• Stars
    star
    100
  • Rank 340,703 (Top 7 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 9 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Simple "Hello world" samples for accessing Google Cloud APIs in (node,dotnet,java,golang,python)

Google Cloud Platform API hello world samples

samples provided as-is without warranty

Sample code demonstrating various Auth mechanism for Google Cloud Platform APIs.

Please refer to official documentation for usage and additional samples/usage.

Google Authentication Samples


Application Default Credentials

The samples use Application Default Credentials which uses credentials in the following order as described in the link. Set the environment variable to override.

You can always specify the target source to acquire credentials by using intent specific targets such as: ComputeCredentials, UserCredentials or ServiceAccountCredential.

There are two types of client libraries you can use to connect to Google APIs:

  • Google Cloud Client Libraries
  • Gooogle API Client Libraries << note: this repo now omits this api mechanism (for the most part)

The basic differences is the Cloud Client libraries are idiomatic, has gcloud-based emulators and much easier to use.

It is recommended to use Cloud Client Libraries whereever possible. Although this article primarily describes the API Client libraries, the python code section describes uses of Cloud Client libraries with Google Cloud Storage.

For more information, see

This article also describes how to use IAM's serviceAccountActor role to issue access_tokens, id_tokens and JWT. For more information on that, see auth/tokens/.

The following examples use the Oauth2 service to demonstrate the initialized client using Google API Client Libraries. The first section is about the different client libraries you can use.

For more inforamtion, see:

GoogleLibraries

As described in the introduciton, this section details the two types of libraries you can use to access Google Services:

Google Cloud Client Libraries

These libraries are idomatic, easy to use and even support the gcloud-based emulator framework. This is the recommended library set to use to access Google Cloud APIs.

For more information, see:

The following example describes various ways to initialize a service account to list the Google Cloud Storage buckets the account has access to. It also shows listing the buckets using the default account currently initialized by gcloud.

To use the mechanisms here, you need to initialize gcloud's application defaults:

gcloud auth application-default login

Cloud Python

The following uses the google-storage client described here: Storage Client

virtualenv env
source env/bin/activate
pip install google-cloud-storage

The following lists some of the various mechanisms to acquire credentials:

List buckets using the default account on the current gcloud cli (preferred)

from google.cloud import storage

client = storage.Client()
buckets = client.list_buckets()
for bkt in buckets:
  print(bkt)

List buckets using gcloud cli explicit credential and project

from google.cloud import storage
import google.auth

credentials, project = google.auth.default()    
client = storage.Client(credentials=credentials)
buckets = client.list_buckets()
for bkt in buckets:
  print(bkt)

List buckets using an environment variable and then google.auth.default() credentials.

from google.cloud import storage
import google.auth
impot os

os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "YOUR_JSON_CERT.json"
credentials, project = google.auth.default()
if credentials.requires_scopes:
  credentials = credentials.with_scopes(['https://www.googleapis.com/auth/devstorage.read_write'])
client = storage.Client(credentials=credentials)
buckets = client.list_buckets()
for bkt in buckets:
  print(bkt)

List buckets using a service_account oauth2 object directly

from google.cloud import storage
import google.auth
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('YOUR_JSON_CERT.json')
if credentials.requires_scopes:
  credentials = credentials.with_scopes(['https://www.googleapis.com/auth/devstorage.read_write'])

client = storage.Client(credentials=credentials)
buckets = client.list_buckets()
for bkt in buckets:
  print(bkt)

List buckets using the storage client directly loading the certificate:

from google.cloud import storage

client = storage.Client.from_service_account_json("YOUR_JSON_CERT.json")
buckets = client.list_buckets()
for bkt in buckets:
  print(bkt)
Iterators

see

  • Logging:
import os
import pprint
from google.cloud import logging

from google.cloud.logging import ASCENDING
from google.cloud.logging import DESCENDING

pp = pprint.PrettyPrinter(indent=1)

