Authentication — google-api-core documentation

As of January 1, 2020 this library no longer supports Python 2 on the latest released version. Library versions released prior to that date will continue to be available. For more information please visit Python 2 support on Google Cloud.

Overview

For a language agnostic overview of authentication on Google Cloud, see Authentication Overview.

Client-Provided Authentication

Every package uses a Client as a base for interacting with an API. For example:

from google.cloud import datastore
client = datastore.Client()

Passing no arguments at all will “just work” if you’ve followed the instructions in the Overview. The credentials are inferred from your local environment by using Google Application Default Credentials.

Credential Discovery Precedence

When loading the Application Default Credentials, the library will check for credentials in your environment by following the precedence outlined by google.auth.default().

Explicit Credentials

The Application Default Credentials discussed above can be useful if your code needs to run in many different environments or if you just don’t want authentication to be a focus in your code.

However, you may want to be explicit because

In these situations, you can create an explicit Credentials object suited to your environment. After creation, you can pass it directly to a Client:

client = Client(credentials=credentials)

Google Compute Engine Environment

These credentials are used in Google Virtual Machine Environments. This includes most App Engine runtimes, Compute Engine, Cloud Functions, and Cloud Run.

To create credentials:

from google.auth import compute_engine
credentials = compute_engine.Credentials()

Service Accounts

A service account is stored in a JSON keyfile.

from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file(
    '/path/to/key.json')

A JSON string or dictionary:

import json

from google.oauth2 import service_account

json_account_info = json.loads(...)  # convert JSON to dictionary
credentials = service_account.Credentials.from_service_account_info(
    json_account_info)

Tip

Previously the Google Cloud Console would issue a PKCS12/P12 key for your service account. This library does not support that key format. You can generate a new JSON key for the same service account from the console.

User Accounts (3-legged OAuth 2.0) with a refresh token

The majority of cases are intended to authenticate machines or workers rather than actual user accounts. However, it’s also possible to call Google Cloud APIs with a user account via OAuth 2.0.

Tip

A production application should use a service account, but you may wish to use your own personal user account when first getting started with the google-cloud-* library.

The simplest way to use credentials from a user account is via Application Default Credentials using gcloud auth application-default login (as mentioned above) and google.auth.default():

import google.auth

credentials, project = google.auth.default()

This will still follow the precedence described above, so be sure none of the other possible environments conflict with your user-provided credentials.
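An added diagnostic, not part of the google-api-core documentation: it reports which file-based source Application Default Credentials would pick, following the order documented for google.auth.default() (the GOOGLE_APPLICATION_CREDENTIALS variable first, then the file written by gcloud auth application-default login), so a stray key file that shadows your user login is easy to spot. The function names are illustrative, only POSIX paths are handled, and the warnings are this example's own checks rather than anything the library reports.

```python
import json
import os
import stat
from pathlib import Path

ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS"
WELL_KNOWN = "application_default_credentials.json"


def gcloud_adc_path(environ, home):
    """Where `gcloud auth application-default login` writes its file (POSIX)."""
    if environ.get("CLOUDSDK_CONFIG"):  # overrides the gcloud config directory
        return Path(environ["CLOUDSDK_CONFIG"]) / WELL_KNOWN
    return Path(home) / ".config" / "gcloud" / WELL_KNOWN


def describe(path):
    """Return (credential type, warnings) for a credentials file.

    Raises if the file is missing or not JSON; google.auth.default()
    also fails rather than falling through in that situation.
    """
    info = json.loads(Path(path).read_text())
    warnings = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        warnings.append("file is accessible to group or other users")
    if info.get("type") == "service_account" and "private_key" in info:
        warnings.append("long-lived service account private key on disk")
    return info.get("type"), warnings


def adc_file_source(environ=os.environ, home=None):
    """First file-based source ADC would use: (source, path, type, warnings)."""
    home = home or Path.home()
    explicit = environ.get(ENV_VAR)
    if explicit:  # highest precedence: wins even when a gcloud login exists
        return (ENV_VAR, explicit) + describe(explicit)
    candidate = gcloud_adc_path(environ, home)
    if candidate.is_file():
        return ("gcloud", str(candidate)) + describe(candidate)
    # No file found: ADC falls through to the runtime (e.g. the metadata server).
    return ("none", None, None, [])


if __name__ == "__main__":
    print(adc_file_source())
```

A result whose source is GOOGLE_APPLICATION_CREDENTIALS when you expected your gcloud login is the conflict the paragraph above warns about.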

Troubleshooting

Setting up a Service Account

If your application is not running on a Google Virtual Machine Environment, you need a Service Account. See Creating a Service Account.

Using Google Compute Engine

If your code is running on Google Compute Engine, using the inferred Google Application Default Credentials will be sufficient for retrieving credentials.

However, by default your credentials may not grant you access to the services you intend to use. Be sure when you set up the GCE instance, you add the correct scopes for the APIs you want to access:

For scopes for specific APIs see OAuth 2.0 Scopes for Google APIs