4

I'm getting the following error when using the Google Storage JSON API:

$ curl -v 'https://www.googleapis.com/storage/v1/b/MY-BUCKET/o?key=MY_API_KEY'
* Hostname was NOT found in DNS cache
*   Trying 64.233.186.95...
* Connected to www.googleapis.com (64.233.186.95) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.storage.googleapis.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET /storage/v1/b/MY-BUCKET/o?key=MY_API_KEY HTTP/1.1
> User-Agent: curl/7.37.1
> Host: www.googleapis.com
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Vary: X-Origin
< Content-Type: application/json; charset=UTF-8
< Date: Tue, 31 Mar 2015 16:57:40 GMT
< Expires: Tue, 31 Mar 2015 16:57:40 GMT
< Cache-Control: private, max-age=0
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
* Server GSE is not blacklisted
< Server: GSE
< Alternate-Protocol: 443:quic,p=0.5
< Accept-Ranges: none
< Vary: Origin,Accept-Encoding
< Transfer-Encoding: chunked
< 
{
 "error": {
  "errors": [
   {
    "domain": "usageLimits",
    "reason": "ipRefererBlocked",
    "message": "There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed.",
    "extendedHelp": "https://console.developers.google.com"
   }
  ],
  "code": 403,
  "message": "There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed."
 }
}

But everything seems configured correctly. The key I'm using is listed as allowing any IP:

API Key configuration

The APIs themselves are active:

APIs Enabled

And the project has billing information correctly configured:

Correctly configured billing

I've tried enabling and disabling the APIs and refreshing the billing info. Nothing is helping. What are the next steps? Try AWS?

Edu Felipe
  • 10,197
  • 13
  • 44
  • 41
  • What IP address are you connecting from? – jterrace Apr 01 '15 at 02:01
  • I tried to reproduce your issue but so far I haven't been able. Try by removing the API key and generating a new one. Also if it's possible, try from a diferent IP. – Layo Apr 07 '15 at 15:47
  • I wasn't able to reproduce the issue either. I did noticed that there were some cases on Stackoverflow for people having the same issue with Google Calendar API and Youtube API. What fixed the issue them was: -delete the server key from the credentials pane -deactivate/reactivate APIs needed -create new server key One problem I was running into was error 401 Authorization. To get around that, I ran gsutil acl set public-read gs://MY-BUCKET/ – vaqars Apr 24 '15 at 22:22
  • Were you able to find a solution to this issue? – Adam Mar 19 '16 at 23:07
  • Hi Adam, I just answered the question myself ;) – Edu Felipe Mar 20 '16 at 13:40

1 Answers1

1

For posterity here is what happened:

I spun a different VM in the same datacenter (Linode in Newark/NJ) and it worked perfectly, so the problem seemed not be my key, but my IP itself.

In order to get to the bottom of this I had to pay Google Cloud US$ 150.00 so they could let me open a support ticket and describe the issue.

I spend the next two days arguing with a support staffer that – while being very polite – always assumed the error was in my end instead of theirs.

After writing a 6000 character reply with super specific details he finally decided to check with someone and found out my IP had been blocked by a Google traffic automation system because it erroneously detected that my IP came from a restricted country (Iran).

Given that the VM was in New Jersey – and it was very easy to see that through traceroute – they told me they would have to manually overwrite the system and place my IP back in the US. This would take three days, so I waited.

Three days later I got an email telling me to test everything, and so I did. It didn't work. After another couple of emails and waiting another day they finally fixed it.

The cherry on top of this whole mess was having a Google Support staffer accuse my company of doing business with restricted countries and acting as a proxy to traffic coming from Iran. That was preposterous and it really offended us, because even after making a mistake they still wanted to blame us for doing nothing wrong.

We told two engineers to turn that VM backwards and see if they could find any evidence of that it had been hacked and of course they couldn't. It was a fully patched Ubuntu 14.04 server that one could only SSH through ones private key and remote root login was disabled.

And this is how the tale ends, folks. Spending US$ 150.00 to notify Google of their own mistake and having to fight your way to the solution.

Oh, and one more thing: we're migrating to AWS.

Edu Felipe
  • 10,197
  • 13
  • 44
  • 41