How to oAuth Google API from Lambda AWS?

Question

I am building Alexa Skill for Google calendar. The client side code works as expected on local machine because I can authenticate the local machine using the link. But, when I deploy the code on AWS Lambda there is no way that I can authenticate as I cannot input code via AWS console.

I am getting trouble in setting up authentication of Google Calendar API when deployed on AWS lambda.

This documentation doesn't help much to me Google Implementing Server Side Authentication

score 9 · Answer 1 · answered Jul 13 '18 at 08:22

You should create a service account. Those are designed especially for server-to-server communication. Documentation can be found here: https://developers.google.com/identity/protocols/OAuth2ServiceAccount

The problems with the solutions from other answers are:

API keys are insecure
Access tokens (e.g. obtained by the CLI command gcloud auth print-access-token) expire. Since Lambdas are stateless, there's no way to store a token temporarily and refresh it when it's expired.

score 3 · Answer 2 · answered Jun 24 '20 at 18:47

3

I know this is late, but after struggling a lot with this problem, I found a solution. Do google auth with JWT

const {google} = require('googleapis');


const key ={
 client_email: process.env.CLIENT_EMAIL,
 private_key: process.env.PRIVATE_KEY,
}

const auth = new google.auth.JWT(
  key.client_email,
  null,
  key.private_key,
  ["https://www.googleapis.com/auth/analytics.readonly"],
  null
);

google.options({auth});

answered Jun 24 '20 at 18:47

Danilo Sampaio

41
6

I am confused as AWS lamda has a aprox 50mb package size limit and googleapis npm package is 103mb? I am going to see if it works. – TwoFingerRightClick Mar 27 '22 at 01:53
1

It works... must tree shake and only include parts of the npm package that you use in the function... I am using Netlify Functions – TwoFingerRightClick Mar 27 '22 at 02:01
This authentication method is not capable of getting your own channel data with `mine: true` – 55 Cancri Aug 27 '22 at 18:14

score 2 · Answer 3 · answered Jun 27 '20 at 18:42

2

I have multiple lambdas depending a the same google credentials and token.

I store my credentials either in S3 or in DynamoDB.

My solution was to create a scheduled lambda function that refreshes the oAuth token every 55minutes. This prevents unnecessary refreshes if multiple lambdas where to run at the same time.

answered Jun 27 '20 at 18:42

Altus

1,315
3
11
19

1

How do you regenerate the auth token? Please post your exact code – jrantz Aug 27 '22 at 23:57

score 0 · Answer 4 · answered Mar 03 '17 at 13:15

0

You have to do 2 steps specified in here, if you follow correctly you will get this done.

First, (only the first time) you need to set up your project and download the GOOGLE APPLICATION CREDENTIALS you will result with one json file with auth information inside, lets suppose you call it project.json

Now you will need to execute some commands to get access tokens, download and install Cloud SDK to have access to those commands.

 gcloud auth activate-service-account --key-file=/home/panchicore/project.json

then

gcloud auth print-access-token

you will get your key at this point, now we can use it in the next step:

Second, Make a Translation API request: (how I did it and tested with python requests)

import requests

key = "KEY GOT WITH gcloud auth print-access-token"

headers = {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer {}'.format(key)
}

url = 'https://translation.googleapis.com/language/translate/v2'

data = {
  'q': 'The quick brown fox jumped over the lazy dog.',
  'source': 'en',
  'target': 'es',
  'format': 'text'
}

res = requests.post(url, json=data, headers=headers)

print res.content
>>> El rápido zorro marrón saltó sobre el perro perezoso.

Hope it helps.

answered Mar 03 '17 at 13:15

panchicore

11,451
12
74
100

3

Will that token be good forever, or only for a limited amount of time? – NealWalters Dec 01 '17 at 23:31
not before, now they expire and the date comes with the `gcloud` reponse. – panchicore Jan 31 '18 at 14:59
Bart, this is disclaimed in my previous comment. – panchicore Jul 13 '18 at 10:09
@panchicore, tried your solution. As said, worked for sometime and then key expired. Do you have a solution to generate auth token for Lambda function without import google cloud sdk? – sheenu85 Aug 08 '18 at 04:42
2

2 ways: the correct one: Obtain an access token from the Google Authorization Server. https://developers.google.com/identity/protocols/OAuth2. and the crafted one: bash script that runs the routine getting the key with `gcloud auth print-access-token` and posting it to a secure dynamodb table with the expiration flag, that flag is queried everytime by the cronjob running the script (basically acts as a cache). – panchicore Aug 08 '18 at 08:59

score -1 · Answer 5 · answered Apr 20 '18 at 04:38

The easier way is using api keys to authenticate. https://cloud.google.com/docs/authentication/api-keys

You can make requests to some google apis like this (javascript)

const request = require('request')
request.post(`https://language.googleapis.com/v1beta2/documents:analyzeSentiment?key=${process.env.GOOGLE_API_KEY || ''}`, 
{
    json : true,
    body : {
        document : document
    }
},
(error, response, body) => {
    console.log(body)
})

API keys are insecure and many Google API's don't support them any more. — Bart Kummel, Jul 13 '18 at 08:24

How to oAuth Google API from Lambda AWS?

5 Answers5

Linked