1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
|
Authentication
**************
.. _Overview:
Overview
========
* **If you're running in Compute Engine or App Engine**,
authentication should "just work".
* **If you're developing locally**,
the easiest way to authenticate is using the `Google Cloud SDK`_:
.. code-block:: bash
$ gcloud auth application-default login
Note that this command generates credentials for client libraries. To authenticate the CLI itself, use:
.. code-block:: bash
$ gcloud auth login
Previously, ``gcloud auth login`` was used for both use cases. If
your ``gcloud`` installation does not support the new command,
please update it:
.. code-block:: bash
$ gcloud components update
.. _Google Cloud SDK: http://cloud.google.com/sdk
* **If you're running your application elsewhere**,
you should download a `service account`_ JSON keyfile
and point to it using an environment variable:
.. code-block:: bash
$ export GOOGLE_APPLICATION_CREDENTIALS="/path/to/keyfile.json"
.. _service account: https://cloud.google.com/storage/docs/authentication#generating-a-private-key
Client-Provided Authentication
==============================
Every package uses a :class:`Client <google.cloud.client.Client>`
as a base for interacting with an API.
For example:
.. code-block:: python
from google.cloud import datastore
client = datastore.Client()
Passing no arguments at all will "just work" if you've followed the
instructions in the :ref:`Overview`.
The credentials are inferred from your local environment by using
Google `Application Default Credentials`_.
.. _Application Default Credentials: https://developers.google.com/identity/protocols/application-default-credentials
.. _Precedence:
Credential Discovery Precedence
-------------------------------
When loading the `Application Default Credentials`_,
the library will check for credentials in your environment by following the
precedence outlined by :func:`google.auth.default`.
Explicit Credentials
====================
The Application Default Credentials discussed above can be useful
if your code needs to run in many different environments or
if you just don't want authentication to be a focus in your code.
However, you may want to be explicit because
* your code will only run in one place
* you may have code which needs to be run as a specific service account
every time (rather than with the locally inferred credentials)
* you may want to use two separate accounts to simultaneously access data
from different projects
In these situations, you can create an explicit
:class:`~google.auth.credentials.Credentials` object suited to your environment.
After creation, you can pass it directly to a :class:`Client <google.cloud.client.Client>`:
.. code:: python
client = Client(credentials=credentials)
.. tip::
To create a credentials object, follow the `google-auth-guide`_.
.. _google-auth-guide: https://google-auth.readthedocs.io/en/latest/user-guide.html#service-account-private-key-files
Google App Engine Environment
-----------------------------
To create
:class:`credentials <google.auth.app_engine.Credentials>`
just for Google App Engine:
.. code:: python
from google.auth import app_engine
credentials = app_engine.Credentials()
Google Compute Engine Environment
---------------------------------
To create
:class:`credentials <google.auth.compute_engine.Credentials>`
just for Google Compute Engine:
.. code:: python
from google.auth import compute_engine
credentials = compute_engine.Credentials()
Service Accounts
----------------
A `service account`_ is stored in a JSON keyfile.
The
:meth:`from_service_account_json() <google.cloud.client.Client.from_service_account_json>`
factory can be used to create a :class:`Client <google.cloud.client.Client>` with
service account credentials.
For example, with a JSON keyfile:
.. code:: python
client = Client.from_service_account_json('/path/to/keyfile.json')
.. tip::
Previously the Google Cloud Console would issue a PKCS12/P12 key for your
service account. This library does not support that key format. You can
generate a new JSON key for the same service account from the console.
User Accounts (3-legged OAuth 2.0) with a refresh token
-------------------------------------------------------
The majority of cases are intended to authenticate machines or
workers rather than actual user accounts. However, it's also
possible to call Google Cloud APIs with a user account via
`OAuth 2.0`_.
.. _OAuth 2.0: https://developers.google.com/identity/protocols/OAuth2
.. tip::
A production application should **use a service account**,
but you may wish to use your own personal user account when first
getting started with the ``google-cloud-python`` library.
