Error setting up authorization using G Suite [solved]


#1

I’m setting up authorization in Spinnaker against G Suite according to these guides: https://www.spinnaker.io/setup/security/authorization/ but getting this error in the logs of Fiat:

Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
  "code" : 403,
  "errors" : [ {
    "domain" : "global",
    "message" : "Not Authorized to access this resource/api",
    "reason" : "forbidden"
  } ],
  "message" : "Not Authorized to access this resource/api"
}

The service account configured in Fiat does have domain-wide delegation and has admin.directory.group.readonly assigned.

Does anyone have any ideas why it happens?

Update: created the issue with some screenshots since I cannot post them at this forum: https://github.com/spinnaker/spinnaker/issues/2504


#2

@Stephen_Chen


#3

Hi wheleph, did you correctly configure the admin address / domain? Just checking that it should be an admin account that you can use to log into G Suite Admin console, not the service account.


#5

@Stephen_Chen yes, I think so. Here’re the screenshots of my setup:


#6

Another screenshot:


#7

@wheleph Ah, sorry I meant the halyard configuration. Your service account access looks correct.

hal config security authz google edit \
    --admin-username $ADMIN \
    --credential-path $CREDENTIALS \
    --domain $DOMAIN

Just double checking that $ADMIN is the account you logged into your G Suite Admin console, not spinnaker-fiat@bolcom-pro-spinnaker-f28.iam.gserviceaccount.com.


#8

Thank you @Stephen_Chen, I think that is it.

I put spinnaker-fiat@bolcom-pro-spinnaker-f28.iam.gserviceaccount.com as admin username.

I’ll fix it and post an update here.


#9

I’m trying to verify my setup with a proper account but I run into another issue: Enabling Fiat. Does someone have an idea about that one?


#10

The issue is solved according to the suggestion of @Stephen_Chen.
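
The misconfiguration resolved in this thread, as an added example that is not part of the original posts or of Spinnaker's code: a preflight check for the values passed to `hal config security authz google edit`, plus the claim set of Google's documented service-account delegation flow, where `sub` is the impersonated admin user and `iss` is the service account. The function names, the sample key and the `example.com` addresses are constructed placeholders, and that Fiat passes the admin username as the impersonated user is an assumption based on the fix above.

```python
import json

# Scope named in the thread, in its full URL form.
GROUP_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"
TOKEN_URI = "https://oauth2.googleapis.com/token"


def preflight(admin_username, domain, key_json):
    """Return a list of problems with the halyard values (hypothetical helper)."""
    key = json.loads(key_json)
    problems = []
    if key.get("type") != "service_account":
        problems.append("credential file is not a service account key")
    admin = admin_username.strip().lower()
    if admin == key.get("client_email", "").lower() or admin.endswith(".gserviceaccount.com"):
        # The mistake found in this thread: the service account used as --admin-username.
        problems.append("admin username is a service account; it must be a G Suite admin user")
    elif admin.rpartition("@")[2] != domain.strip().lower():
        problems.append("admin username is not in the configured domain")
    return problems


def delegation_claims(admin_username, key_json, now):
    """JWT claim set for a domain-wide-delegation token request (unsigned)."""
    key = json.loads(key_json)
    return {
        "iss": key["client_email"],  # service account that signs the assertion
        "sub": admin_username,       # admin user being impersonated
        "scope": GROUP_SCOPE,
        "aud": key.get("token_uri", TOKEN_URI),
        "iat": now,
        "exp": now + 3600,
    }


# Constructed sample key file: placeholder names, no private key material.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "fiat-sa@example-project.iam.gserviceaccount.com",
    "token_uri": TOKEN_URI,
})

if __name__ == "__main__":
    for admin in ("fiat-sa@example-project.iam.gserviceaccount.com", "admin@example.com"):
        print(admin, preflight(admin, "example.com", SAMPLE_KEY) or "ok")
```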