I am new user to GCP. I starting to implement an application that is going to use GCP API. In order to authenticate to API I've created service account and stored it in file.
In official documentation it is written that auth file can be assigned to environment variable: GOOGLE_APPLICATION_CREDENTIALS
I would like to make a request to google API from my http client (let's say Postman) and to use this file for authentication.
Is it possible at all or I suppose to use GCP client in order to make HTTP requests?
Yes, you can create an authenticate API key, and use that API key to call GCP API. Here is the doc for Creating and Using API key.
Also, you need to be careful not to expose your API keys to the public, like Github. Because we have seen many people just write their API key directly in the code and expose to the public.
As you said, you would like to use the API key in HTTP request, maybe you should add restrictions to your keys.
Here are some best practices that Google provided, hope this helps!
Related
I would like to store files on Google Cloud Storage and give devices access to the files via GET HTTP with basic authentication using username and password or something similar. Can this be done?
I will ask you a question to introduce my answer:
If you set a login/password in the basic authentication, which system will validate them?
Cloud Storage relies only on OAuth token. Nothing built-in, you have to build your custom authentication mechanism.
So, you need an additional service that check the credential and then provide a link to download the file.
I recommend you to
Create a serverless service, such as a Cloud Functions or a Cloud Run services
Perform a GET on it with your basic authentication to this service
The service check the authentication, you can use firestore database to store the credential/permissions/autorisations of the connected user
If the auth is OK, create a signed URL and return it with a 302 HTTP code (redirect)
Currently, I am testing Google Cloud's Speech API and wondering how to pass dynamic Google Cloud API key to client app from server.
The speech function will be on client's app (React Native). Before every request to Google Cloud API or session, I am thinking to generate API key dynamically from server side (Nodejs) with a short lifetime and pass to client side. Only then, clients can use the Google service.
The main concern is that I do not want to embed Google Cloud API key on client app and I want to have control on which client can / cannot use the service. Is there a way to dynamically generate API keys on server side with short lifetime and pass to client? Thanks.
Update:
I was checking https://github.com/GoogleCloudPlatform/android-docs-samples/tree/master/speech/Speech and found the suggestion:
This Android app uses JSON credential file locally stored in the resources. You should not do this in your production app. Instead, you should set up your own backend server that authenticates app users. The server should delegate API calls from your client app. This way, you can enforce usage quota per user. Alternatively, you should get the access token on the server side, and supply client app with it. The access token will expire in a short while.
This is exactly what I want to do but can anyone suggest how can I achieve this? Thanks.
I am trying to find out how to get the API key for Step 2 on server backend side.
Never store credentials in users' browsers, luckily you are trying to adhere to this principle!
A setup that might be useful here has the following components:
Use an authentication mechanism in your client-side app, by means of an identity provider. You could use Okta, Auth0, Cognito, or any other authentication provider which supports Oauth2.
Use the same authentication provider to secure a custom-build endpoint, which could be a Google Cloud Function. This could be combined with Cloud Endpoints, but not necessarily.
In the same Cloud Function, after a user's identity is checked, you call the speech API.
The API key could be stored as a secret in Google Secret Manager.
The Cloud Function acts as a "serving hatch" to the API, passing back and forth requests from a user to the Google Cloud Speech API.
Your API key remains on the backend, stored as a secret. Users that are not authenticated using the authentication provider, will never have access to the Speech API.
We are developing an API which is intended to be used by our external clients which are not inside Google Cloud.
It seems that Google Cloud Endpoints is a good candidate for such case.
What we need:
Client to be able to register in our "developer portal" to obtain necessary credentials.
To keep track of our clients (to see the number of requests of a particular client, to revoke his access to API, etc.)
The part which is not very clear to me is how to authenticate and identify our clients if they are not in Google Cloud.
We already use Firebase authentication by user email in one part or our application. It would be handy to continue using that authentication, but I am not quite understand how.
Google docs say that client application must send a JWT token. But what private key does it have to use to sign the JWT?
The second option to authenticate client we are thinking of is to use custom method to authenticate users. But I have the same question: What private key does the client application have to use to sign the JWT?
Is it intended that client generates its' own key pair?
If there are some better options for our use-case or if I am missing something, feel free to point me in the right direction.
You are on the right way!
With firebase, the JS library allow you to authenticate to the correct identity provider and the lib also allows you to generate a JWT. No private key needed here!
With custom method, it's different. Cloud Endpoint need to validate the signature of the JWT. For this, Cloud Endpoint need to know the public key of the private key used to sign the JWT. Most of time, it's provided by your own IdP system.
In your context, Firebase auth (or Cloud Identity Platform, if you want to manage your users on Google Cloud) is the best solution for you. With several customers, you can't register all their public keys, the only one solution is to have your own IdP and all your customer registered on it.
I have additional question: How do you plan to count the number of request per client? Through Cloud Endpoint or you own database?
We came up with a solution using custom method to authenticate users:
We implemented user authentication by email using firebase (as stated in my question).
Added a way for users to upload their public certificate to our "portal".
2.1. This was done using Google Cloud functions. Basically, we created a two endpoints:
2.1.1. to upload public certificate using firebase token.
2.1.2. to display all public certificates in JWKS format by some url (this way google is able to verify users JWT signature)
Published an instruction for users on how to form JWT to use our API (at this point every user have to have private key associated with their public key uploaded earlier).
Now users of our API are able to make API calls with JWT token provided.
Our technologies stack looks like following:
Cloud functions (for certificate handling).
Firestore (for authentication, storing certificates etc.).
Cloud Endpoints with ESPv2
Google App Engine standard environment
Is it possible to create google API KEY programmatically?
I did see the above question but I wanted to verify its functionality for my use case. I have a REST api deployed to Google App Engine that I want to introduce some api key mechanism for external users. I'm not making a website where I would just be trying to make sure it's only my code talking to my code from front-end to back-end, it's a public api that anyone with valid credentials is able to access.
Google Cloud Endpoints will only authenticate api keys generated through GCP, so my thinking goes that if it's possible to create a service account and associated ServiceAccountKey via http request, then it could be plausible to generate api keys (service account keys) for any prospective user by generating a service account per user and then giving them the relevant private key that will allow them to authenticate through Cloud Endpoints (jwt signing?).
It sounds like a good plan to me but in all likelihood I'm missing something that makes this a terrible idea. Thoughts? Has this been done before/proven?
TL;DR: Wrong way
First, API Key on GCP can only authenticate GCP Project, not user or service account.
Then, a service account key file is not an API Key. It's a secret identity that you can use for generating an OAuth2 JWT token (identity token) according with the Oauth2 flow. This identity token can be provided for an authentication (and it's valid only 1H)
In addition, you are limited to 100 service accounts per project, and the meaning of a service account is to authenticate app, not user. If you want to authenticate user, I recommend you to have a look to Cloud Identity Platform
Finally, API key generation has evolved very recently (about 1 month) and .... I would like to find the doc again, but it's a dead link. Maybe that the beta is not ready yet.
Note: Maybe the answer that I performed here (just now) can help you?
We want to provide our API services through the Gcloud Endpoints. Our customers have to generate an API key in order to integrate our API into their project.
Is there a way to generate the Gcloud api key via an interface? How can I assign rights for an api key via an Gcloud-API?
Unfortunately, GCP currently has no API for programmatic provisioning / access of API Keys.
As mentioned by Andrew, currently it’s not possible to create or manage API keys programmatic or using gcloud, but there’s a request to add this functionality, you can track the progress of this request or post your comments on it, but keep in mind that there's no ETA or guarantee that it will be implemented.