The simplest way to use credentials from a user account is via
Application Default Credentials using ``gcloud auth login``
(as mentioned above) and :func:`google.auth.default`:
.. code:: python
import google.auth
credentials, project = google.auth.default()
This will still follow the :ref:`precedence <Precedence>`
described above,
so be sure none of the other possible environments conflict
with your user provided credentials.
Advanced users of `oauth2client`_ can also use custom flows to
create credentials using `client secrets`_ or using a
`webserver flow`_.
After creation, :class:`Credentials <oauth2client.client.Credentials>`
can be serialized with
:meth:`to_json() <oauth2client.client.Credentials.to_json>`
and stored in a file and then and deserialized with
:meth:`from_json() <oauth2client.client.Credentials.from_json>`. In order
to use ``oauth2client``'s credentials with this library, you'll need to
`convert them`_.
.. _oauth2client: https://github.com/Google/oauth2client.
.. _client secrets: https://developers.google.com/api-client-library/python/guide/aaa_oauth#flow_from_clientsecrets
.. _webserver flow: https://developers.google.com/api-client-library/python/guide/aaa_oauth#OAuth2WebServerFlow
.. _convert them: http://google-auth.readthedocs.io/en/stable/user-guide.html#user-credentials
Troubleshooting
===============
Setting up a Service Account
----------------------------
If your application is not running on Google Compute Engine,
you need a `Google Developers Service Account`_.
#. Visit the `Google Developers Console`_.
#. Create a new project or click on an existing project.
#. Navigate to **APIs & auth** > **APIs** and enable the APIs
that your application requires.
.. raw:: html
<img src="https://raw.githubusercontent.com/GoogleCloudPlatform/google-cloud-common/master/authentication/enable-apis.png"/>
.. note::
You may need to enable billing in order to use these services.
* **BigQuery**
* BigQuery API
* **Datastore**
* Google Cloud Datastore API
* **Pub/Sub**
* Google Cloud Pub/Sub
* **Storage**
* Google Cloud Storage
* Google Cloud Storage JSON API
#. Navigate to **APIs & auth** > **Credentials**.
You should see a screen like one of the following:
.. raw:: html
<img src="https://raw.githubusercontent.com/GoogleCloudPlatform/google-cloud-common/master/authentication/create-new-service-account.png">
.. raw:: html
<img src="https://raw.githubusercontent.com/GoogleCloudPlatform/google-cloud-common/master/authentication/create-new-service-account-existing-keys.png">
Find the "Add credentials" drop down and select "Service account" to be
guided through downloading a new JSON keyfile.
If you want to re-use an existing service account,
you can easily generate a new keyfile.
Just select the account you wish to re-use,
and click **Generate new JSON key**:
.. raw:: html
<img src="https://raw.githubusercontent.com/GoogleCloudPlatform/google-cloud-common/master/authentication/reuse-service-account.png">
.. _Google Developers Console: https://console.developers.google.com/project
.. _Google Developers Service Account: https://developers.google.com/accounts/docs/OAuth2ServiceAccount
Using Google Compute Engine
---------------------------
If your code is running on Google Compute Engine,
using the inferred Google `Application Default Credentials`_
will be sufficient for retrieving credentials.
However, by default your credentials may not grant you
access to the services you intend to use.
Be sure when you `set up the GCE instance`_,
you add the correct scopes for the APIs you want to access:
* **All APIs**
* ``https://www.googleapis.com/auth/cloud-platform``
* ``https://www.googleapis.com/auth/cloud-platform.read-only``
* **BigQuery**
* ``https://www.googleapis.com/auth/bigquery``
* ``https://www.googleapis.com/auth/bigquery.insertdata``
* **Datastore**
* ``https://www.googleapis.com/auth/datastore``
* ``https://www.googleapis.com/auth/userinfo.email``
* **Pub/Sub**
* ``https://www.googleapis.com/auth/pubsub``
* **Storage**
* ``https://www.googleapis.com/auth/devstorage.full_control``
* ``https://www.googleapis.com/auth/devstorage.read_only``
* ``https://www.googleapis.com/auth/devstorage.read_write``
.. _set up the GCE instance: https://cloud.google.com/compute/docs/authentication#using
|
