I create a service account in Google Cloud platform. This service account has an email.
Is there any way I can login in the web portal of drive.google.com as this service account and see the files it owns or created?
The portal uses OAuth to authenticate and stores the Access Token within a cookie which includes session information. The portal has no method to use a service account. You will need to use the REST API or one of the SDKs to use a service account.
Related
I wanted to know if GCP supports multi-factor authentication (MFA) or 2-Step Verification (2SV) for cloud API calls.
From this link: https://cloud.google.com/docs/authentication, I read the following:
"Google Cloud APIs only accept requests from registered applications, which are uniquely identifiable applications that present a credential at the time of the request. Requests from anonymous applications are rejected.
Application credentials provide the required information about the caller making a request to a Google Cloud API. Valid credential types include API keys, OAuth 2.0 client credentials, or service account keys."
However, it does not specify if I can use these factors simultaneously.
Thanks in advance,
Vijay
What could be an alternative to custom federation broker on aws in azure and google. In AWS I am able to create a url that permits federated user to login and access resources like this -
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
How we could create the same in azure and google?
This answer covers Google Cloud Platform.
The basic foundational identity for Google Cloud (GCP) is Google Accounts. This means that the users are required to have a Google Identity before you can setup federation / SSO. GCP IAM permissions are assigned to email addresses (User, Service Account, G-Suite Group, etc.).
Where AWS requires a custom URL for SSO, Google implements OAuth. This means once authenticated, users can just use Google services without needing special URL entry points. In this respect Google's SSO is smoother for end users.
GCP supports SAML 2.0 SSO. Google acts as the service provider and the third party (AD, Okta, etc.) act as the Identity Provider. This requires you to setup Google Cloud Identity.
I went thru this process and just like AWS, it can be complicated. One item to think about. Do you plan to use GCP as your primary cloud plaform or one of the other vendors. The reason is that if GCP is your primary platform, then everything will be a lot easier if you also implement G Suite first. However, if you are a Microsoft shop where you want Active Directory to be your Identity Provider, then SAML is the implementation path. Just be prepared that you will need to setup directory synchronization (connectors). Google has a good connector for Azure Active Directory. This video provides a good introduction to extending Active Directory to GCP IAM.
This article will take you step by step thru setting up the correct Google services, SAML SSO, setting up Identity Providers, etc.
Using your existing identity management system with Google Cloud Platform
Additional Reading:
Google Cloud Identity
Setup SSO
Set up your own custom SAML application
I have created a service account on Google Cloud Platform. I am using a standalone Java program which uses GCP Java Client API to get the Authentication Token ID by taking service account JSON file. By using the Token ID, I can create a compute instance.
I don't want to use Java API or gcloud tool, is there a REST API exists which takes required details and return Token ID?
I went through the GCP documentation and could not find any details for the authentication and authorization through REST using Service Account.
I have created a service account on Google Cloud Platform. I am using
a standalone Java program which uses GCP Java Client API to get the
Authentication Token ID by taking service account JSON file. By using
the Token ID, I can create a compute instance.
Using a service account is the correct and recommended method to authenticate and authorize software applications.
Note. The assumption here is that the software application is running on your systems under your control. If instead you are installing software on a user's desktop or system not under your control, then you would use Google OAuth 2.0 (Google Accounts) to obtain User Credentials to authorize your application.
Another method is to issue short-lived temporary credentials from a service account credential that are time limited. These short-lived credentials are created on your server and then handed to the client.
I don't want to use Java API or gcloud tool, is there a REST API
exists which takes required details and return Token ID?
You have the classic "Chicken or Egg" situation. You need credentials to authenticate and authorize otherwise anyone could create credentials. Google Service Account credentials provides this. To create service account credentials, use the Google Cloud Console or gcloud CLI to download the service account Json file.
I went through the GCP documentation and could not find any details
for the authentication and authorization through REST using Service
Account.
This question is confusing. Do you want to use Service Account credentials to authorize your Google API calls OR do you want to call a Google API to obtain credentials?
In the first case, once you create service account credentials, they are used to authorize your API calls. You add the Access Token to the HTTP header when making API calls.
For the second case, use Google OAuth 2.0 to obtain credentials. Google OAuth 2.0 uses Google Accounts for authentication. This method provides you with an Access Token (just like a service account) and a Refresh Token and Client ID token. You will need to add the Google Accounts user identity to your Google Cloud IAM which provides for authorization (privileges).
I am trying to use google service account for web apps.
Problem.
How I can authorize service account clientid in other domain using admin oauth2.
