looks like this:
store = file.Storage('token.json')
creds = store.get()
if not creds or creds.invalid:
flow = client.flow_from_clientsecrets('credentials.json', SCOPES)
creds = tools.run_flow(flow, store)
calendar_service = build('calendar', 'v3', credentials=creds)
I'm attempting to move this to an AWS Lambda function. The same code running as a Lambda function results in the following error.
[ERROR] OSError: [Errno 30] Read-only file system: 'token.json'
Traceback (most recent call last):
File "/function/app-google-calendar.py", line 54, in handler
insert_result = calendar_service.events().insert(calendarId=MENU_CALENDAR_ID, body=new_event).execute()
File "/function/googleapiclient/_helpers.py", line 131, in positional_wrapper
return wrapped(*args, **kwargs)
File "/function/googleapiclient/http.py", line 922, in execute
resp, content = _retry_request(
File "/function/googleapiclient/http.py", line 190, in _retry_request
resp, content = http.request(uri, method, *args, **kwargs)
File "/function/oauth2client/transport.py", line 186, in new_request
credentials._refresh(orig_request_method)
File "/function/oauth2client/client.py", line 761, in _refresh
self._do_refresh_request(http)
File "/function/oauth2client/client.py", line 802, in _do_refresh_request
self.store.locked_put(self)
File "/function/oauth2client/file.py", line 85, in locked_put
f = open(self._filename, 'w')
The root cause appears to be pretty clear. To wit, Lambda file system is read only. I however have been unable to find documentation or an example for how to do this oauth dance without requiring file system write access.
Using ssm or secrets manager for storing credentials or even environment variables is much better then using files. This can get complicated.
parameter = client.get_parameter(Name='/Google/token', WithDecryption=True)
print(parameter)
return parameter ['Parameter']['Value']
In the course of debugging this I ended up with some other strange errors, and in investigating those discovered that my root cause was a mismatch in architectures between my Mac and Lambda. I added --platform=linux/amd64 to my docker build command.
This still didn't my original file system R/W issue with the JSON token file. /tmp is writable, but it looks like it is wiped clean at image startup, so putting the credential files there when building your image doesn't work. I ended up adding the following to handler:
def handler(event, context):
# Note moving token.json and credentials.json from same directory as python code to /tmp
# because python code directory is not R/W and the Oauth dance to auth to google requires
# the token file to be rewritten. Do this only if in lambda environment. We need to do this here and
# not when the image is built, because /tmp seems to be wiped when the function image is starting
if len(event) > 0:
# We know we're in the lambda environment
copyfile('/function/token.json', '/tmp/token.json')
store = file.Storage('/tmp/token.json')
else:
# running locally
store = file.Storage('token.json')
Related
Environment details
OS type and version:
Python version: 3.9.0
pip version: 22.0.4
google-api-python-client version: 2.48.0
Description
Hi, I'm running into an error when trying to fetch the Google Play Console reports of our mobile apps (such as installations, errors etc.). I first tried with this manual but it seems to be outdated and didn't work. So after some research I changed it similar to this one, that it fits to the current google api (see code snippet below).
Steps I have done:
Created a project on "console.cloud.google.com"
Created the service account
Created the json key file
Invited the service account on play.google.com/console and gave him full admin rights (normally "see app information and download bulk reports" should be enough)
Added the role "Storage Object Viewer" to the Service account in https://console.cloud.google.com/iam-admin/iam?authuser=1&project=myproject
waited for 24h to make sure there are no errors because of syncs or so.
(I anonymized some of the values below).
