search

Triple-T / gradle-play-publisher

GPP is Android's unofficial release automation Gradle Plugin. It can do anything from building, uploading, and then promoting your App Bundle or APK to publishing app listings and other metadata.
MIT License
4.13k stars 341 forks source link

Publishing app returns 403 global forbidden #761

Closed felipeloha closed 4 years ago

felipeloha commented 4 years ago

Hi!

We are trying to use com.github.triplet.play to publish our app as ./gradlew publishBundle --info and we get:

FAILURE: Build failed with an exception.
What went wrong:
Execution failed for task ':generateEditForCoDotPulpoDotWms'.
> A failure occurred while executing com.github.triplet.gradle.play.tasks.GenerateEdit$Generator
   > 403 Forbidden
     {
       "code" : 403,
       "errors" : [ {
         "domain" : "global",
         "message" : "Forbidden",
         "reason" : "forbidden"
       } ],
       "message" : "Forbidden"
     }

We are using a service account and we get a token but the following POST results in a 403:

curl -v --compressed -X POST -H 'Accept-Encoding: gzip' -H 'Authorization: <Not Logged>' -H 'User-Agent: gradle-play-publisher Google-API-Java-Client Google-HTTP-Java-Client/1.30.0 (gzip)' -H 'x-goog-api-client: java/1.8.0 http-google-androidpublisher/1.26.0 mac-os-x/10.15.2' -H 'Content-Encoding: gzip' -d '@-' -- 'https://www.googleapis.com/androidpublisher/v3/applications/co.pulpo.wms/edits' << $$$

The token is not a problem and when we disable the account, it gives a 400. So it is interacting with the right account and permissions.

The service account is an owner and in the google play console it is a release manager. Those rights should be enough.

Could you please tell me if I am missing something or point me into the right direction how to debug this further?

Thanks in advance

SUPERCILEX commented 4 years ago

Why are you curling things? Please follow these instructions: https://github.com/Triple-T/gradle-play-publisher/blob/master/README.md#authenticating-gradle-play-publisher. Also, if you actually ran that exact curl command, it's definitely not going to work since the token is invalid: Authorization: <Not Logged>.

SUPERCILEX commented 4 years ago

Also, this might help: https://github.com/Triple-T/gradle-play-publisher/issues/751

felipeloha commented 4 years ago

Sorry I will change the description. I was ./gradlew publishBundle and the curl are the logs I get when I ./gradlew publishBundle --info The account has owner rights as described in #751. I don't know what else I need to configure

The Authorization: <Not Logged>. is something gradle does to protect the tokens. The token validation call is successful:

POST https://oauth2.googleapis.com/token
Accept-Encoding: gzip
User-Agent: Google-HTTP-Java-Client/1.30.0 (gzip)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 781

returns 200

Do you have any other idea?

SUPERCILEX commented 4 years ago

Oh gotya, I was really confused. Sorry about that. Anyway, are you trying to publish to production? If so you'll need to check that extra box here that allows managing production releases: https://github.com/Triple-T/gradle-play-publisher/blob/master/assets/min-perms.png

felipeloha commented 4 years ago

I am publishing to internal but I gave it the release manager role which has all the rights and the service account is an owner. any other ideas?

SUPERCILEX commented 4 years ago

Not really, just the obvious questions. You sure the package name is correct? You sure the service account email is correct? You sure Play Console is linked to the right GCP project? (The same one the service account is from.?) You sure the credentials are correct?