FILTER = 'resource.type="gae_app" AND logName="projects/your-project/logs/appengine.googleapis.com%2Frequest_log" AND protoPayload.resource="/"'

client = logging.Client()

iterator = client.list_entries(filter_=FILTER, order_by=DESCENDING)
for page in iterator.pages:
  print('    Page number: %d' % (iterator.page_number,))
  print('  Items in page: %d' % (page.num_items,))
  print('Items remaining: %d' % (page.remaining,))
  print('Next page token: %s' % (iterator.next_page_token,))  
  print('----------------------------')
  for entry in page:
      print(entry.timestamp)
  • Monitoring:
# virtualenv env
# source env/bin/activate
# pip install google-cloud-monitoring==0.30.0

import datetime, time
import pprint
from google.cloud import monitoring_v3
from google.cloud.monitoring_v3.query import Query

client = monitoring_v3.MetricServiceClient()

metric_type = 'serviceruntime.googleapis.com/api/request_count'
resource_type = 'consumed_api'
service = 'logging.googleapis.com'

now = datetime.datetime.utcnow()
fifteen_mins_ago =  now - datetime.timedelta(minutes=15)

q = Query(client, project='YOUR_PROJECT', metric_type=metric_type, minutes=10)
q.select_interval(end_time=now,start_time=fifteen_mins_ago)
q.select_resources(resource_type=resource_type, service=service)

for timeseries in q.iter():
  print()'========== Metric: ')
  #pprint.pprint(timeseries)
  print()'========== Points: ')
  for p in timeseries.points:
   print(repr(p))
   print(str(p.start_time) + ' --> ' + str(p.end_time) + '  : [' +  str(p.value.get('bucketCounts')) + ']')
  print('-----------------')
Using google.auth for GoogleAPIs

The following shows transport authorization for the original Google APIs

import oauth2client
from oauth2client.client import GoogleCredentials
import httplib2

http = httplib2.Http()
credentials = GoogleCredentials.get_application_default()
if credentials.create_scoped_required():
  credentials = credentials.create_scoped(scopes)
http = credentials.authorize(http)

If you need to use the more recent Google Cloud Auth library, you need to cast the transport:

import google.auth
import google_auth_httplib2

scopes = ['https://www.googleapis.com/auth/devstorage.read_write']
credentials, project = google.auth.default(scopes=scopes)
http =  google_auth_httplib2.AuthorizedHttp(credentials)

or preferably init a cloud API:

from google.cloud import storage
import google.auth
from google.oauth2 import service_account
import os

#credentials = service_account.Credentials.from_service_account_file('YOUR_JSON_CERT.json')
#if credentials.requires_scopes:
#  credentials = credentials.with_scopes(['https://www.googleapis.com/auth/devstorage.read_write'])
#client = storage.Client(credentials=credentials)

os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "/path/to/svc_account.json"
credentials, project = google.auth.default()    
client = storage.Client(credentials=credentials)
buckets = client.list_buckets()
for bkt in buckets:
  print(bkt)
Logging_Cloud_python

If you want to enable trace logging with google-cloud-python* library set,

#!/usr/bin/python

from google.cloud import bigquery
from six.moves import http_client

http_client.HTTPConnection.debuglevel = 5

client = bigquery.Client()
query_job = client.query("""
        SELECT timestamp
FROM
 `your-project.gae_request_logs.appengine_googleapis_com_request_log_20161119`
ORDER BY timestamp DESC
LIMIT
 4;""")

results = query_job.result()
for row in results:
        print(row)

Cloud Java

The following describes using java default credentials. You can explictly setCredentials() while initializing a service but that is not recommended as the code is not portable

The various credential types can be found here:

The samples conained within

Shows one sample app that uses both library types. At the time of writing (7/7/18), there is a conflict between the grpc dependencies and google apis.

WHich means, if you use GoogleAPIs, comment out the sections for Cloud API in the pom and .java files:

for Cloud APIs, use:

  • pom.xml
  <dependency>
      <groupId>com.google.cloud</groupId>
      <artifactId>google-cloud-storage</artifactId>
      <version>zzzz</version>
  </dependency>

  <dependency>
    <groupId>com.google.cloud</groupId>
    <artifactId>google-cloud-pubsub</artifactId>
    <version>yyyy</version>
  </dependency>
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import com.google.cloud.storage.Blob;
import com.google.cloud.storage.Blob.BlobSourceOption;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.BlobInfo;

import com.google.cloud.storage.Storage.SignUrlOption;
import java.util.concurrent.TimeUnit;
import java.net.URL;
import java.util.Iterator;
import java.io.FileInputStream;


//import com.google.auth.oauth2.ServiceAccountCredentials;

