I'm trying to build a Bot-as-a-Service platform and I will be using Dialogflow for NLP. One key thing that is giving me headaches is the possibility to create a new Dialogflow agent whenever a user signs up to my service (and therefore configure their FAQs, etc.). From my research I know that each agent is associated with one project, so I must create a project first, but here's the big thing: to create a project I need to authenticate according to Google Cloud Authentication and therefore supply my credentials in the case of OAuth2 (I don't want my users to log in with my user account), and it's not possible to programmatically create API keys for new projects (link here).
I have an account that is the verified owner for a property listed in the Google Search Console. I'm working to set up API access to it. I have a principal created that has access to each of the Google Cloud projects that I intend to query the data from. I've enabled the Google Search Console API for each of these projects.
After I authenticate the principal via OAuth2 and use the access token (including the 'https://www.googleapis.com/auth/webmasters.readonly' scope) to make a POST request to the query endpoint, I get an error message back that reads in part:
Google Search Console API has not been used in project 256595xxxxxx before or it is disabled
I searched this number in my Google Cloud Console and manually clicked through each of my properties and it doesn't match any of the projects on my account. How do I identify which project this number is referring to and/or how do I change it to point to one of my own Google Cloud properties so I might access its API?
Note: This answer speaks to what it is I'm trying to do (but with Google Search Console API), except that the error doesn't reflect my project ID, so I'm stumped about how to move forward with enabling the API on it.
This didn't take long to solve. After listing all the projects in the Google Cloud CLI per the first half of the instruction here, I was able to identify the project as that which is used as the service principal to do the authentication in the first place (and not actually an account I intend to export any of the data to).
Assume that there is an application, SPA, that uses Google OAuth2.0 to access the Google Drive API.
Reading the docs, the application flow seems familiar enough on the client side, especially with Google's JavaScript library for authentication. However, I have stumbled upon a roadblock during the application registration phase.
When creating the credentials for our client application, I am redirected to fill out the form at the OAuth Consent Screen first. There, among other things, it requires us to declare whether the application is in the Testing or In Production phase, so it can decide whether the app will be available to everyone or to Test Users only.
Assume I create a project for our application and set it to testing at first and then change it to production once I am ready to publish (with a new set of credentials as well).
My question is this. What if development continues on the application for new features while one instance of the app is in production? During development and testing I would need to restrict the application to my Test Users alone. Since the OAuth consent screen is project specific, not credential specific, will I require multiple projects on the console for every environment in which the application is running?
As in,
Project MyAppTesting will permanently remain in testing mode and will denote our development/testing branch.
Project MyAppProduction is always in production and denotes my production branch.
Similarly for the mobile client:
A MyMobileAppDev project having credentials configured with the debug keystore hash
A MyMobileAppProd project having credentials configured with the production keystore hash.
(both sets of credentials share the same package name).
Is this the idiomatic way? I failed to find any documentation on the matter. Please advise.
What @JohnHanley stated is the best way and the best practice when deploying application/s in GCP.
You can create multiple projects and create different OAuth for each of the projects. Check out this link on service accounts.
In addition to that, there are also some pros and cons when it comes to billing.
Pros:
Users consider having multiple billing accounts, with the respective projects assigned to each account, to be able to see their billing details separately. In this way you can monitor the billing for each of the respective projects for each account.
Cons:
If you attach all the projects to one billing account, however, the billing reports will show the sum of the cost for all the projects, but you can still use the filter menu to see the charges for each project.
I'm trying to create a Web Application based on create-daml-app, and this Web Application's React TypeScript will be deployed to Project DABL as well. How can we use the Parties that were set up on the Project DABL Ledger Settings as a login on the Web Application using React TypeScript? Based on the create-daml-app, they are using the link (`https://login.projectdabl.com/auth/login?ledgerId=${ledgerId}`) for the login, wherein it uses the Project DABL Account.
I know we can download the parties as a JSON file to be used on the Web Application, but can we dynamically and directly use the setup that was done on Project DABL Ledger Settings?
Thanks for future help!
In DABL, the parties you create are mapped to your DABL user account. The first time you join or create a ledger, a party is created in your name automatically, and you have the option of adding more. However, each additional party you add through the console still gets mapped to your particular DABL account.
Interactions with the ledger are authorized by party JWT tokens. The login button & link is essentially a shortcut to allow a user to log in to their DABL account, while automatically supplying the party ID/JWT for that user’s default party back to the deployed web app instance. The web app should store the resulting token and use it when communicating with the API.
If you're creating the additional Alice and Bob parties for the purpose of demoing or testing your application from the viewpoints of different parties, I would add some additional form inputs to the Login component that allow for entering the party ID and JWT directly. These can be copied from the Ledger Settings page in the console. Your React app would simply read the ID/JWT inputs, store them in state, and use them when making API requests in the future. This way you don't need to continually redownload/replace the parties.json file every day.
The Login component for DABL Chat is a good example app you can look at, that handles both the button and this ID/JWT input approach. You can deploy a copy of it onto a new project if you’d like to see how that works, or take a look at the source for a better understanding. Since you’re also using create-daml-app as a template, you will need to do some modifications to add those inputs and hook them into the API calls.
Note that if Alice and Bob are meant to be real production users of the system, then the recommended approach is to have them use the Login with DABL button, so that they join with individual DABL accounts. In this scenario, the parties.json from your Ledger Settings will not even include their JWTs, since you wouldn't have access to credentials belonging to other accounts.
See the DABL documentation on authentication and onboarding for more details.
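A pre-flight check that a Login component could run on a pasted party ID and JWT before storing them, given as an added example (not code from DABL, DABL Chat or create-daml-app). It assumes the token payload follows the Daml ledger-API claim layout (`https://daml.com/ledger-api` with an `actAs` list) plus a standard `exp` claim; all function names are hypothetical.

```javascript
// Added example: pre-flight check on a pasted party ID / JWT pair.
// Assumption: the payload uses the Daml ledger-API claim with an actAs list.
const LEDGER_CLAIM = "https://daml.com/ledger-api";

// Decode one base64url JWT segment to an object. No signature check here:
// the ledger verifies the signature, the client only inspects the claims.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Returns { ok, reason }. nowSec is injectable so the expiry check is testable.
function checkPartyCredentials(partyId, jwt, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(jwt).trim().split(".");
  if (parts.length !== 3 || parts.some((p) => p === "")) {
    return { ok: false, reason: "not a three-part JWT" };
  }
  let payload;
  try {
    payload = decodeSegment(parts[1]);
  } catch (err) {
    return { ok: false, reason: "payload is not base64url JSON" };
  }
  const claim = payload && payload[LEDGER_CLAIM];
  const actAs = claim && claim.actAs;
  if (!Array.isArray(actAs) || !actAs.includes(String(partyId).trim())) {
    return { ok: false, reason: "token does not authorize this party" };
  }
  if (typeof payload.exp === "number" && payload.exp <= nowSec) {
    return { ok: false, reason: "token expired" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample token with a fake signature, for demonstration only.
function makeSampleJwt(party, exp) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const payload = { [LEDGER_CLAIM]: { actAs: [party] }, exp };
  return [enc({ alg: "RS256", typ: "JWT" }), enc(payload), "c2ln"].join(".");
}

console.log(checkPartyCredentials("alice-party", makeSampleJwt("alice-party", 2000), 1000));
```

Catching a mismatched party or a stale token at the form gives the user a precise message instead of an opaque authorization failure from the first API call.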
Is it possible to create a google cloud project without using the console?
I am building a platform where I would like the user to login (say with Google credentials) and once authenticated, the platform should have the ability to create a project in the users account (by virtue of the authentication) via the platform's interface.
If it is possible, can someone provide general directions or approach how this could work. Thanks.
Technically it's possible, as the GCP console is calling APIs on their servers to perform server creation, destroy and other actions.
I would think of a few steps to achieve it if you want to do it on your own:
1. Choose the API type, e.g. GCloud, Java, Go or any others
2. Scope what kind of functions you want to expose to users
3. Build the new UI
In fact, you can achieve this by assigning the proper IAM role, unless you want to build your own white-labeling wrapper.
I want to access Google Compute Engine instances, so I activated the Google Compute Engine API, but how do I retrieve an API key? Between a server key and a browser key, which one should I create?
If you're using OAuth to authenticate, there are different kinds of credentials that you can use, such as web server applications, installed apps, client-side apps, etc. You need to find out which one you need.
In the Developers Console, you can create the credentials that you might need. At the provided links you can find more information.
There are multiple methods when it comes to authenticating your project to Google APIs. You will find the details on page [1] below. Logging in to a Compute Engine instance using the UI will use the third method, 'Service Account Key', where you don't have to take any action, as by default it will use your Compute Engine default service account.
[1] https://cloud.google.com/docs/authentication/api-keys#creating_an_api_key