During migration of webapp( which used Google API) from old server to a new one we faced a problem that part of dynamic content dissapered, it was a content which was generated using Google API. In our case the key was linked to IP-addresses of the servers where the app works. So first of all we checked all key access rules, but all was fine there, IP-address of the new server had access to the key.
Then I decided to check request with CURL:
# curl -i -G -d “regionCode=US&part=snippet&key=<My-API-Key>” https://www.googleapis.com/youtube/v3/videoCategories
And Google answered me with an error HTTP/1.1 403 Forbidden:
{
“error”: {
“errors”: [
{
“domain”: “usageLimits”,
“reason”: “ipRefererBlocked”,
“message”: “The calling IP address xxx.yyy.zzz.xxx does not match the IP restrictions configured on the API key. Please use the API Console to update your key restrictions.”,
“extendedHelp”: “https://console.developers.google.com/apis/credentials?project=xxxxxxxxxxxx”
}
],
“code”: 403,
“message”: “The calling IP address xxx.yyy.zzz.xxx does not match the IP restrictions configured on the API key. Please use the API Console to update your key restrictions.”
}
}
I was surprised again because it says that new IP-address doesn’t have access to the api key, but I’ve just checked it on Google API console and see that it does have access.
After several unsuccessful retries of disabling/enabling access to the key from new IP address I decided to inspect the traffic deeper and check the source and destination of TCP packet and what is being sent in this packet. And after running tcpdump I finally found out source of the problem: new server was sending requests to Google server using Google’s IPv6 server’s IP address because my server had IPv6 enabled. But I have enabled key access by server’s IPv4 IP address.
Then I’ve just disabled IPv6 on the new server as long we had no plans for using it. And finally Google API access problem was solved.