I've had to download a key for a Google's Firebase service and yet another key for the pub/sub. How am I supposed to reference both keys with the GOOGLE_APPLICATION_CREDENTIALS key word?
Normally you only use one service account that has the required permissions.
Application Default Credentials (ADC) support one and only one service account JSON key file specified by the environment variable GOOGLE_APPLICATION_CREDENTIALS.
When writing code for Google Cloud, the SDK clients support specifying a service account as a parameter. In your example, you will need to create SDK clients using the appropriate credentials (service account JSON key file). The Firebase admin client can use one credential and the Pub/Sub client can use the other credential.
I'm having exactly the same issue. I'm trying to run two different Firestore services on one machine. Each service uses a different Firestore project. As far as I can see, to explicitly authenticate by directly accessing my JSON key file, I need to do something like this:
FirestoreClient client = Use ClientBuilderBase and its property: CredentialsPath
FirestoreDb = FirestoreDb.Create(firestoreProjectId, client);
But as ClientBuilderBase is an abstract class, I'm stumped. Anyone whose got some sample code that does this for real would be a real help.
Cheers
Keith
Related
The requirement is to call other microservices running within the same GCP project using the service name instead of the full service url to get the ID token as mentioned here https://cloud.google.com/run/docs/authenticating/service-to-service.
I see a similar stackoverflow question - Google Cloud Run API - accessing endpoint internally. Here it looked like there was no direct solution from GCP and has been suggested to use runsd - https://github.com/ahmetb/runsd.
Is there something available from GCP now where a cloud run service can call another private cloud run service within the same project using "https://servicename" internally
(or)
Is it still not available and we need to use the complete service url https://--.run.app to get the ID Token and then make the call using the ID Token and the full service url?
I have tried using the full service url and ID Token to make the call. But getting the full url with the projectHash is not something we are looking for. A more uniform approach using the service name for internal call will be more easier from microservice calling perspective.
Since Google Cloud is not offering this yet. You may file a feature request to this link. However, please keep in mind that this will still be under consideration and there is no definite ETA.
You must use the whole service URL, which contains the service name, project hash, and region, together with the ID token, to perform a service-to-service call to another Cloud Run service inside the same project.
The above answer from Christian Paul Andaya is the accepted answer.
Intro:
It is possible to add several types of OAuth credentials to an app (brand) for given project in the google cloud console (gcc) web UI:
Dashboard | APIs & Services | Credentials | OAuth 2.0 Client IDs
+CREATE CREDENTIALS button, OAuth client ID)
followed by a selection of Application type (like web/desktop/iOS/etc...)
It is also possible to create the brand programmatically via the Identity Aware Proxy (IAP) API, method projects.brands.create.
Via that API, it is also possible to create so called IAP Client, which partly corresponds to the mentioned OAuth credential, method projects.brands.identityAwareProxyClients.create. Unfortunately, this results in a credential:
of web application type only,
non-editable (explicitly mentioned in docs, which still might be acceptable),
with no (or unknown) parameters, like e.g. redirect URIs.
First impression of such credential is: it's just useless.
Question:
Is there any API/Method (don't insist on IAP) that would allow replication of the actions available in the gcc web UI? Which means to create OAuth credential of any of the types available and having all the parameters configurable.
I have a requirement for using multiple Google service account belongs to different owners in a multitenant architecture. Right now the problem is i have to keep the file path in an environment variable GOOGLE_APPLICATION_CREDENTIALS and client package use it implicitly.
How can i use multiple files or is there any way by i can initialize the package with id's & tokens like we do genrally with SDK's
from google.cloud import speech
client = speech.SpeechClient() // can we initialize this client with explicit config
responses = client.streaming_recognize(streaming_config, self.get_requests())
Most of the Google Client libraries support specifying which credentials you would like to use. Typically this is the credentials parameter.
Recommendations:
Do not use environment variables for credentials in your use case. Specify the service account to use in your code. Your method uses ADC (Application Default Credentials). When you move or publish your code, you are dependant on the new environment.
Do not manually specify "ids & tokens". A service account JSON key file is formatted to hold credentials.
Create clients manually with all required parameters. Do not rely upon default mechanisms to set up your project/code.
Client for Cloud Speech-to-Text API
The following code is a simple example of using a service account with the Speech to Text API:
from google.oauth2 import service_account
from google.cloud import speech_v1
from google.cloud.speech_v1 import enums
# Specify the required OAuth Scopes
# https://cloud.google.com/speech-to-text/docs/reference/rest/v1/speech/recognize
SCOPES = ["https://www.googleapis.com/auth/cloud-platform"]
# Specify the desired Google Cloud Service Account JSON key file
SERVICE_ACCOUNT_FILE = '/config/service-account.json'
# Create credentials from the service account
cred = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE, scopes=SCOPES)
# Create the Google Cloud Speech to Text Client
client = speech_v1.SpeechClient(credentials=cred)
I have a web app in Google App Engine (with Flask) that needs to ask the user for permissions.
I followed this explanation and it got me working great.
But how do I get the secret_file (or client_config) credentials?
All examples I saw used a local file - but that is not production safe! Is there any way to get it from the application credentials?
I also tried using oauth2client.client.GoogleCredentials.get_application_default() but that seems to be a service account which I can't use.
Creation of web app authorization credentials is discussed here.
Once you are done with the form, client_secret.json file will be generated and is downloadable via the API Console.
There will be a 'Download JSON' button at the right of the OAuth Client credential you created and at the upper part of the page when you click on the Client ID.
From this documentation, it is explained how to construct the authorization request using google-auth-oauthlib.flow module.
In Python, call the from_client_secrets_file method to retrieve the
client ID from a client_secret.json file. (You can also use the
from_client_config method, which passes the client configuration as it
originally appeared in a client secrets file but doesn't access the
file itself.)
I have downloaded the new version of API Manager 1.0.0 GA.
I am confused about publishing the WSDLs, since that has not a related API KEY, everyone can access it.
For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB (even if I have configured an external JDBC db for both APIManager and ESB user-mgt.xml).
So, is there a way to create an API key for WSDLs as well from the API Manager? Or How do I control the access to the published WSDLs in the API store?
Many thanks
EDIT:
From the ESB I have added security to the service by using the built-in security scenarios, in my case I have used "UsernameToken". This authenticates users based on roles defined in the ESB "admin/everyone..." and only accepts users defined in the ESB's user store "admin/admin" (and others you might have created).
I have ESB and AM configured to share the same mysqlDB for user store, but that does not work in my Security Scenario described before: if I create a user "apicreator" inside AP and I create "usertest" inside ESB, they store the users inside the same MySQL db, but under different "tentant", i.e. "apicreator" is not a valid user to authenticate in my Security Scenario (UsernameToken). I hope this description helps to clarify the problem. thanks
With WSO2 API Manager, you couldn't control the access to a published WSDL in API Store.Currently there's no way of creating an API key for WSDLs as well from the API Manager.But that controlling has to be done through your back-end service. How-ever when creating an API from WSO2 API Manager ,giving the Wsdl url as an input is not a required field,but an optional field.
Apart from that I'm not clear about your following phrase."For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB".Can you explain a bit more what you mean by "add access token from ESB"?
Thanks;
/Lalaji