The App Identity API lets an application discover its application ID (alsocalled theproject ID). Usingthe ID, an App Engine application can assert its identity to other App EngineApps, Google APIs, and third-party applications and services. Theapplication ID can also be used to generate a URL or email address, or to makea run-time decision.

Getting the project ID

The project ID can be found using theapp_identity.get_application_id()method. The WSGI or CGI environment exposessome implementation details, which are handled by the API.

Getting the application hostname

By default, App Engine apps are served from URLs in the formhttps://PROJECT_ID.REGION_ID.r.appspot.com, where the project ID is part of the hostname.If an app is served from a custom domain, it may be necessary to retrieve theentire hostname component. You can do this using theapp_identity.get_default_version_hostname() method.

Asserting identity to other App Engine apps

If you want to determine the identity of the App Engine app that is making arequest to your App Engine app, you can use the request headerX-Appengine-Inbound-Appid. This header is added to the request by the URLFetchservice and is not user modifiable, so it safely indicates the requestingapplication's project ID, if present.

Requirements:

• Only calls made to your app'sappspot.com domain will contain theX-Appengine-Inbound-Appid header. Calls to custom domains do not contain the header.
• Your requests must be set to not follow redirects. Set theurlfetch.fetch()follow_redirects parameter toFalse.

In your application handler, you can check the incoming ID by reading theX-Appengine-Inbound-Appid header and comparing it to a list of IDs allowedto make requests. For example:

importwebapp2classMainPage(webapp2.RequestHandler):allowed_app_ids=["other-app-id","other-app-id-2"]defget(self):incoming_app_id=self.request.headers.get("X-Appengine-Inbound-Appid",None)ifincoming_app_idnotinself.allowed_app_ids:self.abort(403)self.response.write("This is a protected page.")app=webapp2.WSGIApplication([("/",MainPage)],debug=True)

Asserting identity to Google APIs

Google APIs use the OAuth 2.0 protocol forauthentication andauthorization. TheApp Identity API can create OAuth tokens that can be used to assert that thesource of a request is the application itself. Theget_access_token() methodreturns an access token for a scope, or list of scopes. This token can then beset in the HTTP headers of a call to identify the calling application.

importjsonimportloggingfromgoogle.appengine.apiimportapp_identityfromgoogle.appengine.apiimporturlfetchimportwebapp2classMainPage(webapp2.RequestHandler):defget(self):auth_token,_=app_identity.get_access_token("https://www.googleapis.com/auth/cloud-platform")logging.info("Using token{} to represent identity{}".format(auth_token,app_identity.get_service_account_name()))response=urlfetch.fetch("https://www.googleapis.com/storage/v1/b?project={}".format(app_identity.get_application_id()),method=urlfetch.GET,headers={"Authorization":"Bearer{}".format(auth_token)},)ifresponse.status_code!=200:raiseException("Call failed. Status code{}. Body{}".format(response.status_code,response.content))result=json.loads(response.content)self.response.headers["Content-Type"]="application/json"self.response.write(json.dumps(result,indent=2))app=webapp2.WSGIApplication([("/",MainPage)],debug=True)

Note that the application's identity is represented by the service account name, which is typicallyapplicationid@appspot.gserviceaccount.com. You can get the exact value by using theget_service_account_name() method.For services which offer ACLs, you can grant the application access by granting this account access.

Asserting identity to third-party services

The token generated byget_access_token()only works against Google services. However you can use the underlying signing technology to assert the identity of your application to other services. Thesign_blob() methodwill sign bytes using a private key unique to your application, and theget_public_certificates() methodwill return certificates which can be used to validate the signature.

importbase64fromCrypto.HashimportSHA256fromCrypto.PublicKeyimportRSAfromCrypto.SignatureimportPKCS1_v1_5fromCrypto.Util.asn1importDerSequencefromgoogle.appengine.apiimportapp_identityimportwebapp2defverify_signature(data,signature,x509_certificate):"""Verifies a signature using the given x.509 public key certificate."""# PyCrypto 2.6 doesn't support x.509 certificates directly, so we'll need# to extract the public key from it manually.# This code is based on https://github.com/google/oauth2client/blob/master# /oauth2client/_pycrypto_crypt.pypem_lines=x509_certificate.replace(b" ",b"").split()cert_der=base64.urlsafe_b64decode(b"".join(pem_lines[1:-1]))cert_seq=DerSequence()cert_seq.decode(cert_der)tbs_seq=DerSequence()tbs_seq.decode(cert_seq[0])public_key=RSA.importKey(tbs_seq[6])signer=PKCS1_v1_5.new(public_key)digest=SHA256.new(data)returnsigner.verify(digest,signature)defverify_signed_by_app(data,signature):"""Checks the signature and data against all currently valid certificates    for the application."""public_certificates=app_identity.get_public_certificates()forcertinpublic_certificates:ifverify_signature(data,signature,cert.x509_certificate_pem):returnTruereturnFalseclassMainPage(webapp2.RequestHandler):defget(self):message="Hello, world!"signing_key_name,signature=app_identity.sign_blob(message)verified=verify_signed_by_app(message,signature)self.response.content_type="text/plain"self.response.write("Message:{}\n".format(message))self.response.write("Signature:{}\n".format(base64.b64encode(signature)))self.response.write("Verified:{}\n".format(verified))app=webapp2.WSGIApplication([("/",MainPage)],debug=True)

Each application can have one default Cloud Storage bucket, whichincludes5GB of free storage and a free quota for I/O operations.

To get the name of the default bucket,you can use the App Identity API. Callgoogle.appengine.api.app_identity.app_identity.get_default_gcs_bucket_name.