I made a simple Node.js application that is using Google Cloud's Speech to Text API.
I could successfully authenticate locally, but how do I authenticate in production while keeping the credentials privates?
P.S. My application is not using any other server than Google's servers.

2 Answers
You need to be more specific to get more accurate answers
====================
OK, it's all about how you control the permissions of your service account, and there is a note on that page: "If you are developing a production app, specify more granular permissions than Project > Owner. For more information, see granting roles to service accounts."
You should use a specific service account with only what is needed to use this service. I don't have the particular role name (something like AutoML Viewer or Editor), and you need to test a minimum workable role in your Dev ENV. After that, you can deploy your service into PROD and make sure the key is in a file with 0400 permissions. So more or less the account can use only the limited service as expected.

- I'm using [Google Cloud Speech to Text](https://cloud.google.com/speech-to-text/docs/reference/libraries). The linked article guides how to set up authentication locally, for development. However, nothing, as far as I can tell, is mentioned about authentication for production, which is what I need. Do you know how to solve this issue? – avi12 Mar 25 '19 at 11:58
- OK, it's all about how you control the permissions of your service account, and there is a note on that page: "If you are developing a production app, specify more granular permissions than Project > Owner. For more information, see granting roles to service accounts." – Calvin Zhou Mar 26 '19 at 15:20
- Doesn't this method require my credentials file to be kept on every computer that my application will run on? – avi12 Mar 26 '19 at 20:31
- Yes, as mentioned by @kolban, each VM comes with a default service account which has more access rights than this AutoML one. It's up to you to choose either of them. To manage a different key, you can consider a CM tool. – Calvin Zhou Mar 28 '19 at 02:54
- I'm not sure I fully understand. Can you help me further? I mean, how do I get my application to work on other machines? Since my application is developed using Electron, I want it to work cross-platform flawlessly. – avi12 Mar 28 '19 at 07:16
- If you want to deploy your service to multiple servers, you should have a proper architecture design, as I can only tell you some brief solutions. One recommended approach is to grant the AutoML role to the default service account, so your instance will have the ability to use the service automatically; it also addresses your concern about securing your private key. – Calvin Zhou Mar 29 '19 at 03:22
- I'm unsure what I need to do to accomplish my goal. This all seems confusing. This is the first time I'm using Google Cloud Platform. To clarify, I'm not using my own servers, but only Google's, to process the data & get back the result. Can you give me the steps I have to take to get my application working correctly on any computer it runs on? – avi12 Mar 30 '19 at 10:30
- No worries. I would recommend this to you: 1. Each VM comes with a default service account, and it's added when you create a new VM. 2. Go to IAM and edit the permissions of this default account (Name: 'Compute Engine default service account') and grant the AutoML role to the service account (refer to https://cloud.google.com/iam/docs/granting-roles-to-service-accounts). 3. Check if the server can call the ML service. You're also recommended to read articles on GCP service accounts. Be patient and do it step by step. – Calvin Zhou Mar 30 '19 at 15:02
- By VM, do you mean Virtual Machine? So, how's that related to my project? I can't seem to find anything with VM in [IAM & admin](https://console.cloud.google.com/iam-admin). About the default service account, under "Service accounts", I have: "Service Account", "speech-to-text" - nothing to do with "default service account". – avi12 Mar 30 '19 at 18:49
- Because you said you're using Google's servers, which I assume is Google Compute Engine, which creates Virtual Machines, maybe GCE is easier for you? When you create the GCE instance, you have the service account, and it uses the default service account by default; it should be in the dropdown list. The speech-to-text account is the one you created, and you can use it the same way. So all the servers you create will have this 'speech-to-text' account's access rights. – Calvin Zhou Mar 31 '19 at 11:28
- I didn't go to Google Compute Engine. Rather, I went straight to [Cloud Speech-to-Text](https://cloud.google.com/speech-to-text)'s documentation, as well as to other sources to get gRPC working correctly. – avi12 Mar 31 '19 at 13:45
- Ok, so where do you deploy your client code? If you don't use any server to host your client code, then you still need to go back to the GOOGLE_APPLICATION_CREDENTIALS json file approach, and you need to have a copy on any computer that your client is installed on. – Calvin Zhou Apr 01 '19 at 02:12
- Okay. I need to check how I'm gonna do that, as when I tried using `electron-packager` with `--asar` it gave an error, since my application depends on some programs, such as `mplayer`. BTW, the `electron-packager` approach isn't final, it's just for testing. Ultimately, it makes more sense to me to make an actual installer for my program. – avi12 Apr 01 '19 at 05:20
- Yet, when I tried running my application *without* `--asar`, [this](https://i.imgur.com/C8D22uz.png) is the output I got. – avi12 Apr 01 '19 at 05:39
- OK, it's a different error, and you can find some solutions here: https://stackoverflow.com/questions/36189612/token-must-be-a-short-lived-token-and-in-a-reasonable-timeframe, e.g. "Adjusting my system clock and allowing windows 10 to automatically set the time and time zone solved the problem". – Calvin Zhou Apr 01 '19 at 07:53
- I was finally able to get the software working correctly. Except, 2 problems still exist: 1. Since my software depends on [SoX](http://sox.sourceforge.net), and on Windows you must use the `sox.exe` binary, `--asar` will simply break it. 2. The software also depends on [node-key-sender](https://www.npmjs.com/package/node-key-sender), which uses a JAR file, hence the user must also have Java installed, which also means that `--asar` will break it as well. – avi12 Apr 02 '19 at 08:14
- I got around the [node-key-sender](https://www.npmjs.com/package/node-key-sender) problem with [sendkeys](https://www.npmjs.com/package/sendkeys). Though, it's only supported on Windows, as it uses PowerShell. I need to find alternatives for Linux and macOS as well. – avi12 Apr 02 '19 at 21:55
- LOL, I'm not using Windows and also don't do Node.js programming; you should try out more and post questions in other channels. Happy programming :D – Calvin Zhou Apr 03 '19 at 16:12
The credentials necessary for making client calls are based on a strategy called Application Default Credentials. These can be found through an environment variable called GOOGLE_APPLICATION_CREDENTIALS if the variable is present. If the variable is not set, then the default credentials can be used. The following article provides detailed guidance on this topic:
Setting Up Authentication for Server to Server Production Applications
If your client is running outside of Google on your own premises (and hence not in a Compute Engine or GKE cluster) then the thinking will likely be that the credentials are contained in a file that is itself content protected by local OS access permissions. For example, contained in a file which has read permission restricted to either the user that runs your application or group that the user is a member of.