// Using Google Cloud APIs with service account file
// You can also just export an export GOOGLE_APPLICATION_CREDENTIALS and use StorageOptions.defaultInstance().service()
// see https://github.com/google/google-auth-library-java#google-auth-library-oauth2-http
/*
Storage storage_service = StorageOptions.newBuilder()
			.setCredentials(ServiceAccountCredentials.fromStream(new FileInputStream("/path/to/your/certificate.json")))
			.build()
			.getService();			
*/

Storage storage_service = StorageOptions.newBuilder()
	.build()
	.getService();
for (Bucket b : storage_service.list().iterateAll()){
  System.out.println(b);
}

// You can also use the client to generate a signed URL:
URL signedUrl = storage_service.signUrl(BlobInfo.newBuilder("your_project", "a.txt").build(), 60,  TimeUnit.SECONDS);
System.out.println(signedUrl);
Proxy Server Settings

see proxy/README.md

Async Futures

see Example

import com.google.iam.v1.GetIamPolicyRequest;
import com.google.iam.v1.Policy;
import com.google.iam.v1.SetIamPolicyRequest;
import com.google.iam.v1.Binding;
import com.google.cloud.Role;

    // setup topicadmin client using the bit above
	TopicAdminClient topicClient =
	  TopicAdminClient.create(
		  TopicAdminSettings.newBuilder()
			  .setTransportChannelProvider(channelProvider)
			  .setCredentialsProvider(credentialsProvider)
              .build());

      String formattedResource = TopicName.create("your-project", "saltopic2").toString();

      GetIamPolicyRequest request = GetIamPolicyRequest.newBuilder()
        .setResource(formattedResource)
        .build();
      ApiFuture<Policy> future = topicAdminClient.getIamPolicyCallable().futureCall(request);
      Policy response = future.get();
      System.out.println(response);

Cloud Go

Package cloud.google.com/go/storage

The following shows google.DefaultTokenSource as well as gcloud's Application Default Credentials

import (
        "golang.org/x/net/context"
        "cloud.google.com/go/storage"
        "google.golang.org/api/iterator"
        "google.golang.org/api/option"
        "log"  
)

	ctx := context.Background()
	/*
		tokenSource, err := google.DefaultTokenSource(oauth2.NoContext, storage.ScopeReadOnly)
		if err != nil {
			log.Fatalf("Unable to acquire token source: %v", err)
		}
		storeageClient, err := storage.NewClient(ctx, option.WithTokenSource(tokenSource))
	*/

	storeageClient, err := storage.NewClient(ctx)
	if err != nil {
		log.Fatalf("Unable to acquire storage Client: %v", err)
	}

	it := storeageClient.Buckets(ctx, "your_project")
	for {
		bucketAttrs, err := it.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			log.Fatalf("Unable to acquire storage Client: %v", err)
		}
		log.Printf(bucketAttrs.Name)
	}
Adding custom headers
package main


import (
  "context"
  "io/ioutil"
  "log"
  "net/http"

  "cloud.google.com/go/storage"
  "google.golang.org/api/option"
  raw "google.golang.org/api/storage/v1"
  htransport "google.golang.org/api/transport/http"
)

func main() {

  ctx := context.Background()

  // Standard way to initialize client:
  // client, err := storage.NewClient(ctx)
  // if err != nil {
  //      // handle error
  // }

  // Instead, create a custom http.Client.
  base := http.DefaultTransport
  trans, err := htransport.NewTransport(ctx, base, option.WithScopes(raw.DevstorageFullControlScope),
            option.WithUserAgent("custom-user-agent"))
  if err != nil {
            // Handle error.
  }
  c := http.Client{Transport:trans}

  // Add RoundTripper to the created HTTP client.
  c.Transport = withDebugHeader{c.Transport}

  // Supply this client to storage.NewClient
  client, err := storage.NewClient(ctx, option.WithHTTPClient(&c))
  if err != nil {
              // Handle error.
  }

  // Use client...
 }

type withDebugHeader struct {
  rt http.RoundTripper
}

func (wdh withDebugHeader) RoundTrip(r *http.Request) (*http.Response, error) {
  headerName := "X-Custom-Header"
  r.Header.Add(headerName, "value")
  resp, err := wdh.rt.RoundTrip(r)
  if err == nil {
    log.Printf("Resp Header: %+v, ", resp.Header.Get(headerName))
  } else {
    log.Printf("Error: %+v", err)
  }
  return resp, err
}
Exponential Backoff

Cloud libraries implement backoff automatically per service.

