Because Google AutoML does not have a golang client, I have to use the AutoML http client. To do so, requires an auth token from google which comes from running the following cli command:
gcloud auth application-default print-access-token
I am currently authing my Golang server with a credentials json file that has access to AutoML as well (example usage)
storageClient, err := storage.NewClient(ctx, option.WithCredentialsFile(gcloudCredsJSONPath))
My question is: how would I get an auth token from the Golang Google client if I have a JSON credentials file? Is this even possible?
Thank you for any help!
You can only use API tokens with certain Google Cloud APIs. Using tokens is discourage by Google Cloud as you can read in this article:
https://cloud.google.com/docs/authentication/
If your production environment is also Google Cloud, you might not need to use any JSON file at all. Google Cloud has the concept of "DefaultCredentials" that it injects in your services via the environment. You might be able to simplify your code to:
storageClient, err := storage.NewClient(ctx)
It's also recommended to use a "ServiceAccount" so the credentials that your application use can be scopes to it. You can read more here:
https://cloud.google.com/docs/authentication/getting-started
Related
We are implementing an application for GCP which needs the oauth2 bearer token to authenticate docker against GCR. The application is written in Go and it uses the GCP SDK for Golang.
I'd like to get what gcloud auth print-access-token give from the SDK, but I don't find how to do it...
Have a look at oauth2/google.
You may (!?) be able to use workload identity federation (using this library too and thereby avoid using a Google Service Account key) but, using a Service Account (with roles/storage.objectAdmin see GCR: Granting IAM roles) and Application Default Credentials (export GOOGLE_APPLICATION_CREDENTIALS=/path/to/your/key.json) look at DefaultTokenSource.
The Token returned by Token() from TokenSource gives you an access_token (and refresh_token and expiry).
Update
You can use the Service Account key file directly to authenticate a Docker client to GCR. This would simplify your code (and avoid refreshing). The document reiterates the caution in using Service Account keys.
Summary:
The example for using the Gmail API in Go includes code for reading credentials from a known JSON file inside the filesystem. I would like to take advantage of Application Default Credentials (ADC) since we're deploying to k8s with access to the Gmail API.
Code:
Please find an excerpt from the full demo below:
//error handling omited for brevity
b, _ := ioutil.ReadFile("credentials.json")
config, _ := google.ConfigFromJSON(b, gmail.GmailReadonlyScope) //is it possible to replace this?
client := getClient(config)
srv, _ := gmail.New(client)
How can I replace line 2 in the excerpt to get the same configuration but without using an explicit JSON credentials file?
You can print an access token using gcloud auth application-default print-access-token . Use it to make requests to the API, instead of reading from the file. – Aerials
There is a prehistoric example where protobuf crate is used with reqwest HTTP client to call one of the few whitelisted services that can used with permanent API keys instead of OAuth / service accounts. This doesn't work with most of the googleapis zoo.
Furthermore, using OAuth with gRPC doesn't seem as simple as attaching a Authorization: BearerSIGNED_JWT to the request. As seen in all the Authenticate with Google examples on grpc.io, this requires calling the grpc_composite_channel_credentials_create function in the C core library.
It looks like pingcap/grpc-rs doesn't wrap or use this function. However, it does mention Google OAuth suddenly.
What is the truth?
Still not sure what exactly the authorization constitutes on the wire, but
google_default_credentials successfully allows me to call Google APIs.
In fact, it not only works with GOOGLE_APPLICATION_CREDENTIALS env var pointing to the service account key .json but even magically uses my signed in google account from gcloud cli.
For example with pingcap/grpc-rs aka grpcio = "0.5.0-alpha.3" all it took was
let env = Arc::from(EnvBuilder::new().build());
let creds = ChannelCredentials::google_default_credentials().unwrap();
let ch = ChannelBuilder::new(env).secure_connect("firestore.googleapis.com", creds);
let client = FirestoreClient::new(ch);
We are trying to use service account auth with our backend service to work with Google Cloud Storage JSON API. But cannot findout exactly how it should be done. We found examples for use with Client Libs but we are working with REST API. Can someone explain to me how to setup service account auth in POSTMAN?
I’m not sure how to set this up on POSTMAN but perhaps with the following information you can figure it out:
To authenticate with a service account to Storage API or any Google Cloud REST API you need to generate an OAuth Token and include it in your request headers. To accomplish this, you need the Cloud SDK, since you will print the token with the gcloud command. The steps are as follows:
Create a new service account and generate a JSON key file.
Copy the JSON key file and install Cloud SDK in the computer where you will make the API calls from.
Use the gcloud tool to activate the service account:
gcloud auth activate-service-account --key-file=/path/file.json
Generate an access token and save it to an environment variable:
ACCESS_TOKEN="$(gcloud auth print-access-token)"
Include the access token in your request headers,like this:
"Authorization: Bearer $ACCESS_TOKEN"
I was able to find this link on how to access environmental variables from POSTMAN and this one on how to set a Bearer token, hopefully they'll help as well.
I'm trying to figure out how to upload a file to google cloud storage using rest API , i don't want to use the client Library .
i read the documents but it was not helpful for a beginner in this flied ,
anyone can give me a step-by-step how to do this ? and how the URL/header/body format should look like , if also can give me an examples that would be very helpful .
If you're not going to use any of the helper libraries and are also a beginner, the hardest part of implementing an upload to GCS will likely be authenticating yourself. Let's ignore that for now.
The simplest way to upload an object to Google Cloud Storage is to make an HTTPS call to storage.googleapis.com that looks like this:
PUT /your-bucket-name/your-object.txt HTTP/1.1
Authorization: (YOUR ACCESS TOKEN GOES HERE)
Content-Length: 20
Content-Type: text/plain-or-whatever; charset=utf-8
Host: storage.googleapis.com
User-Agent: YourApplication/1.0
This is a test file
That will upload a file named "your-object.txt" of type "text/plain-or-whatever" to the bucket "your-bucket-name", with the contents "This is a test file."
If your bucket allows anonymous users to upload files (you shouldn't do that), then just don't include the Authorization line and you're done.
Now, since you really don't want to use any client libraries, and that presumably includes Google's OAuth libraries, you're going to need to implement authorization yourself, so let me give you an overview.
First, though, if you want to try this out immediately, install the "gcloud" tool, login with "gcloud auth login", and the print an access token with gcloud auth print-access-token. Then use the Authorization header Authorization: Bearer whatever.gcloudprintedout. That way you can be off and running with GCS quickly. But the token will only last an hour or so, so you'll need to implement OAuth for real.
Google Cloud APIs use OAuth to handle their requests, which is a powerful but not simple auth mechanism. There's extensive documentation on how OAuth with Google works: https://developers.google.com/identity/protocols/OAuth2
And there's also more general information on authorizing Google Cloud requests: https://cloud.google.com/docs/authentication
If you are running your application on a Google Cloud technology like App Engine or GCE, auth will be somewhat easier, but I will assume you're running this on your own machine. I will further assume that you want your application to have its own identity, rather than simply having you log in as part of the upload flow. For such a case, you'll need a service account, which will have an associated private key.
The basic flow for a service account is that you will create a JWT request for access credentials, then cryptographically sign that request with your private key, then send that signed request to Google. It will return you a token that may then be passed to your actual upload request later. You can keep using that token until it expires, at which time you'll need to build another JWT request to request another token.
Again, the client libraries entirely take care of this whole process for you. I am describing the approach of implementing everything exclusively on your own.
You can find the same example here:
https://stackoverflow.com/a/53955058/4345389
in which I already explained how to upload a file to google cloud storage using rest API.
Thanks