Code example
from googleapiclient.discovery import build
from google.oauth2 import service_account
scopes = ['https://www.googleapis.com/auth/devstorage.read_only','https://www.googleapis.com/auth/cloud-platform.read_only']
key_file_location = 'files/access_token/mykeyfile.json'
cloud_storage_bucket = r'pubsite_prod_rev_00123456789'
report_to_download = 'installs/installs_com.my.app_202201_country.csv'
creds = service_account.Credentials.from_service_account_file(key_file_location,scopes=scopes)
service = build('storage','v1', credentials=creds)
print(service.objects().get(bucket = cloud_storage_bucket, object= report_to_download).execute())
Stack trace
Traceback (most recent call last):
File "C:\Users\myuser\project\z_10_ext_google_play_store.py", line 46, in <module>
print(service.objects().get(bucket = cloud_storage_bucket, object= report_to_download).execute())
File "D:\Programs\Python\lib\site-packages\googleapiclient\_helpers.py", line 130, in positional_wrapper
return wrapped(*args, **kwargs)
File "D:\Programs\Python\lib\site-packages\googleapiclient\http.py", line 923, in execute
resp, content = _retry_request(
File "D:\Programs\Python\lib\site-packages\googleapiclient\http.py", line 191, in _retry_request
resp, content = http.request(uri, method, *args, **kwargs)
File "D:\Programs\Python\lib\site-packages\google_auth_httplib2.py", line 209, in request
self.credentials.before_request(self._request, method, uri, request_headers)
File "D:\Programs\Python\lib\site-packages\google\auth\credentials.py", line 133, in before_request
self.refresh(request)
File "D:\Programs\Python\lib\site-packages\google\oauth2\service_account.py", line 410, in refresh
access_token, expiry, _ = _client.jwt_grant(
File "D:\Programs\Python\lib\site-packages\google\oauth2\_client.py", line 199, in jwt_grant
six.raise_from(new_exc, caught_exc)
File "<string>", line 3, in raise_from
google.auth.exceptions.RefreshError: ('No access token in response.', {'id_token': 'eyJ...'})
I hope that I provided enough information and I'm sorry in advance if I made a stupid mistake.
I would like to extract the reporting data of our mobile apps from Google Play Console.
According to this documentation, we have to use SignedJwtAssertionCredentials to authenticate. After some errors and research it seems that the code snippet in the doc is kind of outdated (since SignedJWTAssertionCredentials is not available anymore). Instead we tried the following to automatically download the reports:
from oauth2client.service_account import ServiceAccountCredentials
from apiclient.discovery import build
scopes = ['https://www.googleapis.com/auth/analytics.readonly']
key_file_location = 'files/access_token/mykeyfile.json'
credentials = ServiceAccountCredentials.from_json_keyfile_name(key_file_location, scopes)
cloud_storage_bucket = 'pubsite_prod_rev_123456789'
report_to_download = 'installs/installs_com.someapp.etc.etc_2021*'
storage = build('storage', 'v1', credentials=credentials)
print( storage.objects().get(bucket = cloud_storage_bucket,object = report_to_download).execute())
Now the problem is, that we receive the following error message:
Traceback (most recent call last):
File "C:\Users\dev\dev\z_10_ext_google_play_store.py", line 30, in <module>
print( storage.objects().get(bucket = cloud_storage_bucket,object = report_to_download).execute())
File "D:\Software\Python\lib\site-packages\googleapiclient\_helpers.py", line 130, in positional_wrapper
return wrapped(*args, **kwargs)
File "D:\Software\Python\lib\site-packages\googleapiclient\http.py", line 938, in execute
raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://storage.googleapis.com/storage/v1/b/pubsite_prod_rev_123456789/o/installs%2Finstalls_com.someapp.etc.etc_2021%2A?alt=json returned "Insufficient Permission". Details: "[{'message': 'Insufficient Permission', 'domain': 'global', 'reason': 'insufficientPermissions'}]">
Does anyone have an idea? Our service account even has admin rights in play console (which normally would be to much..)
UPDATE
As DaImTo pointed out, I was missing some scopes which lead me to a different line of scope definition:
scopes = ['https://www.googleapis.com/auth/analytics.readonly', 'https://www.googleapis.com/auth/devstorage.read_only'
,'https://www.googleapis.com/auth/cloud-platform.read_only']
But I still receive some errors, now because of the missing access token which is weird because the .json file contains everything necessary:
Traceback (most recent call last):
File "C:\Users\andre\Desktop\DAWSE\z_10_ext_google_play_store.py", line 33, in <module>
print( storage.objects().get(bucket = cloud_storage_bucket,object = report_to_download).execute())
File "D:\Sonstige Programme\Python\lib\site-packages\googleapiclient\_helpers.py", line 130, in positional_wrapper
return wrapped(*args, **kwargs)
File "D:\Sonstige Programme\Python\lib\site-packages\googleapiclient\http.py", line 923, in execute
resp, content = _retry_request(
File "D:\Sonstige Programme\Python\lib\site-packages\googleapiclient\http.py", line 191, in _retry_request
resp, content = http.request(uri, method, *args, **kwargs)
File "D:\Sonstige Programme\Python\lib\site-packages\oauth2client\transport.py", line 159, in new_request
credentials._refresh(orig_request_method)
File "D:\Sonstige Programme\Python\lib\site-packages\oauth2client\client.py", line 749, in _refresh
self._do_refresh_request(http)
File "D:\Sonstige Programme\Python\lib\site-packages\oauth2client\client.py", line 785, in _do_refresh_request
self.access_token = d['access_token']
KeyError: 'access_token'
You appear to be using the objects.get method
The authenticated user must have sufficient permission to use this method. To start with i would ensure your service account has access.
