How to Authorize a Google Service Account Without the Default Credentials File

  • Home
  • Languages
  • Ruby
  • How to Authorize a Google Service Account Without the Default Credentials File

How can I authorize a Google Service Account without the default credentials file?

I found the answer in the source code of the google-auth-library-ruby gem.

It turns out that there is another option: take the values from the client_secrets file and put them in environment variables named GOOGLE_ACCOUNT_TYPE, GOOGLE_CLIENT_ID, GOOGLE_CLIENT_EMAIL and GOOGLE_PRIVATE_KEY respectively.

If these keys are populated, the credentials will load from there. Not a whisper of this in the docs, though.

How to use non-default Google Service Account credentials with SecretManagerService in Google Cloud Function?

You have to use ADC (Application Default Credential) in cloud functions and don't provide a service account key file.

Indeed, the default service account of Cloud Functions is the App Engine default service account that is used. To use another service account, you can choose to change the cloud function identity and grand the secret accessor permission only to that service account

Unable to authenticate service account - Google Cloud

Please, consider read the ImageAnnotationClient class level javadocs, it gives you the right guidance about how to accomplish the authentication process. I modified the provided code to give you the full example:

// Please, set the appropriate path to your JSON credentials file here
String credentialsPath = "..."; 
// The credentials could be loaded as well as this.getClass().getResourceAsStream(), for example
GoogleCredentials credentials = GoogleCredentials.fromStream(new FileInputStream(credentialsPath))
    .createScoped(Lists.newArrayList("https://www.googleapis.com/auth/cloud-platform"));

// Use that credentials to build your image annotation client
ImageAnnotatorSettings imageAnnotatorSettings =
  ImageAnnotatorSettings.newBuilder()
    .setCredentialsProvider(FixedCredentialsProvider.create(credentials))
    .build()
;

ImageAnnotatorClient imageAnnotatorClient = ImageAnnotatorClient.create(imageAnnotatorSettings);
// Perform the stuff you need to...

The only dependency you need to provide in your pom.xml is this:

<dependency>
    <groupId>com.google.cloud</groupId>
    <artifactId>google-cloud-vision</artifactId>
    <version>2.0.18</version>
</dependency>

In any case, please, consider for reference the pom.xml provided in the Cloud Vision examples.

The Cloud Vision examples repository gives some useful code snippets as well in the Detect class for the detection process itself.

Be sure that the service account you are using to connect to Google Cloud has the necessary permissions.

Although this solution could work, it has the drawback that you probably need to store the credentials file somewhere in your machine, maybe in your source code repository, etcetera, and it can suppose a security risk. If your are running your program from Google Cloud is always advisable to grant to the VM or service you are using the necessary permissions and use the default application credentials.

The use of the GOOGLE_APPLICATION_CREDENTIALS could be preferable as well. If you are trying using this variable, initially, try configuring it using your IDE provided mechanisms instead of cmd, PS, or bash, and see if it works.

For using any of the two last mentioned solutions you don't need to provide any additional information when constructing your ImageAnnotatorClient:

ImageAnnotatorClient imageAnnotatorClient = ImageAnnotatorClient.create();

How to download the default service account .json key

Existing .json keys cannot be downloaded after creation. They can only be downloaded when they are created.

Your best option would be to create a new key and for security reasons, delete the old key if not needed to avoid any potential threats regarding the old key.

To do so, go to IAM->Service Account, then select your service account and access the "Key" tab. In this tab you will see the existing key(s) and will have the option to create a new one.

gcp - how to run Python application as Service Account without a key file

For Python program, is there a way to run the program as a service
account without using the key file as key file is not recommended for
security reason.

If your Python program is running outside Google Cloud, then no, you must use credentials.

You have a catch22. You need to be authorized using credentials to impersonate another credential.

You have three choices:

  • user account credentials
  • another service account credentials
  • federated tokens

Each of those methods requires secrets.

For compute services, such as Compute Engine, Cloud Functions, Cloud Run, etc you can use the metadata service for authorization. However, then you do not need to impersonate credentials, you can just use the credentials as they are safe (no secrets stored on the machine).

