I'm building an appengine app that requires access to the Google Play Developer API. I've seen in the sample code that it's possible to authenticate using a service account in addition to Oauth.
Is there any chance this could work with the default service account without having to generate a json key ? That would make the setup a bit easier.
Edit: be more explicit about not using a json key but really using the default application credentials instead.
For App Engine Standard environment:
You can generate a Service Account key file from default service
account. Follow the link sample code you provided, then click on
the link shown in the "Getting Started" section, you'll get in
the Google Developer Console. If logged in with the correct account
(you should see your project name at the top), then go to Credentials
-> Create credentials -> Service Account key. In the service account dropdown list, choose "App Engine Default Service Account", choose
JSON as key type and you should be good to go to follow the last
instructions on the Github page.
For App Engine Flexible environment:
The default service account isn't listed in the Service Account page, as explained here. You can't generate a service account key with it. You'd need to use a custom service account.
Related
I am trying to find a way to access Secret Manager Version (Service accountkey file) into an App hosted On-Premise. This link has an example on how to access it through C# via secret manager client API but the problem here is it requires having an ADC which is not possible on those servers.
I couldn't find anywhere but does SecretManager Client API supports API Key ? if not what all options I have ?
Also there is Workload Identity Federation service but there is no .net Client API's available
//Uses ADC
SecretManagerServiceClient client = SecretManagerServiceClient.Create();
Also there is a SecretManagerServiceClientBuilder but there is no documentation on how it can be used
To use ADC, you don't need to install gcloud SDK on your servers (answer to your comment). You need to set en environment variable GOOGLE_APPLICATION_CREDENTIALS with the absolute path to the service account key file as value. That's all, the library will automatically detect this env var and use the file as credential.
If you don't put this file, and if your app doesn't run on Google Cloud, the libraries look into the "well-known location". This location is the standard location of the user credential file created with the command google auth application-default login.
If you have read carefully, the ADC with the env var use a service account credential, and the well known location use a user credential. You use user credential in your personal computer/workstation. In production and on app, you use "app identity", a "service identity", therefore a service account.
Service account key file are made for that: provide a service identity to app running outside GCP and authenticate it to interact with GCP. However, this file contain a secret, and you need to secure it cautiously, and to rotate the file as soon as you can in your process.
I've read much documentation but all of them require me to oauth2 tokens or set environment variables to a json file that contains my credentials... That's nice when I run this locally, but how would I run this in the cloud? Such as firebase functions?
There is an example to cap billing on the public docs. Notice that you'll need to assign the Billing Account Administrator role to the runtime service account (generally the App Engine's default service account, but you can change that) for your Cloud Functions for it to work. As using the client libraries will handle the authentication and authorization automatically based on the permissions assigned to that particular service account.
Using Google Cloud, there exists a BigQuery View table that queries two projects.
However, on the project where the view is located, we wish to run a query against it from Airflow/Composer. Currently it fails with a 403.
AFAIK it will use the default composer service account - however it doesn't have access to the 2nd project used in the sql of the view.
How do I give composer's service account access to the second project?
Think about a service account like a user account: you have a user email that you authorize on different project and component. Exactly the same thing with the service account email.
The service account belongs to a project. An user account belongs to a domain name/organisation. No real difference at the end.
So, you can use a service account email like any user accounts:
Grant authorization in any project
Add it in Google Groups
Even grant it viewer or editor role on GSuite document (Sheet, Docs, Slides,...) to allow it to access and to read/update these document!! Like any users!
EDIT
With Airflow, you can defined connexions and a default connexion. You can use this connexion in your DAG and thus use the service account that you want.
I think you have to add the service account into project IAM.
I am aiming to do a pythonic automated Google Cloud project manager. Just testing a bunch of models of Tensorflow and stuff. Even when I can fully access training, deploying and testing models inside a project, I can't mke any new projects since I am authenticated with a service account through:
google.oauth2.service_account.Credentials.from_service_account_file("thisisakey.json")
But as far as I understand, services account are project-binded so it's perfectly correct that creating a new project with it raises an error. In fact it does:
googleapiclient.discovery.build("cloudresourcemanager", "v1", cache_discovery=False)
Falis with:
Service accounts cannot create project without a parent.
So either creating/finding a "parent" for this project or log in a more "powerful" account could solve this. But I can't figure them out. Are there any other credential types to download and embed into python? Can I create a project from python? Everything I've checked about this is at least 2 years old and seems to be very outdated (back then projects were just not possible to create via APIs)
Update:
I've tried creating a project using the "parent" flag on the project's body, on the Organization made from the corp I work on. and even when this service account has "Owner" and "Organization Administrator" roles the create requests fails with:
Encountered 403 Forbidden with reason "forbidden"
User is not authorized.
So the problem persists.
You can assign privileges to Service Accounts to do just about anything in Google Cloud. You have hit one of just a few that you cannot.
The problem is that your project is not part of an Organization (you have no parent). Your solution is to either setup Organizations or create your projects via the Google Cloud Console. Note: I do not recommend creating projects via software. You also need to setup billing in order to do anything useful.
There are two types of credentials with Google Cloud: User Credentials and Service Account Credentials. You cannot embed User Account Credentials into an application. User Account Credentials are created interactively as part of a login / authentication process using OAuth 2.0.
There are other types of access to cloud services such as API Keys, but these do not apply to your issue.
Quickstart Using Organizations
I volunteer at a small local school that teaches data science and I'm trying to understand the procedure behind federated logins, but the Amazon documentation isn't helping and their forums don't seem interested.
We'd like for the students to be able to sign in to our AWS environment using either Facebook, Google, or Amazon.com, instead of manually trying to create a user for everyone who signs up.
The main thing that's unclear is how the students should sign in. Do we need to create a custom webpage using the provided javascript or .net code? We would have to contact our web developer if so. Or do we use the provided domain name? (in this case, https://weclouddata.auth.us-east-1.amazoncognito.com) This comes from the Cognito user pools though, and doesn't seem like it would apply. Besides, when I use it in conjunction with the Google client ID, I get an "invalid request" error.
You can create a custom app "Identity Broker" to create a URL that lets users sign in with Facebook/Google credentials and securely access the AWS Management Console. The broker would perform the following steps:
Verify that the user is authenticated by identity system(Facebook or Google) or use AWS Congnito.
Call the AWS Security Token Service (AWS STS) API operations to obtain temporary security credentials for the user.
Construct a URL for the console that includes the token and redirects the user to the URL on the user's behalf.
Amazon Cognito lets you to easily create customizable UI to sign in users and provides built-in federation with Facebook, Google, Login with Amazon. So you don't have worry about authentication and concentrate building your actual logic(above steps)
Here is a sample app from AWS that shows how to implement a single sign-on solution with C# and windows AD.
Python Code:
Here is the python code on how to construct the console login URL. I have used the sample python code from AWS and 'Hello world' flask app. When you hit the URL it should redirect to the console login, you can set permission using IAM role.
You can provide any login mechanism (Facebook, Google, Amazon etc) to create student account first time.
Ask user to create account using any app login (Facebook, Google, Amazon etc)
On successful login, create user in AWS using https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html API.
Add newly created user in the group https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html
You can create the user group with some specified roles and give permission (Launch EC2 Instances, Access to DynamoDB etc) accordingly.