After that i would check your scopes you are currently only loading the scope for google analytics api.
scopes = ['https://www.googleapis.com/auth/analytics.readonly']
This scope will not grant you access to the google cloud storage objects get method. For that you need to use one of the google cloud storage scopes
I am trying to add authorization to my python Cloud Functions. I created a service account in the GCP project and generated keys. The test client code (not in GCP) to call the Cloud Function looks like this:
from google.oauth2 import service_account
from google.auth.transport.requests import AuthorizedSession
SERVICE_ACCOUNT_FILE = '<my_project_key_file>.json'
credentials = service_account.Credentials.from_service_account_file(SERVICE_ACCOUNT_FILE,
scopes=['https://www.googleapis.com/auth/userinfo.email'])
authed_session = AuthorizedSession(credentials)
response = authed_session.get('https://<my_project>.cloudfunctions.net/authValidation')
I know this code correctly gets the JWT bearer token from Google and is added to the Authorization header in the call to my Cloud Function. I'm just having a hard time validating that token in the Cloud Function. The relevant part of that code looks like this:
from google.oauth2 import id_token
from google.auth.transport import requests
def hello_world(request):
# from https://developers.google.com/identity/sign-in/web/backend-auth#using-a-google-api-client-library
idinfo = id_token.verify_oauth2_token(request.headers.get('Authorization')[7:]), requests.Request())
I know the id token is correct because the manual validation (using https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=xxx ) returns exactly what I would expect.
The error logging stacktrace I get is:
Traceback (most recent call last):
File "/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py", line 346, in run_http_function
result = _function_handler.invoke_user_function(flask.request)
File "/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py", line 217, in invoke_user_function
return call_user_function(request_or_event)
File "/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py", line 210, in call_user_function
return self._user_function(request_or_event)
File "/user_code/main.py", line 17, in hello_world
idinfo = id_token.verify_oauth2_token(request.headers.get('Authorization')[7:], requests.Request())
File "/env/local/lib/python3.7/site-packages/google/oauth2/id_token.py", line 141, in verify_oauth2_token
certs_url=_GOOGLE_OAUTH2_CERTS_URL)
File "/env/local/lib/python3.7/site-packages/google/oauth2/id_token.py", line 122, in verify_token
return jwt.decode(id_token, certs=certs, audience=audience)
File "/env/local/lib/python3.7/site-packages/google/auth/jwt.py", line 219, in decode
header, payload, signed_section, signature = _unverified_decode(token)
File "/env/local/lib/python3.7/site-packages/google/auth/jwt.py", line 139, in _unverified_decode
header = _decode_jwt_segment(encoded_header)
File "/env/local/lib/python3.7/site-packages/google/auth/jwt.py", line 112, in _decode_jwt_segment
six.raise_from(new_exc, caught_exc)
File "<string>", line 3, in raise_from
ValueError: Can't parse segment: b'\xc9\xad\xbd'
What am I missing here? Thanks
By setting the GOOGLE_APPLICATION_CREDENTIAL environment variable in your local system, your client will run under the context of that service account without having to worry about auth. You don't need to code the path to the keyfile.
Also applies to deploying the Cloud Function, and testing it locally. When you deploy a Cloud Function, it runs as the AppEngine default service account, or the service account you specify with the --service-account parameter:
https://cloud.google.com/sdk/gcloud/reference/functions/deploy
Reference:
https://cloud.google.com/docs/authentication/production
This way you don't need to push the key to the server or worry about it in git, and you also don't need to make any code changes while running locally vs remotely.
Make sure the string passed to id_token.verify_oauth2_token() does not have the "Bearer " still at the start of it.