I wrote an article on this topic and how to setup impersonation using user account credentials:

Google Cloud – Improving Security with Impersonation

If impersonation is set up correctly, the flag --impersonate-service-account is not required.

Generate google service account credentials without key in Cloud function

In Cloud Functions (and in all GCP product), you have a feature name function identity. That means that you can choose the service account that you want to attach to the Cloud Function when you it run. If no one is defined, this one by default is used.

Thereby, a default identity automatically exists in your cloud function. You can perform simply this, as described in this library

import google.auth

credentials, project_id = google.auth.default(scopes='https://www.googleapis.com/auth/cloud-platform']))

don't want to login google cloud with service account

You can do this instead of relying on the environment variable by downloading credential files for each project you need to access.

So for example, if you have three projects that you want to access storage on, then you'd need code paths that initialize the StorageClient with the appropriate service account key from each of those projects.

StorageClient.Create() can take an optional GoogleCredential() object to authorize it (if you don't specify, it grabs the default application credentials, which, one way to set is that GOOGLE_APPLICATION_CREDENTIALS env var).

So on GoogleCredential, check out the FromFile(String) static call, where the String is the path to the service account JSON file.

How to manage Google Cloud credentials for local development

You can use a new gcloud feature and impersonate your local credential like that:

gcloud auth application-default login --impersonate-service-account=<SA email>

It's a new feature. Being a Java and Golang developer, I checked and tested the Java client library and it already supports this authentication mode. However, it's not yet the case in Go. And I submitted a pull request to add it into the go client library.

I quickly checked in Python, and it seems implemented. Have a try on one of the latest versions (released after August 3rd 2021) and let me know!!

Note: A few is aware of your use case. I'm happy not to be alone in this case :)

How can I safely give my Google Cloud application credentials to another person?

According to Authentication Best Practices, if you are "developing locally to test or learn", users could login using the gcloud tool with the application-default login. You can put these commands in a bash script or readme.md for convenience:

gcloud auth revoke
gcloud auth application-default revoke
gcloud auth application-default login /
   --billing-project=<BILLING_PROJECT> /
   --scopes=openid,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/cloud-translation.readonly

Notes

  • If you're running Translate API v3 you will need to provide its scope in the command, but if you're running v2, you may not need them at all.
  • To be safe, you can omit the billing project name from the command in git and have the users enter this themselves.
  • The current user must be logged out first to ensure the correct credentials are used.
  • You may also need to grant the appropriate Cloud Translation IAM role to the user.

What happens when you run it?

  • Running this CLI command will open a browser window and request that the user login to Google Cloud.
  • A prompt may also appear to install Cloud Resource Manager. This is used to manage the hierarchy of GCP resources (projects, roles, services, etc.) and is totally free.
  • Once the user has logged in, a file called application_default_credentials.json is created in the local Google Cloud SDK configuration folder.

What about the service private key?

If you use this gcloud login method, you do not need the service's private key or the GOOGLE_APPLICATION_CREDENTIALS environment variable. However, if that variable is present, the credentials file it points to will be used instead. This logic is part of the Application Default Credentials workflow used by most modern Google Cloud clients.


Related Topics

Convert String with Comma to Integer

How to Access Class Variables in Ruby 1.9

Rails Implementation of Search with Autocomplete

Using the Value of a Variable as Another Variables Name in Ruby

Reset Irb Console

How to Iterate Through an Array Starting from the Last Element? (Ruby)

Gem Not Found in Ruby Cron Job in Rvm Env

Rails: Pg::Insufficientprivilege: Error: Permission Denied for Relation Schema_Migrations

What Are the Conventional Gem Paths for Ruby Under Os X 10.5

Executing Shell Command in Background from Ruby with Proper Argument Escaping

How to Use Basic Authentication with Httparty in a Rails App

Is Alias_Method_Chain Synonymous with Alias_Method

What Is the Best Wysiwyg for Rails - Ruby on Rails Blog

How to Extract the Sign of an Integer in Ruby

How to Use Rspec Expectations in Irb

How to Get the Current Route in Rails

Ruby Lambda Context

Ruby Regex - Gsub Only Captured Group


Leave a reply



Submit