Open marco-lancini opened 4 years ago
@skiptomyliu Can you take a look at this GSuite issue when you get a moment?
The my_customer refers to the current customer/org that the application belongs to (https://developers.google.com/admin-sdk/directory/v1/guides/manage-customers), but replacing it with your customerId should also work.
I would still double check that the steps have been completed on your step 3: ("G Suite Domain-Wide Delegation of Authority").
You should have two accounts:
Hi @skiptomyliu, thanks for replying.
I've made sure to have:
We also tried applying these scopes:
The error we are facing now is the following:
INFO:cartography.sync:Starting sync stage 'gsuite'
INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/admin/directory_v1/rest
DEBUG:cartography.intel.gsuite.api:Syncing GSuite Users
INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/admin/directory/v1/users?customer=my_customer&maxResults=500&orderBy=email&alt=json
INFO:oauth2client.transport:Attempting refresh to obtain initial access_token
INFO:oauth2client.client:Refreshing access_token
INFO:oauth2client.client:Failed to retrieve access token: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
ERROR:cartography.sync:Unhandled exception during sync stage 'gsuite'
Traceback (most recent call last):
File "/app/cartography/sync.py", line 69, in run
stage_func(neo4j_session, config)
File "/app/cartography/intel/gsuite/__init__.py", line 68, in start_gsuite_ingestion
api.sync_gsuite_users(session, resources.admin, config.update_tag, common_job_parameters)
File "/app/cartography/intel/gsuite/api.py", line 229, in sync_gsuite_users
resp_objs = get_all_users(admin)
File "/app/cartography/intel/gsuite/api.py", line 108, in get_all_users
resp = request.execute(num_retries=GOOGLE_API_NUM_RETRIES)
File "/usr/local/lib/python3.7/site-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
return wrapped(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/googleapiclient/http.py", line 851, in execute
method=str(self.method), body=self.body, headers=self.headers)
File "/usr/local/lib/python3.7/site-packages/googleapiclient/http.py", line 165, in _retry_request
resp, content = http.request(uri, method, *args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/oauth2client/transport.py", line 159, in new_request
credentials._refresh(orig_request_method)
File "/usr/local/lib/python3.7/site-packages/oauth2client/client.py", line 749, in _refresh
self._do_refresh_request(http)
File "/usr/local/lib/python3.7/site-packages/oauth2client/client.py", line 819, in _do_refresh_request
raise HttpAccessTokenRefreshError(error_msg, status=resp.status)
oauth2client.client.HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.
Traceback (most recent call last):
File "/usr/local/bin/cartography", line 11, in <module>
load_entry_point('cartography', 'console_scripts', 'cartography')()
File "/app/cartography/cli.py", line 241, in main
return CLI(default_sync, prog='cartography').main(argv)
File "/app/cartography/cli.py", line 221, in main
return cartography.sync.run_with_config(self.sync, config)
File "/app/cartography/sync.py", line 135, in run_with_config
return sync.run(neo4j_driver, config)
File "/app/cartography/sync.py", line 69, in run
stage_func(neo4j_session, config)
File "/app/cartography/intel/gsuite/__init__.py", line 68, in start_gsuite_ingestion
api.sync_gsuite_users(session, resources.admin, config.update_tag, common_job_parameters)
File "/app/cartography/intel/gsuite/api.py", line 229, in sync_gsuite_users
resp_objs = get_all_users(admin)
File "/app/cartography/intel/gsuite/api.py", line 108, in get_all_users
resp = request.execute(num_retries=GOOGLE_API_NUM_RETRIES)
File "/usr/local/lib/python3.7/site-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
return wrapped(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/googleapiclient/http.py", line 851, in execute
method=str(self.method), body=self.body, headers=self.headers)
File "/usr/local/lib/python3.7/site-packages/googleapiclient/http.py", line 165, in _retry_request
resp, content = http.request(uri, method, *args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/oauth2client/transport.py", line 159, in new_request
credentials._refresh(orig_request_method)
File "/usr/local/lib/python3.7/site-packages/oauth2client/client.py", line 749, in _refresh
self._do_refresh_request(http)
File "/usr/local/lib/python3.7/site-packages/oauth2client/client.py", line 819, in _do_refresh_request
raise HttpAccessTokenRefreshError(error_msg, status=resp.status)
oauth2client.client.HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.
Hrmm, I wonder if we mixed up the steps as it appears ordering may be required...
https://stackoverflow.com/a/59067603/914941
"Delegating domain-wide authority to the service account" MUST be enabled before you add service account and its scopes on "Manage API client access" page in G Suite Admin. Otherwise it will fail with "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." error and require removing the API client and adding it again.
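The two pieces that have to agree for a delegated token request to succeed, as an added example rather than code from cartography or from anyone in this thread: the service-account key file supplies the client_id and client_email that go into the signed JWT, and the Admin console's domain-wide delegation table authorizes scopes per numeric client ID. The token endpoint answers with exactly the unauthorized_client error shown above when the client_id has no entry or when any requested scope falls outside it. The key file contents, the delegation table and the admin address below are constructed stand-ins; the claim names follow the OAuth 2.0 JWT bearer grant that google-auth uses for delegation (the real request is RS256-signed with the key file's private key, which this check does not need).

```python
"""Preflight check for Google Workspace domain-wide delegation.

Added example, not cartography's own code. Inputs are constructed:
  1. SERVICE_ACCOUNT_KEY mimics the JSON key downloaded from the Cloud console,
  2. ADMIN_CONSOLE_DELEGATION mimics the Admin console table under
     Security > API controls > Domain-wide delegation (client ID -> scopes).
"""
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
DIRECTORY_USER_RO = "https://www.googleapis.com/auth/admin.directory.user.readonly"
DIRECTORY_GROUP_RO = "https://www.googleapis.com/auth/admin.directory.group.readonly"

# Constructed stand-in for the service-account key file (private key omitted).
SERVICE_ACCOUNT_KEY = json.dumps({
    "type": "service_account",
    "client_id": "111111111111111111111",
    "client_email": "cartography@example-project.iam.gserviceaccount.com",
    "token_uri": TOKEN_URI,
})

# Constructed stand-in for the Admin console entry. Scopes are authorized per
# numeric client ID, so an entry keyed by the service-account email, or by a
# client ID from a different project, authorizes nothing for this key.
ADMIN_CONSOLE_DELEGATION = {
    "111111111111111111111": {DIRECTORY_USER_RO},
}


def build_delegated_claims(key_json, subject, scopes, now=None):
    """Claim set of the JWT a client signs for a delegated token request.

    `iss` is the service account, `sub` is the Workspace user being
    impersonated (it must be an admin allowed to use the Directory API),
    and `scope` is the space-separated list that must be covered by the
    Admin console entry for this client_id.
    """
    key = json.loads(key_json)
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }


def check_delegation(key_json, scopes, delegation_table):
    """Return (ok, reason), mirroring the two conditions behind
    'unauthorized_client: ... client not authorized for any of the scopes
    requested': no delegation entry for this client_id, or a requested
    scope that the entry does not list."""
    client_id = json.loads(key_json)["client_id"]
    authorized = delegation_table.get(client_id)
    if authorized is None:
        return False, "client_id %s has no domain-wide delegation entry" % client_id
    missing = sorted(set(scopes) - authorized)
    if missing:
        return False, "scopes not authorized for this client: " + ", ".join(missing)
    return True, "ok"


if __name__ == "__main__":
    wanted = [DIRECTORY_USER_RO, DIRECTORY_GROUP_RO]
    print(build_delegated_claims(SERVICE_ACCOUNT_KEY, "admin@example.com", wanted))
    print(check_delegation(SERVICE_ACCOUNT_KEY, wanted, ADMIN_CONSOLE_DELEGATION))
```

Run against a real key file, the check is only as good as the delegation table you transcribe from the Admin console, but that transcription is the point: compare the client_id field of the key file character by character with the client ID column in the console, and compare the scope list cartography requests with the scope column, because a single extra or misspelled scope fails the whole token request rather than just that scope.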
Hi @skiptomyliu, just to be super sure we tried both ways and we are still facing the same issue
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
We are still blocked by this issue
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Hi stale bot, this is still an ongoing issue :)
Hi, some updates on this:
So it really seems this issue is related to some calls made by Cartography, rather than to a faulty setup?
Hi, Is anyone managed to overcome HTTP error 403 "Not Authorized to access this resource/api"?
Unfortunately no, I had to put on hold the GSuite integration for my use cases 😟
Ah man, I wonder what secret sauce we've got going on because this just works™️ on our deployment.
@zamirTo1 do you get the same error messages as @marco-lancini? Can you add more details?
Hi @achantavy I do get the same error as @marco-lancini, I've also tried to build the GSuite section by myself according to this guide: https://developers.google.com/admin-sdk/directory/v1/guides/delegation same result :(
Yeah can confirm I followed that process as well, and got it working for RBACSync. This leads me to think it might be something related to Cartography code itself 🤔
I've documented the approach I took, step-by-step, here: https://www.marcolancini.it/2020/blog-gsuite-domain-delegation/ Hope this helps!
This https://github.com/lyft/cartography/pull/1071 does not solve the issue but allow to use an other auth method (OAuth) that can be considered as a workaround.
Issue: The documentation for setting up the GSuite integration is incomplete and leads towards a 400 error
Description: Following the README, I:
After this, Cartography crashes with the following output:
I started troubleshooting this and I found the string my_customer is hardcoded in cartography/intel/gsuite/api.py:
I decided to replace it with the customerId of my GSuite org, and then I faced a 403 - Not Authorized error:
I tried to add more scopes to the service account (listed below), but I still get Not Authorized:
Please complete the following information:
Cartography commit: 801bb58
Python version: 3.7.5
OS: python:3.7 docker image