Trying to search youtube videos using this code: https://github.com/youtube/api-samples/blob/master/python/search.py
But whatever I try I get below error even though I provided the api key:
Traceback (most recent call last):
File "search.py", line 56, in <module>
youtube_search(args)
File "search.py", line 18, in youtube_search
developerKey=DEVELOPER_KEY)
File "C:\Python27\Scripts\tvapp_env\lib\site-packages\oauth2client\_helpers.py", line 133, in positional_wrapper
return wrapped(*args, **kwargs)
File "C:\Python27\Scripts\tvapp_env\lib\site-packages\googleapiclient\discovery.py", line 226, in build
credentials=credentials)
File "C:\Python27\Scripts\tvapp_env\lib\site-packages\oauth2client\_helpers.py", line 133, in positional_wrapper
return wrapped(*args, **kwargs)
File "C:\Python27\Scripts\tvapp_env\lib\site-packages\googleapiclient\discovery.py", line 358, in build_from_document
credentials = _auth.default_credentials()
File "C:\Python27\Scripts\tvapp_env\lib\site-packages\googleapiclient\_auth.py", line 40, in default_credentials
return oauth2client.client.GoogleCredentials.get_application_default()
File "C:\Python27\Scripts\tvapp_env\lib\site-packages\oauth2client\client.py", line 1264, in get_application_default
return GoogleCredentials._get_implicit_credentials()
File "C:\Python27\Scripts\tvapp_env\lib\site-packages\oauth2client\client.py", line 1254, in _get_implicit_credentials
raise ApplicationDefaultCredentialsError(ADC_HELP_MSG)
oauth2client.client.ApplicationDefaultCredentialsError: The Application Default Credentials are not available. They are available if running in Google Compute Engine. Otherwise, the environment variable GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file defining the credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
Please help, im running this from windows machine.
Or is there better code to make youtube search.
Thanks
Seems like you are not running the app in either Google app engine or in Google compute engine. So there are not going to be any default credentials to use so you have to download the credentials from the google developer console first and use those credentials in your application. Please refer this document for further details.
Good evening, i've been trying to migrate my blogger python app to oauth2 since the good old Clientlogin() has been deprecated and erased.
So, basically i searched through the entire web and couldn't manage to make my application to work correctly.
This is the basic code im using for testing:
FLOW = flow_from_clientsecrets('/home/b/client_secret.json',scope='https://www.googleapis.com/auth/blogger',message="Client Secrets Not Found")
storage = Storage('blogger.dat')
credentials = storage.get()
parser = argparse.ArgumentParser(parents=[tools.argparser])
flags = parser.parse_args()
if credentials is None or credentials.invalid:
credentials = run_flow(FLOW, storage, flags)
if credentials.access_token_expired:
credentials.refresh(httplib2.Http())
SCOPE = 'https://www.blogger.com/feeds'
token = gdata.gauth.OAuth2TokenFromCredentials(credentials)
client = gdata.blogger.client.BloggerClient()
token.authorize(client)
post = client.add_post(blog_id, title="blah", body="blah", labels="label", draft=False, title_type="xhtml", body_type="html")
I get a 401 error code, unauthorized everytime i try to do this.
Traceback (most recent call last):
File "/home/b/.eclipse/org.eclipse.platform_4.4.2_1473617060_linux_gtk_x86_64/plugins/org.python.pydev_4.0.0.201504132356/pysrc/pydevd.py", line 2278, in <module>
globals = debugger.run(setup['file'], None, None)
File "/home/b/.eclipse/org.eclipse.platform_4.4.2_1473617060_linux_gtk_x86_64/plugins/org.python.pydev_4.0.0.201504132356/pysrc/pydevd.py", line 1704, in run
pydev_imports.execfile(file, globals, locals) # execute the script
File "/home/b/workspace/BloggerPy/simpleblogger.py", line 53, in <module>
post = client.add_post(blog_id, title="hola", body="holaaa", labels="label", draft=False, title_type="xhtml", body_type="html", token=token)
File "/usr/local/lib/python2.7/dist-packages/gdata/blogger/client.py", line 111, in add_post
return self.post(new_entry, BLOG_POST_URL % blog_id, auth_token=auth_token, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/gdata/client.py", line 690, in post
desired_class=desired_class, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/gdata/client.py", line 298, in request
**kwargs)
File "/usr/local/lib/python2.7/dist-packages/gdata/client.py", line 307, in request
response, Unauthorized)
gdata.client.Unauthorized: Unauthorized - Server responded with: 401, User does not have permission to create new post
Can someone help me out with this? I'd really appreciate it :)
Greetings
Finally i've fixed my issue with gdata.gauth:
I used auth2token = gdata.gauth.OAuth2Token(client_id,client_secret,scope,user_agent)
After getting the authorization token i generate an authorized url to get an access code with auth2token.generate_authorize_url(redirect_uri=URL,approval_prompt="force").
once you get this url, you manually get the code and generate a refresh token, with which you generate an access token:
token = auth2token.get_access_token(code). Easy enough. For any other information as to how to save the token to a blob string in a file here's the reference:
gdata-python-api + Analytics with simple auth