Gcpsamples

Google Cloud Platform API hello world samples

samples provided as-is without warranty

Sample code demonstrating various Auth mechanism for Google Cloud Platform APIs.

Please refer to official documentation for usage and additional samples/usage.

Google Authentication Samples

---

Application Default Credentials

The samples use Application Default Credentials which uses credentials in the following order as described in the link. Set the environment variable to override.

You can always specify the target source to acquire credentials by using intent specific targets such as: ComputeCredentials, UserCredentials or ServiceAccountCredential.

There are two types of client libraries you can use to connect to Google APIs:

• Google Cloud Client Libraries
• Gooogle API Client Libraries << note: this repo now omits this api mechanism (for the most part)

The basic differences is the Cloud Client libraries are idiomatic, has gcloud-based emulators and much easier to use.

It is recommended to use Cloud Client Libraries whereever possible. Although this article primarily describes the API Client libraries, the python code section describes uses of Cloud Client libraries with Google Cloud Storage.

For more information, see

• Client Libraries Explained.
• Google Cloud Platform Authenticatio Guide

This article also describes how to use IAM's serviceAccountActor role to issue access_tokens, id_tokens and JWT. For more information on that, see auth/tokens/.

The following examples use the Oauth2 service to demonstrate the initialized client using Google API Client Libraries. The first section is about the different client libraries you can use.

• Cloud Client Libraries and API Client Libraries
  • Cloud Client Libraries
  • API Client Libraries
• Cloud Client Libraries
  • Python
  • Java
  • Go
  • Node
  • c#
  • gRPC Environment Variables
  • GCS SignedURL with Customer Supplied Encryption Keys
  • JWT Access Token
• API Client Library
  • Python
  • Java
  • Go
  • Node
  • C#
• serviceAccountActor role for impersonation
  • access_token
  • id_token
  • JWT
• Impersonated Credentials
• Accessing Google APIs through proxies
• Issue and Verify id_tokens
• GCS SignedURL with HMAC
• GCS keyless SignedURL
• Accessing Google APIs through proxies

For more inforamtion, see:

• oauth2 protocol
• oauth2 service
• Service Accounts

GoogleLibraries

As described in the introduciton, this section details the two types of libraries you can use to access Google Services:

Google Cloud Client Libraries

These libraries are idomatic, easy to use and even support the gcloud-based emulator framework. This is the recommended library set to use to access Google Cloud APIs.

For more information, see:

• Application DefaultCredentials
• google-cloud
• google-auth package
• google-auth Users Guide

The following example describes various ways to initialize a service account to list the Google Cloud Storage buckets the account has access to. It also shows listing the buckets using the default account currently initialized by gcloud.

To use the mechanisms here, you need to initialize gcloud's application defaults:

gcloud auth application-default login

Cloud Python

The following uses the google-storage client described here: Storage Client

virtualenv env
source env/bin/activate
pip install google-cloud-storage

The following lists some of the various mechanisms to acquire credentials:

List buckets using the default account on the current gcloud cli (preferred)

from google.cloud import storage

client = storage.Client()
buckets = client.list_buckets()
for bkt in buckets:
  print(bkt)

List buckets using gcloud cli explicit credential and project

from google.cloud import storage
import google.auth

credentials, project = google.auth.default()    
client = storage.Client(credentials=credentials)
buckets = client.list_buckets()
for bkt in buckets:
  print(bkt)

List buckets using an environment variable and then google.auth.default() credentials.

from google.cloud import storage
import google.auth
impot os

os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "YOUR_JSON_CERT.json"
credentials, project = google.auth.default()
if credentials.requires_scopes:
  credentials = credentials.with_scopes(['https://www.googleapis.com/auth/devstorage.read_write'])
client = storage.Client(credentials=credentials)
buckets = client.list_buckets()
for bkt in buckets:
  print(bkt)

List buckets using a service_account oauth2 object directly

from google.cloud import storage
import google.auth
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('YOUR_JSON_CERT.json')
if credentials.requires_scopes:
  credentials = credentials.with_scopes(['https://www.googleapis.com/auth/devstorage.read_write'])

client = storage.Client(credentials=credentials)
buckets = client.list_buckets()
for bkt in buckets:
  print(bkt)

List buckets using the storage client directly loading the certificate:

from google.cloud import storage

client = storage.Client.from_service_account_json("YOUR_JSON_CERT.json")
buckets = client.list_buckets()
for bkt in buckets:
  print(bkt)

Iterators

see

• google cloud python iterators
• page iterators

• Logging:

import os
import pprint
from google.cloud import logging

from google.cloud.logging import ASCENDING
from google.cloud.logging import DESCENDING

pp = pprint.PrettyPrinter(indent=1)

FILTER = 'resource.type="gae_app" AND logName="projects/your-project/logs/appengine.googleapis.com%2Frequest_log" AND protoPayload.resource="/"'

client = logging.Client()

iterator = client.list_entries(filter_=FILTER, order_by=DESCENDING)
for page in iterator.pages:
  print('    Page number: %d' % (iterator.page_number,))
  print('  Items in page: %d' % (page.num_items,))
  print('Items remaining: %d' % (page.remaining,))
  print('Next page token: %s' % (iterator.next_page_token,))  
  print('----------------------------')
  for entry in page:
      print(entry.timestamp)

• Monitoring:

# virtualenv env
# source env/bin/activate
# pip install google-cloud-monitoring==0.30.0

import datetime, time
import pprint
from google.cloud import monitoring_v3
from google.cloud.monitoring_v3.query import Query

client = monitoring_v3.MetricServiceClient()

metric_type = 'serviceruntime.googleapis.com/api/request_count'
resource_type = 'consumed_api'
service = 'logging.googleapis.com'

now = datetime.datetime.utcnow()
fifteen_mins_ago =  now - datetime.timedelta(minutes=15)

q = Query(client, project='YOUR_PROJECT', metric_type=metric_type, minutes=10)
q.select_interval(end_time=now,start_time=fifteen_mins_ago)
q.select_resources(resource_type=resource_type, service=service)

for timeseries in q.iter():
  print()'========== Metric: ')
  #pprint.pprint(timeseries)
  print()'========== Points: ')
  for p in timeseries.points:
   print(repr(p))
   print(str(p.start_time) + ' --> ' + str(p.end_time) + '  : [' +  str(p.value.get('bucketCounts')) + ']')
  print('-----------------')

Using google.auth for GoogleAPIs

The following shows transport authorization for the original Google APIs

import oauth2client
from oauth2client.client import GoogleCredentials
import httplib2

http = httplib2.Http()
credentials = GoogleCredentials.get_application_default()
if credentials.create_scoped_required():
  credentials = credentials.create_scoped(scopes)
http = credentials.authorize(http)

If you need to use the more recent Google Cloud Auth library, you need to cast the transport:

• http://google-auth.readthedocs.io/en/latest/reference/google.auth.html
• https://github.com/GoogleCloudPlatform/google-auth-library-python-httplib2

import google.auth
import google_auth_httplib2

scopes = ['https://www.googleapis.com/auth/devstorage.read_write']
credentials, project = google.auth.default(scopes=scopes)
http =  google_auth_httplib2.AuthorizedHttp(credentials)

or preferably init a cloud API:

from google.cloud import storage
import google.auth
from google.oauth2 import service_account
import os

#credentials = service_account.Credentials.from_service_account_file('YOUR_JSON_