1

I am currently using the following code to get the OAUTH Token

command = 'gcloud auth print-access-token'
result = str(subprocess.Popen(command, universal_newlines=True, shell=True, stdout=subprocess.PIPE, 
stderr=subprocess.PIPE).communicate())

The result variable has the OAUTH Token. This technique uses my current logged in gcloud config.

However, I am looking out for a way to get the OAUTH Token without using command line. I am using this OAUTH Token to make CDAP calls to get the Google Dataflow Pipeline Execution Details.

I checked some google blogs. This is the one I think should try but it asks to create consent screen and it will require one time activity to provide consent to the scopes defined and then it should work. Google Document

Shall I follow steps in above document and check OR is there any other way we can get the OAUTH Token? Is there a way to get authentication done by service account instead of google user account and get the OAUTH Token?

Naitik
  • 49
  • 10

1 Answers1

3

For automated process, service account is the recommended way. You can use the google-oauth library for this. You can generate an access token like this

    # With default credential (your user account or the Google Cloud Component service account. 
    # Or with the service account key file defined in the GOOGLE_APPLICATION_CREDENTIALS env var -> for platform outside GCP)
    credentials, project_id = google.auth.default(scopes=["https://www.googleapis.com/auth/cloud-platform"])
    # With service account key file (not recommended)
    # credentials = service_account.Credentials.from_service_account_file('service-account.json',
    #    scopes=["https://www.googleapis.com/auth/cloud-platform"])
    from google.auth.transport import requests
    credentials.refresh(requests.Request())
    print(credentials.token)

However, if you want to call Google cloud APIs, I recommend you to use authorized request object

Here an example of BigQuery call. You can use service account key file to generate your credential as in my previous example.

    base_url = 'https://bigquery.googleapis.com'

    credentials, project_id = google.auth.default(scopes=['https://www.googleapis.com/auth/cloud-platform'])
    project_id = 'MyProjectId'
    authed_session = AuthorizedSession(credentials)
    response = authed_session.request('GET', f'{base_url}/bigquery/v2/projects/{project_id}/jobs')
    print(response.json())

EDIT

When you want to use Google APIs, a service account key file is not needed (and I recommend you to not use it) on your computer and on GCP component. The Application Default Credential is always sufficient.

  • When you are in your local environment, you must run the command gcloud auth application-default login. With this command, you will register your personal account as default credential when you run locally your app. (of course, you need to have your user account email authorized on the component that you call)
  • When you are on GCP environment, each component have a default service account (or you can specify one with you configure your component). Thanks to the component "identity", you can use the default credential. (of course, you need to have the service account email authorized on the component that you call)

ONLY when you run an app automatically and outside GCP, you need a service account key file (for example, in your CI/CD other that Cloud Build, or in an app deployed on other Cloud Provider or on premise)

Why service account key file is not recommended? It's at least my recommendation because this file is ..... a file!! That's the problem. You have a way to authenticate a service account in a simple file: you have to store it securely (it's a secret and an authentication method!!), you can copy it, you can send it by email, you can even commit it in a public GIT repository... In addition, Google recommend to rotate them every 90 days, so it's a nightmare to rotate, to trace and to manage

guillaume blaquiere
  • 66,369
  • 2
  • 47
  • 76
  • Hi, Thanks for your answer. I have some queries. when I use google.auth.default I need to save the service account json credentials file path in the environment variable? and If i use non recommended method, I need to provide path of json file which is on my computer? also I guess need to import google.auth* libraries for python to make it work right? sorry if the questions are silly but i'm very new to all of this hence have these queries – Naitik Jul 15 '20 at 07:05
  • No problem, I added an explanation. Even some of my colleague with more than 5 years of experience in Google Cloud didn't really understand the authentication and security mechanism... And yes, you need to import Google Auth lib. But, if you use some client library, like [Cloud Storage library, you can use default authentication directly from the library](https://cloud.google.com/storage/docs/reference/libraries#client-libraries-usage-python), do simply this: `storage_client = storage.Client()` – guillaume blaquiere Jul 15 '20 at 08:55
  • Hi, Thanks for the details. Yes I am not using service_account.Credentials .from_service_account_file method. I tried using google.auth library (it was already present). It gave me error message and asked to maintain the path of credential.json file in the environment variable In my case I need to put this file on virtual machine where it will keep running(which is outside GCP) So i guess this is the only way to do it. I am calling CDAP API where base url is from google hence I guess the ouath token is needed. The syntax is provided by google itself. This is to get data pipeline details – Naitik Jul 15 '20 at 09:46
  • If your app is hosted outside GCP, you need a service account and a service account key file. You have to define the GOOGLE_APPLICATION_CREDENTIALS env var on your system that reference the path of your service account key file. Then, continue to use the auth.default in your code. – guillaume blaquiere Jul 15 '20 at 11:31