Compute Engine API call fails with http 404

I need a little help using the Google Compute Engine API from the Engine application code. The following is part of the code that I use to get a list of computer instances (simplified version).

    try {
        // Get an access token for the application's own service account
        final AppIdentityService appIdService = AppIdentityServiceFactory
                .getAppIdentityService();
        AppIdentityService.GetAccessTokenResult result = appIdService
                .getAccessTokenUncached(Collections
                        .singletonList(ComputeScopes.COMPUTE));
        String accessToken = result.getAccessToken();

        String url = "https://www.googleapis.com/compute/v1/projects/MYPROJECTID/zones/us-central1-b/instances";
        String payload = "";

        // Create HTTPRequest and set headers
        HTTPRequest httpRequest = new HTTPRequest(new URL(url.toString()),
                HTTPMethod.GET,
                FetchOptions.Builder.doNotFollowRedirects());
        httpRequest.addHeader(new HTTPHeader("Authorization", "OAuth "
                + accessToken));
        httpRequest.addHeader(new HTTPHeader("Host", "www.googleapis.com"));
        httpRequest.addHeader(new HTTPHeader("Content-Length", Integer
                .toString(payload.length())));
        httpRequest.addHeader(new HTTPHeader("Content-Type",
                "application/json"));
        httpRequest.addHeader(new HTTPHeader("User-Agent",
                "google-api-java-client/1.0"));
        httpRequest.setPayload(payload.getBytes());

        // Send the request and inspect the status code
        URLFetchService fetcher = URLFetchServiceFactory
                .getURLFetchService();
        HTTPResponse httpResponse = fetcher.fetch(httpRequest);
        int responseCode = httpResponse.getResponseCode();
        if ((responseCode == 200) || (responseCode == 204)) {
            String contentStr = new String(httpResponse.getContent());
            return extractIpsAndInstanceNames(contentStr, prefix);
        } else {
            logger.warning("Failed. Response code " + responseCode
                    + " Reason: " + new String(httpResponse.getContent()));
        }
    } catch (IOException e) {
        // Closes the try block of this excerpt: URL parsing and fetch errors
        logger.warning("Request failed: " + e);
    }

As you can see, I use AppIdentity to get the access token. Then I use it in the request header of the API call.

Basically, the call fails every time:

    Failed. Response code 404 Reason: {
     "error": {
      "errors": [
       {
        "domain": "global",
        "reason": "notFound",
        "message": "The resource 'projects/MYPROJECTID' was not found"
       }
      ],
      "code": 404,
      "message": "The resource 'projects/MYPROJECTID' was not found"
     }
    }

Interestingly, if I use the following webapp https://developers.google.com/compute/docs/reference/latest/instances/list#try-it to make the same API call, it succeeds.

So, I looked at what data is sent when this web application makes a request, copied the bearer token string and used it in the "Authorization" header. Oddly enough, the request then completed successfully without changing anything else. Basically this application uses a custom OAuth2 token type, so to me it looks like a problem with the token received through AppIdentity. Can someone point me in the right direction? Thanks!

+3
3 answers

I ran into the same problem and was able to solve it, or maybe I should have thought it over in such a way that it made no sense to me. Hope someone with real knowledge on this subject can explain further. This solution is similar to what E. Anderson answered, but differs in that both the App Engine and the Compute Engine were in the same project.

Here is what I did:

  • In an application running in real mode (not in local developer mode), print the email of the service account. Using Go runtime, I used appengine.ServiceAccount(ctx).
  • In the Google Developers Console, go to the permissions page for your project and add the email address obtained in the previous step as a member of your project.

Once I did this, I was able to request the Compute Engine REST APIs from App Engine. I have no idea why this step was necessary.

+3
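A triage helper for the error body shown in the question, as an added example (not code from the question or any answer): it separates a 404 on the project itself, which the answers trace to the App Engine service account not being a member of the project, from a 404 on a resource inside a project the caller can see. The name `Triage` and the second sample body are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// apiError mirrors the error envelope printed in the question's log line.
type apiError struct {
	Error struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
		Errors  []struct {
			Reason string `json:"reason"`
		} `json:"errors"`
	} `json:"error"`
}

// projectBody is the body from the question; instanceBody is a constructed sample.
const projectBody = `{"error":{"errors":[{"domain":"global","reason":"notFound","message":"The resource 'projects/MYPROJECTID' was not found"}],"code":404,"message":"The resource 'projects/MYPROJECTID' was not found"}}`
const instanceBody = `{"error":{"errors":[{"domain":"global","reason":"notFound","message":"The resource 'projects/MYPROJECTID/zones/us-central1-b/instances/vm-1' was not found"}],"code":404,"message":"The resource 'projects/MYPROJECTID/zones/us-central1-b/instances/vm-1' was not found"}}`

// Matches only when the missing resource is the project, not something below it.
var projectNotFound = regexp.MustCompile(`^The resource 'projects/([^'/]+)' was not found$`)

// Triage returns the project ID and true when the response is a notFound on the
// project itself, the case the answers fixed by adding the service account to the project.
func Triage(status int, body []byte) (string, bool) {
	var e apiError
	if status != 404 || json.Unmarshal(body, &e) != nil || e.Error.Code != 404 {
		return "", false
	}
	m := projectNotFound.FindStringSubmatch(e.Error.Message)
	if m == nil {
		return "", false
	}
	for _, d := range e.Error.Errors {
		if d.Reason == "notFound" {
			return m[1], true
		}
	}
	return "", false
}

func main() {
	for _, b := range []string{projectBody, instanceBody} {
		p, ok := Triage(404, []byte(b))
		fmt.Printf("check project membership=%v project=%q\n", ok, p)
	}
}
```

When `Triage` reports true, the value to look for on the project's Permissions page is the service account email that the application prints at runtime.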

Are you using the appengine app in the same project as the GCE project you are trying to solve? If not, you need to add the service account identifier from the AppEngine application to the project team for the GCE project; look at the "Permissions" tab on the cloud console to see if the AppEngine application has access to the GCE project.

+1

To provide an option on Doug's answer:

  • Go to https://appengine.google.com, select your application, and go to the Administration > Application Settings page. Here you can find your email address for the service account. Use this if you want to explicitly provide an email address, i.e. if your design of the computing engine is different from your design of the application engine. If so, follow Doug's answers.

  • At the bottom of the app's settings page, find the "Cloud Integration" section. Do the integration - it will take a minute.

  • So, if you go to https://console.developers.google.com, select your project and go to the Permissions page for your project (the link is at the bottom left), you will find that your application engine service account now appears in the list of service accounts, with the rights of rights. 404 must be allowed.

If you want your OAuth authorization code to work on the dev server, this answer might help: fooobar.com/questions/262608 / ...

0

Source: https://habr.com/ru/post/971667/