Cloud Node

The google-cloud node package initalizes the Cloud API library set:

The sample under auth/compute/nodeapp shows both Cloud APIs and Google APIs

const Storage = require('@google-cloud/storage');
const storage = new Storage({
    projectId: 'your-project',
  });

storage.getBuckets(function(err, buckets) {
  if (!err) {
  	buckets.forEach(function(value){
  			logger.info(value.id);
	});
  }
});

const Pubsub = require('@google-cloud/pubsub');
const pubsub = Pubsub({
    projectId: 'your-project'
  });
  pubsub.getTopics((err, topic) => {
      if (err) {
          logger.error(err);
          return;
      }
      topic.forEach(function(entry) {
      logger.info(entry.name);
      });
  });

Cloud C#

Use Google.Cloud.Storage.V1 package for Google Cloud API access

See auth/service/dotnet for sample for both Cloud APIs and Google APIs libraries.

using Google.Cloud.Storage.V1;

namespace CloudStorageAppGcloud
{
    class Program
    {
        static void Main(string[] args)
        {
            var client = StorageClient.Create();

            foreach (var obj in client.ListObjects("your_project", ""))
            {
                Console.WriteLine(obj.Name);
            }
            Console.ReadLine();
        }
    }
}

gRPC Environment Variables

JWT Access Token

JWT access tokens are efficient way to access certain google apis without the extra round trip to get an access_token. Unlike the normal Oauth service account flow where you

  1. use a local service account to sign a JWT,
  2. Exchange that JWT with google to get an access_token
  3. Use that access_token to make an API call to google

with JWT Access Tokens, all you do is sign a JWT locally with a service account with the intended Service you want to access and then simply send it to the service.

The following links describes this flow:

where these Google APIs will support this:

eg. for PubSub

	// https://github.com/googleapis/googleapis/blob/master/google/pubsub/pubsub.yaml#L6

	ctx := context.Background()
	projectID := "YOUR_PROJECT"
	keyfile := "service_account.json"

	audience := "https://pubsub.googleapis.com/google.pubsub.v1.Publisher"

	keyBytes, err := ioutil.ReadFile(keyfile)
	if err != nil {
		log.Fatalf("Unable to read service account key file  %v", err)
	}
	tokenSource, err := google.JWTAccessTokenSourceFromJSON(keyBytes, audience)
	if err != nil {
		log.Fatalf("Error building JWT access token source: %v", err)
	}
	jwt, err := tokenSource.Token()
	if err != nil {
		log.Fatalf("Unable to generate JWT token: %v", err)
	}
	fmt.Println(jwt.AccessToken)

	pubsubClient, err := pubsub.NewClient(ctx, projectID, option.WithTokenSource(tokenSource))
	if err != nil {
		log.Fatalf("Could not create pubsub Client: %v", err)
	}

Google API Client Library for Python

The following describes the older, non-idomatic libraries. As you can see, its much easier using the idomatic library set.

virtualenv env
source env/bin/activate
pip install --upgrade requests google-api-python-client httplib2 oauth2client

import os
import httplib2
from apiclient.discovery import build
from oauth2client.service_account import ServiceAccountCredentials
from oauth2client.client import GoogleCredentials

scope='https://www.googleapis.com/auth/devstorage.read_only'

#os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "YOUR_JSON_CERT.json"
credentials = GoogleCredentials.get_application_default()
if credentials.create_scoped_required():
  credentials = credentials.create_scoped(scope)
http = httplib2.Http()
credentials.authorize(http)

service = build(serviceName='storage', version= 'v1',http=http)
resp = service.buckets().list(project='YOUR_PROJECT').execute()
for i in resp['items']:
  print(i['name'])

You can also initialize an AuthorizedHttp artifact from google-auth library with discovery:

# http://google-auth.readthedocs.io/en/latest/reference/google.auth.html
# https://github.com/GoogleCloudPlatform/google-auth-library-python-httplib2
import google.auth
import google_auth_httplib2
credentials, project = google.auth.default(scopes=scopes)
http =  google_auth_httplib2.AuthorizedHttp(credentials)

service = build(serviceName='cloudtasks',
  discoveryServiceUrl='https://cloudtasks.googleapis.com/%24discovery/rest?version=v2beta2',
  version= 'v2beta2',http=http)

Google API Python

apt-get install curl python2.7 python-pip
pip install requests google-api-python-client httplib2 oauth2client

ComputeEngine

Under auth/compute/pyapp Runs a simple application on compute engine using Application Default Credentials.

cd auth/compute/pyapp
virtualenv env
source env/bin/activate
pip install -r requirements.txt

python compute.py

Service Account File

Under auth/service/pyapp Runs a simple application that uses the service account credential from both a PKCS12 file and a JSON keyfile. Application Default Credentials uses the JSON keyfile only if the GOOGLE_APPLICATION_CREDENTIALS variable isset

For more details, goto Service Accounts

Userflow

Under auth/userflow/pyapp Runs a simple application that performs user-interactive webflow and propmpts the user for consent. Download an installed app client_secrets.json and reference it for the 'flow_from_clientsecrets()' method.

