Trying to change GCP service account key for a Drupal developer portal deployed on Google Cloud

When attempting to update the Google Cloud Platform (GCP) service account key for a Drupal-based developer portal deployed on Google Cloud, I am encountering an error that prevents connection to Apigee Edge, although I have selected the Apigee X option. The error, "Failed to connect to Apigee Edge. Error message: PERMISSION_DENIED: Permission 'apigee.organizations.get' denied on resource 'organizations/my-organization' (or it may not exist)," is thrown every time I try changing the project-id with the new service key.

It was working with my previous project-id and service key; I have given similar permissions for this project as well.

Using Drupal 10 with Apigee Kickstart Developer Portal Theme for Drupal.

[Screenshot: apigeex-connection-settings.png]

Attaching screenshots for your reference.


@usama-abacus 
I think it's a permission-related issue.

Authorization requires the `apigee.organizations.get` IAM permission.


See https://cloud.google.com/apigee/docs/reference/apis/apigee/rest/v1/organizations/get

@shishir21 thank you for the swift response. I have given the same permissions to both my projects. The one with which I initially deployed the Drupal portal is working, but the other one, which I want to replace on the deployed portal, throws this error.

Can you explain this in more detail?

I have given the same permissions to both my projects.

What permissions did you configure, on which resources? Can you elaborate? To get this to work, you need to grant appropriate permissions to the service account, for the specific Apigee organization. Did you do that in the Google Cloud IAM panel? Can you show it? What specific role did you grant to the service account in question?

Have you tried invoking the same GET /v1/organizations call from the command line, using a token generated by gcloud?

Drupal isn't doing anything mysterious. It uses the JSON SA key (the thing you masked out) as the basis to request a new access token. Then attaches the access token to a GET request into apigee.googleapis.com/v1/organizations. The result of that is 403. So clearly a permissions problem. You may be able to troubleshoot this by going through those same steps from your command line. Here's an example for how to get the access token. Then you just need to

```
curl -i -H "Authorization: Bearer $TOKEN" https://apigee.googleapis.com/v1/organizations
```

You should see it fail the same way. Adjust your permissions and then re-check results. When it works, you can retry it in Drupal (and it will work there too).
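The steps described in the reply above, as an added shell example that is not part of the original thread: it activates the same JSON key in a throwaway gcloud configuration, requests an access token, and calls the Apigee API, reporting which identity was tested. It assumes `gcloud` and `curl` are installed and that the key has the one-field-per-line layout of a downloaded key; the function names are hypothetical, and it requests `organizations/ORG` (the resource named in the error) rather than the list endpoint.

```bash
#!/usr/bin/env bash
# Added example: replay the portal's connection test with the same JSON key.
# Usage: ./check_apigee_sa.sh /path/to/sa-key.json my-organization

# Pull one string field (client_email, project_id) out of a service account key.
# Assumes one "field": "value" pair per line, as in a downloaded key file.
sa_field() {  # sa_field KEYFILE FIELD
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Turn the HTTP status of GET /v1/organizations/ORG into a next step.
explain_status() {  # explain_status CODE ORG EMAIL
  case "$1" in
    200) echo "OK: $3 can read organizations/$2" ;;
    401) echo "401: access token rejected; check that the key is still valid" ;;
    403) echo "403: $3 lacks apigee.organizations.get on organizations/$2 (or the org name is wrong)" ;;
    *)   echo "HTTP $1: unexpected; inspect the response body" ;;
  esac
}

check_org() {  # check_org KEYFILE ORG
  key="$1"; org="$2"
  email="$(sa_field "$key" client_email)"
  echo "key identity: $email (key project: $(sa_field "$key" project_id))"
  # Throwaway gcloud config dir: the key never becomes the active account
  # of your normal gcloud profile and is removed when the script exits.
  CLOUDSDK_CONFIG="$(mktemp -d)"; export CLOUDSDK_CONFIG
  trap 'rm -rf "$CLOUDSDK_CONFIG"' EXIT
  gcloud auth activate-service-account --key-file="$key" --quiet || return 1
  token="$(gcloud auth print-access-token)" || return 1
  code="$(curl -s -o /dev/null -w '%{http_code}' \
            -H "Authorization: Bearer $token" \
            "https://apigee.googleapis.com/v1/organizations/$org")"
  explain_status "$code" "$org" "$email"
  [ "$code" = "200" ]
}

# Run only when called with both arguments; sourcing just defines the functions.
if [ "$#" -eq 2 ]; then check_org "$1" "$2"; fi
```

The printed `client_email` is the member that needs the role binding in IAM; comparing it against the IAM panel confirms the grant was made to the identity in this key.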

This doesn't seem to be an Apigee Drupal Portal issue.

Check this out; a similar issue was discussed here:

https://www.googlecloudcommunity.com/gc/Apigee/Getting-quot-code-quot-403-quot-message-quot-quot-Per...

Hope this may help.