I am not able to find any doc which refers to this problem.
I can ask an admin to do it manually but I want to avoid manual authorization.
Thanks in advance.
I have a backend that is serving android clients, authenticating them with IdToken sent from the android app.
Now, I need to authenticate a service running on aws that is using my apis. So I figured a service account would do the trick, using the private pem file to create a IdToken and send it along just as the android clients do. But I find no way of obtaining an IdToken with these credentials. Is this possible (preferrably in nodejs).
Or am I on the wrong path here?
I know this is older, but I found this question and it didn't lead me to the answer I ended up with.
I followed the guide in https://cloud.google.com/endpoints/docs/openapi/service-account-authentication#using_a_google_id_token with some mix of https://cloud.google.com/iap/docs/authentication-howto, which mentioned that the key to this was to include a target_audience claim in the generated JWT.
So, essentially I made a JWT that looked like:
{
"exp": 1547576771,
"iat": 1547575906,
"aud":"https://www.googleapis.com/oauth2/v4/token",
"target_audience": "https://example.com/",
"iss": EMAIL OF SERVICE ACCOUNT
}
and posted that to https://www.googleapis.com/oauth2/v4/token with params grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer and assertion=<THE JWT>
Without target_audience the endpoint gave me an access token, but with it I got an id_token instead.
Grettings since 2020
I had problems in Java for take ID_TOKEN of a Google Service Account. My project had two years and i were using GoogleCredentials, fromStream method and a JSON credential, but this class didn't gave me ID_TOKEN, only access_token on a not JWT format.
I solved because on this years Google updated here java code for authentication, for take ID_TOKEN you must use this library https://github.com/googleapis/google-auth-library-java
<dependency>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-credentials</artifactId>
<version>0.20.0</version>
</dependency>
And then use ServiceAccountCredential
String credPath = "/path/to/svc_account.json";
ServiceAccountCredentials sourceCredentials = ServiceAccountCredentials
.fromStream(new FileInputStream(credPath));
When you create this class, itself will authenticate with google and have a access_token,refreshToken...
For extract ID_TOKEN you must use this function:
String audience = "http://localhost"; //Your server domain
IdToken idToken = credential.idTokenWithAudience(audience, new ArrayList<IdTokenProvider.Option>());
String id_token = idToken.getTokenValue();
And with this you have a JWT token.
I hope this help people like me,that are trying get ID_TOKEN.
You cannot use service accounts generated for Google Cloud APIs to directly authenticate against your own APIs. How will you know which service account private keys are valid and which have been revoked? Google does not expose this information.
Service accounts are rather meant for delegation of credentials. When you access Google Cloud platform service, you will be authenticating with your google account credentials. You will not want to provision the very same credentials everywhere your running code needs to access any of the Google cloud services (i.e. Cloud APIs). Instead you create service accounts whose scope can be reduced to a subset of the scope of your google account credentials. This way a particular piece of code can be limited to only a few set of APIs.
Service Accounts
A service account is a special account that can be used by services
and applications running on your Google Compute Engine instance to
interact with other Google Cloud Platform APIs. Applications can use
service account credentials to authorize themselves to a set of APIs
and perform actions within the permissions granted to the service
account and virtual machine instance.
What are service accounts?
Service accounts authenticate applications running on your virtual
machine instances to other Google Cloud Platform services. For
example, if you write an application that reads and writes files on
Google Cloud Storage, it must first authenticate to the Google Cloud
Storage API. You can create a service account and grant the service
account access to the Cloud Storage API. Then, you would update your
application code to pass the service account credentials to the Cloud
Storage API. In this way, your application authenticates seamlessly to
the API without embedding any secret keys or user credentials in your
instance, image, or application code.
I know where your confusion stems, it is because service account also have the same OAuth model you are used to.
You can use service accounts to get access tokens and refresh them as needed, but the scope of authentication is at the very maximum limited to the surface of the Google Cloud APIs. You will not be able to mix and match your APIs with that.
Alternative is to either build your own authentication model (which is not so clear from your question when you say authenticating them with IdToken sent from the android app) or rely on something like Cloud endpoints which you create and manage APIs along with API keys for authentication.
As you already mentioned in one of your comments, you can follow the Service-to-Service authentication guide which describes how you can use Google Cloud Service accounts to authenticate with your APIs running on Google Cloud Endpoint.
It supports using Google ID JWT tokens. The caller will have to send the JWT to Google Token endpoints to obtain a Google ID token and then use this Google ID token in all of your requests. This approach also has the advantage that you only have to whitelist the Google ID token server in your API configuration.