As of January 1, 2020 this library no longer supports Python 2 on the latest released version. Library versions released prior to that date will continue to be available. For more information please visit Python 2 support on Google Cloud.

Authentication

Overview

For a language-agnostic overview of authentication on Google Cloud, see Authentication Overview.

  • If you’re running in a Google Virtual Machine Environment (Compute Engine, App Engine, Cloud Run, Cloud Functions), authentication should “just work”.

  • If you’re developing locally, the easiest way to authenticate is using the Google Cloud SDK:

    $ gcloud auth application-default login

    Note that this command generates credentials for client libraries. To authenticate the CLI itself, use:

    $ gcloud auth login

    Previously, gcloud auth login was used for both use cases. If your gcloud installation does not support the new command, please update it:

    $ gcloud components update

  • If you’re running your application elsewhere, you should download a service account JSON keyfile and point to it using an environment variable:

    $ export GOOGLE_APPLICATION_CREDENTIALS="/path/to/keyfile.json"

Client-Provided Authentication

Every package uses a Client as a base for interacting with an API. For example:

    from google.cloud import datastore
    client = datastore.Client()

Passing no arguments at all will “just work” if you’ve followed the instructions in the Overview. The credentials are inferred from your local environment by using Google Application Default Credentials.

Credential Discovery Precedence

When loading the Application Default Credentials, the library will check for credentials in your environment by following the precedence outlined by google.auth.default().

Explicit Credentials

The Application Default Credentials discussed above can be useful if your code needs to run in many different environments or if you just don’t want authentication to be a focus in your code.

However, you may want to be explicit because

  • your code will only run in one place

  • you may have code which needs to be run as a specific service account every time (rather than with the locally inferred credentials)

  • you may want to use two separate accounts to simultaneously access data from different projects

In these situations, you can create an explicit Credentials object suited to your environment. After creation, you can pass it directly to a Client:

    client = Client(credentials=credentials)

Tip

To create a credentials object, follow the google-auth-guide.

Google Compute Engine Environment

These credentials are used in Google Virtual Machine Environments. This includes most App Engine runtimes, Compute Engine, Cloud Functions, and Cloud Run.

To create credentials:

    from google.auth import compute_engine
    credentials = compute_engine.Credentials()

Service Accounts

A service account is stored in a JSON keyfile.

    from google.oauth2 import service_account
    credentials = service_account.Credentials.from_service_account_file('/path/to/key.json')

A JSON string or dictionary:

    import json
    from google.oauth2 import service_account
    json_account_info = json.loads(...)  # convert JSON to dictionary
    credentials = service_account.Credentials.from_service_account_info(json_account_info)

Tip

Previously the Google Cloud Console would issue a PKCS12/P12 key for your service account. This library does not support that key format. You can generate a new JSON key for the same service account from the console.

User Accounts (3-legged OAuth 2.0) with a refresh token

The majority of cases are intended to authenticate machines or workers rather than actual user accounts. However, it’s also possible to call Google Cloud APIs with a user account via OAuth 2.0.

Tip

A production application should use a service account, but you may wish to use your own personal user account when first getting started with the google-cloud-* library.

The simplest way to use credentials from a user account is via Application Default Credentials using gcloud auth application-default login (as mentioned above) and google.auth.default():

    import google.auth
    credentials, project = google.auth.default()

This will still follow the precedence described above, so be sure none of the other possible environments conflict with your user-provided credentials.
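To check for the conflicts mentioned here and under Credential Discovery Precedence, the following added example (not part of google-auth or of this page's original code) lists the file-based credential sources in the order google.auth.default() tries them: the GOOGLE_APPLICATION_CREDENTIALS variable first, then the file written by gcloud auth application-default login. The function names and the report format are assumptions of this example; it uses only the standard library and never returns secret fields.

```python
import json
import os
import stat
from pathlib import Path

def well_known_file(env, home):
    """File written by `gcloud auth application-default login`."""
    if env.get("CLOUDSDK_CONFIG"):
        base = Path(env["CLOUDSDK_CONFIG"])
    elif os.name == "nt":
        base = Path(env.get("APPDATA", str(home))) / "gcloud"
    else:
        base = Path(home) / ".config" / "gcloud"
    return base / "application_default_credentials.json"

def describe(source, path):
    """Summarise one credential file; secret fields are never returned."""
    entry = {"source": source, "path": str(path), "type": None, "warnings": []}
    try:
        info = json.loads(Path(path).read_text())
        if not isinstance(info, dict):
            raise ValueError("not a JSON object")
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except (OSError, ValueError) as exc:
        entry["warnings"].append(f"unusable file: {type(exc).__name__}")
        return entry
    entry["type"] = info.get("type")  # e.g. service_account, authorized_user
    entry["identity"] = info.get("client_email") or info.get("client_id")
    if os.name != "nt" and mode & 0o077:
        entry["warnings"].append(f"mode {mode:o} grants access beyond the owner")
    return entry

def audit_adc(env=None, home=None):
    """File-based ADC sources, in the order google.auth.default() tries them."""
    env = os.environ if env is None else env
    home = Path.home() if home is None else Path(home)
    found = []
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        found.append(describe("GOOGLE_APPLICATION_CREDENTIALS", explicit))
    gcloud_file = well_known_file(env, home)
    if gcloud_file.is_file():
        found.append(describe("gcloud application-default", gcloud_file))
    if len(found) == 2:
        found[1]["warnings"].append("ignored: GOOGLE_APPLICATION_CREDENTIALS wins")
    return found  # empty: no file source, so the runtime environment is tried next

if __name__ == "__main__":
    print(*audit_adc(), sep="\n")
```

The first entry in the result is the identity a Client() created with no arguments will run as; an entry of type service_account marks a long-lived private key on disk.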

Troubleshooting

Setting up a Service Account

If your application is not running on a Google Virtual Machine Environment, you need a Service Account. See Creating a Service Account.

Using Google Compute Engine

If your code is running on Google Compute Engine, using the inferred Google Application Default Credentials will be sufficient for retrieving credentials.

However, by default your credentials may not grant you access to the services you intend to use. Be sure when you set up the GCE instance, you add the correct scopes for the APIs you want to access:

  • All APIs

    • https://www.googleapis.com/auth/cloud-platform

    • https://www.googleapis.com/auth/cloud-platform.read-only

For scopes for specific APIs see OAuth 2.0 Scopes for Google APIs.
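To confirm which scopes an instance actually has, the following added example (not from the original page or the client library) reads them from the Compute Engine metadata server and reports any needed scope that is not covered. The function names and the constructed SAMPLE response are assumptions of this example; read_only=True assumes the caller only needs to view data.

```python
import urllib.request

SCOPES_URL = ("http://metadata.google.internal/computeMetadata/v1/"
              "instance/service-accounts/default/scopes")
BROAD = "https://www.googleapis.com/auth/cloud-platform"
BROAD_RO = BROAD + ".read-only"

def parse_scopes(body):
    """The metadata server returns one scope URL per line."""
    return {line.strip() for line in body.splitlines() if line.strip()}

def fetch_scopes(timeout=2.0):
    """Scopes of the instance's default service account (works only on GCE)."""
    req = urllib.request.Request(SCOPES_URL, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_scopes(resp.read().decode("utf-8"))

def scope_gaps(granted, needed, read_only=False):
    """Needed scopes that no granted scope covers, sorted."""
    # The two "All APIs" scopes listed above cover every Google Cloud API scope.
    if BROAD in granted or (read_only and BROAD_RO in granted):
        return []
    return sorted(set(needed) - set(granted))

# Constructed sample of a metadata response for an instance with narrow scopes.
SAMPLE = """\
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
"""

if __name__ == "__main__":
    needed = ["https://www.googleapis.com/auth/datastore"]
    # On a real instance, replace parse_scopes(SAMPLE) with fetch_scopes().
    print("missing scopes:", scope_gaps(parse_scopes(SAMPLE), needed))
```

Scopes only cap what the instance's token may be used for; the service account's IAM roles still decide whether a given call is allowed.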