Auth - Ofer Nave

# Services : GCloud : Auth ## Application Default Credentials (ADC) Searches for credentials in the following locations: - `GOOGLE_APPLICATION_CREDENTIALS` env var - user credentials set up by using the gcloud CLI - the attached service account, returned by the metadata server (when run in the cloud) ## SDK Clients ```python google.cloud import SERVICE client = SERVICE.Client() ``` When creating an SDK client, the project ID will be determined by searching these locations in the following order: - `GOOGLE_CLOUD_PROJECT` env var - `GOOGLE_APPLICATION_CREDENTIALS` JSON file - default service configuration path from `gcloud auth application-default login` Logging in via `gcloud auth application-default login` will automatically configure a JSON key file with your default project ID and credentials. Setting the `GOOGLE_APPLICATION_CREDENTIALS` and `GOOGLE_CLOUD_PROJECT`env vars will override the automatically configured credentials. You can change your default project ID to “my-new-default-project” by using the gcloud CLI tool to change the configuration. `$ gcloud config set project my-new-default-project` ### Overview If you’re developing locally, the easiest way to authenticate is using the Google Cloud SDK: `$ gcloud auth application-default login` Note that this command generates credentials for client libraries. To authenticate the CLI itself, use: `$ gcloud auth login` If you’re running your application elsewhere, you should download a service account JSON keyfile and point to it using an environment variable: `GOOGLE_APPLICATION_CREDENTIALS="/path/to/keyfile.json"` ### Client-Provided Authentication Every package uses a Client as a base for interacting with an API. For example: ```python from google.cloud import datastore client = datastore.Client() ``` Passing no arguments at all will “just work” if you’ve followed the instructions in the Overview. The credentials are inferred from your local environment by using Google Application Default Credentials. ### Example JSON Credentials ``` { type : "service_account" project_id : "myproject-a1b2c" private_key_id : "0833842cd645993dae6891de8c15ea26a824ad92" private_key : "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n" client_email : "[email protected]" client_id : "104031053831564331200" auth_uri : "https://accounts.google.com/o/oauth2/auth" token_uri : "https://oauth2.googleapis.com/token" auth_provider_x509_cert_url : "https://www.googleapis.com/oauth2/v1/certs" client_x509_cert_url : "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-d9t3q%40myproject-a1b2c.iam.gserviceaccount.com" universe_domain : "googleapis.com" } ``` ## References - https://cloud.google.com/docs/authentication/application-default-credentials - https://cloud.google.com/python/docs/reference/google-cloud-core/latest/config - https://googleapis.dev/python/google-api-core/latest/auth.html - https://googleapis.dev/python/google-auth/latest/reference/google.auth.html