
Service Account error - One or more users named in the policy do not belong to a permitted customer.

I have been trying for the last 3 days to enable in-app purchases through a 3rd party service provider. Or two. I tried RevenueCat and Adapty. The instructions are the same for both.

I was able to connect to RevenueCat via their instructions back when I had a personal developer account. Then I made a business account, transferred my app to it, followed the exact same instructions. It worked for a minute, and then became invalid a few minutes later. Then I tried Adapty, and it would not work at all.

I looked into the GCP logs and found this error message in the JSON below: One or more users named in the policy do not belong to a permitted customer.

I am aware there is a wait, which I waited, and also a hack to speed it up, which I tried without luck. In the case of the hack, the error message was different (The current user has insufficient permissions to perform the requested operation.), so I think it's a different issue. I have also tried:

  • changing my role in the organization and the project and creating a new service account with the additional roles:
    image1.png
  • comparing the creation event log from back when it worked to the one now. There was no difference.
  • I was able to connect bitrise via browser role with no problem

This is from the activity log:

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
      "code": 9,
      "message": "One or more users named in the policy do not belong to a permitted customer." // <== 🔴
    },
    "authenticationInfo": {
      "principalEmail": "SERVICE_ACCOUNT_FOR_ADAPTY.iam.gserviceaccount.com",
      "serviceAccountKeyName": "//iam.googleapis.com/projects/ABCDE-FGHIJ-######/serviceAccounts/SERVICE_ACCOUNT_FOR_ADAPTY.iam.gserviceaccount.com/keys/######################",
      "principalSubject": "serviceAccount:SERVICE_ACCOUNT_FOR_ADAPTY.iam.gserviceaccount.com"
    },
    "requestMetadata": {
      "callerIp": "##.###.###.#",
      "callerSuppliedUserAgent": "(gzip),gzip(gfe)",
      "requestAttributes": {
        "time": "2024-04-15T20:00:08.543016640Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "pubsub.googleapis.com",
    "methodName": "google.iam.v1.IAMPolicy.SetIamPolicy",
    "authorizationInfo": [
      {
        "resource": "projects/ABCDE-FGHIJ-######/topics/adapty-prod-########-####-####-####-############",
        "permission": "pubsub.topics.setIamPolicy",
        "granted": true,
        "resourceAttributes": {},
        "permissionType": "ADMIN_WRITE"
      }
    ],
    "resourceName": "projects/ABCDE-FGHIJ-######/topics/adapty-prod-########-####-####-####-############",
    "request": {
      "resource": "projects/ABCDE-FGHIJ-######/topics/adapty-prod-########-####-####-####-############",
      "@type": "type.googleapis.com/google.iam.v1.SetIamPolicyRequest",
      "policy": {
        "bindings": [
          {
            "role": "roles/pubsub.publisher",
            "members": [
              "serviceAccount:google-play-developer-notifications@system.gserviceaccount.com"
            ]
          }
        ]
      }
    }
  },
  "insertId": "ABCD1234",
  "resource": {
    "type": "pubsub_topic",
    "labels": {
      "project_id": "ABCDE-FGHIJ-######",
      "topic_id": "projects/ABCDE-FGHIJ-######/topics/adapty-prod-########-####-####-####-############e"
    }
  },
  "timestamp": "2024-04-15T20:00:08.534124734Z",
  "severity": "ERROR", // <== 🔴
  "logName": "projects/ABCDE-FGHIJ-######/logs/cloudaudit.googleapis.com%2Factivity",
  "receiveTimestamp": "2024-04-15T20:00:09.575442323Z"
}

And this is from Google Play Console logs. I think I have tried setting just Account Permissions, and that didn't make a difference either.

image2.png

I have some insane time pressure right now and this thing is making me freak out. Any help for figuring this out would be greatly appreciated. Greatly greatly appreciated.

Quick edit. I see that the old notification topic was transferred along with my app to the business account. I deleted it, disabled notifications, will disable pub/sub and dev real time notifications apis, then try the whole process again, and maybe that will help...


A day later I can sort of answer my own question. It is not a direct answer, but one that got to the solution and might give other total newbies like me a sense of how to go about figuring it out when there is nobody who can help. 

"Solution"

When I created a new project under my organization, the project inherited a bunch of properties that my organization either came with, or that I accidentally set before I realized I could just skip the Google Cloud Setup page. I don't think I set them explicitly, they probably got set accepting some of the recommended defaults.

To solve the problem, I searched this screen: 

jehillert_1-1713277764000.png

And made these changes:

  • I changed all of these settings from 'Inherit parent's policy' to 'Google-managed default'. The ones I think matter were probably the 'Domain restricted sharing' and 'Domain restricted contacts', but I also reverted anything that looked like it had to do with service accounts. You can filter and search.
  • Set 'Domain Restricted Sharing' to 'allow all' temporarily, and then set to 'Google-managed default' at the end. I only mention this because changing that setting to allow all is right about when the Adapty service was able to connect.

jehillert_0-1713277744421.png

You probably have to give yourself one of the Policy Admin roles you see in my first screenshot to make these changes. 

Helping yourself knowing nothing

Because I just care about my app, Google Cloud was just this black box in my head. A set of procedures I had to follow to get to publication. But apparently that's not good enough. You need to understand what it's there for and its role in connecting to 3rd party services. The first step was to think about that for a few minutes.

From there, the reasoning that got me to a solution was that the Google defaults were probably what existed when I originally set up my own personal GCP account and connected to my personal Google Play dev account. When I kept seeing "inherited", and then saw that there were "Google defaults" that differed, I switched the settings that I thought mattered, assuming the defaults were probably set so developers wouldn't have to do a bunch of unnecessary admin tasks in order to link an app to the app store.

Logs be thy guide

The other thing that helped is the logs. A day and a half into this, I tried connecting and reconnecting APIs. Then I noticed that every single thing you do on Google Cloud triggers an API call, which is logged, and that there is an option to see the log attached to a lot of tasks. Same on Google Play Console. So you can look up each of those API calls that relate to what you are doing, see if they succeeded or not, and read the error message.

Xnip2024-04-16_10-04-16.png

Xnip2024-04-16_10-07-29.png

I should also say, I got out of using the search box in the past, because they never seem to return the results I want. Even for some of Google's services, it seemed worthless. If that was ever true on Google Cloud, it's not true anymore. Once I started using it a lot, things went quicker.

Last note 

Remember my situation is I moved my app on Google Play Console to a business account I created. I did this because I formed an LLC to sell my app under, and you need to treat your business like a business to get the limited liability protection. That means creating a business account separate from my personal ones and migrating.

But I also created a Google Workspace for my business entity, so when I went to Google Cloud after migrating my app on Google Play Console, google automatically created an organization for me.

If this is your situation too, my suggestion is don't mess with Google Cloud onboarding for the org that Google creates for you. Leave it, but make sure any new projects you create under it for your apps are using the Google defaults. If the properties show up as inherited, make sure that means they still map to the Google defaults and aren't different because of something you did, or that was set in the parent org when Google created it.
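As an added example (not part of the original post, and not a Google tool), a small Python checker that applies the diagnosis above to a Cloud Audit Log entry: it flags a SetIamPolicy call that failed with status code 9 and the "permitted customer" message, and lists the members whose domain falls outside a permitted list. The log entry is a constructed sample modelled on the one posted above, and the permitted-domain list is a simplification standing in for the organization's Domain restricted sharing setting.

```python
import json

# Constructed sample, modelled on the audit-log entry in the post above
# (project and topic identifiers are placeholders, as in the original).
SAMPLE_LOG_ENTRY = json.loads("""
{
  "protoPayload": {
    "status": {"code": 9,
               "message": "One or more users named in the policy do not belong to a permitted customer."},
    "serviceName": "pubsub.googleapis.com",
    "methodName": "google.iam.v1.IAMPolicy.SetIamPolicy",
    "resourceName": "projects/EXAMPLE-PROJECT/topics/adapty-prod-EXAMPLE",
    "request": {"policy": {"bindings": [
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:google-play-developer-notifications@system.gserviceaccount.com"]}]}}
  },
  "severity": "ERROR"
}
""")

DRS_MESSAGE = "do not belong to a permitted customer"


def is_drs_rejection(entry):
    """True if this entry is a SetIamPolicy call rejected with the 'permitted customer' error."""
    payload = entry.get("protoPayload", {})
    status = payload.get("status", {})
    return (payload.get("methodName", "").endswith("SetIamPolicy")
            and status.get("code") == 9          # google.rpc.Code.FAILED_PRECONDITION
            and DRS_MESSAGE in status.get("message", ""))


def member_domain(member):
    """'serviceAccount:x@y.example' -> 'y.example'; 'user:a@b.com' -> 'b.com'."""
    _, _, ident = member.partition(":")
    return ident.rsplit("@", 1)[-1] if "@" in ident else ident


def rejected_members(entry, permitted_domains):
    """(role, member) pairs in the failed request whose domain is not in permitted_domains.

    permitted_domains is an assumed, simplified stand-in for the org's allowed customers."""
    if not is_drs_rejection(entry):
        return []
    policy = entry["protoPayload"].get("request", {}).get("policy", {})
    return [(b["role"], m)
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if member_domain(m) not in permitted_domains]
```

Running `rejected_members(SAMPLE_LOG_ENTRY, {"your-workspace-domain.example"})` names the Google Play notifications service account as the member the org policy rejected, which is the binding the post's RevenueCat/Adapty setup was trying to add.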

Thanks for sharing.

I have the same error, "One or more users named in the policy do not belong to a permitted customer". The error occurred when I deployed a function in a fresh new GCP project. The error was gone after I changed "domain restricted sharing" to "google-managed default" in the organization policies.
