Authentication

Authentication for API calls is obtained directly from Google Cloud. Two options are implemented in pittgoogle. Complete at least one:

Service Account (Recommended)

These are instructions to create a service account and download a key file that can be used for authentication.

1. Prerequisite: Access to a Google Cloud project.

2. Follow Google’s instructions to create a service account. You will:

   • Create a service account with the Project > Owner role.

   • Download a key file that contains authorization credentials. Keep this file secret!

3. Take note of the path to the key file you downloaded. Then, set both environment variables.

Note

The Project > Owner role gives the service account permission to do anything and everything, within the project. It is the simplest option and allows you to avoid the headache of tracking down “permission denied” errors. However, this role is excessively permissive in essentially all cases. If you want to restrict the permissions granted to the service account, assign a different role(s). A good place to look is: Predefined roles.

OAuth2

These are instructions to complete authentication using OAuth2.

Note

This works, but it’s cumbersome because it’s only partially implemented. Consider using a service account instead.

Requirements

1. You must have a Google account (e.g., Gmail address) that is authorized make API calls through the project that is defined by the GOOGLE_CLOUD_PROJECT environment variable.

2. You must be added to the list of authorized test users, and obtain the client ID and client secret. Contact us. (This is a Google requirement for apps in dev.)

3. You will have to re-authenticate every time you instantiate a new auth or client object.

Authentication Workflow

1. Set environment variables named PITTGOOGLE_OAUTH_CLIENT_ID and PITTGOOGLE_OAUTH_CLIENT_SECRET to values obtained from Pitt-Google broker.

2. Make an API call.

3. The process will hang and ask you to visit a URL to complete authentication. Follow the instructions.

4. Log in with the Google account attached to your project.

5. Authorize the Pitt-Google app to make API calls on your behalf. This only needs to be done once for each API access scope (e.g., Pub/Sub, BigQuery, and Logging).

6. Respond to the prompt on the command line by entering the full URL of the webpage you are redirected to after completing the above.