For more deails, goto flow_from_clientsecrets

The sample also shows the simplified flow with a browser listener (so that you dont' have to type in the code manually):

from google_auth_oauthlib.flow import InstalledAppFlow
flow = InstalledAppFlow.from_client_secrets_file(
    'client_secrets.json',
    scopes=['profile', 'email'])

flow.run_local_server()

client = photos_v1.PhotoServiceClient(credentials=flow.credentials)

Misc

Setting API Key

Example showing how to set the API_KEY.

service = build(serviceName='oauth2', version= 'v2',http=http, developerKey='YOUR_API_KEY')
Logging

Enable verbose wire tracing.

import logging
import httplib2
import sys

logFormatter = logging.Formatter('%(asctime)s - %(name)s - %(message)s')
root = logging.getLogger()
root.setLevel(logging.INFO)           
ch = logging.StreamHandler(sys.stdout)
ch.setLevel(logging.INFO)    
ch.setFormatter(logFormatter)
root.addHandler(ch)
logging.getLogger('oauth2client.client').setLevel(logging.DEBUG)
logging.getLogger('apiclient.discovery').setLevel(logging.DEBUG)

httplib2.debuglevel=3
Credential store

See credential store documentation.

ID Token from Service Account JSON Signed by Google

If you need an id_token issued by Google using your JSON certificate:

THe old way was to run through the full flow manually:

from oauth2client.service_account import ServiceAccountCredentials
credentials = ServiceAccountCredentials.from_json_keyfile_name('YOUR_SERVICE_AcCOUNT.json')
now = int(time.time())
payload = {
        'iat': now,
        'exp': now + credentials.MAX_TOKEN_LIFETIME_SECS,
        'aud': 'https://www.googleapis.com/oauth2/v4/token',
        'iss': 'svc1-001@YOUR_PROJECT.iam.gserviceaccount.com',
        'scope': 'svc1-001@YOUR_PROJECT.iam.gserviceaccount.com'
}
signed_jwt = oauth2client.crypt.make_signed_jwt(credentials._signer, payload, key_id=credentials._private_key_id)
params = urllib.urlencode({
      'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
      'assertion': signed_jwt })
headers = {"Content-Type": "application/x-www-form-urlencoded"}
conn = httplib.HTTPSConnection("www.googleapis.com")
conn.request("POST", "/oauth2/v4/token", params, headers)
res = json.loads(conn.getresponse().read())
print(res)

The new (preferred) way is to use the new ```iamcredentials`` API directly. See id_tokens/README.md

both which Returns JSON with a JWT signed by Google:

{"id_token": "YOUR_ID_TOKEN_SIGNED_BY_GOOGLE"}

Decoded JWT id_token:

{
  "iss": "https://accounts.google.com",
  "aud": "svc1-001@YOUR_PROJECT.iam.gserviceaccount.com",
  "sub": "111402810199779215722",
  "email_verified": true,
  "azp": "svc1-001@YOUR_PROJECT.iam.gserviceaccount.com",
  "email": "svc1-001@YOUR_PROJECT.iam.gserviceaccount.com",
  "iat": 1468897846,
  "exp": 1468901446
}

If you are running the flow directly, if you used 'scope': 'https://www.googleapis.com/auth/userinfo.email', the return fields would include an access_token scoped to userinfo.email for the service account.


Google API Java

Java API Client Library. Most of the samples below uses gradle to build and deploy.

ComputeEngine

Under auth/compute/javaapp. Runs a simple application using both Application DefaultCredentials and ComputeCredential.

mvn exec:java

Service Account File

Under auth/service/javaapp. Runs a simple application using both Application DefaultCredentials and by directly reading in the JSON certificate file. If the GOOGLE_APPLICATION_CREDENTIALS variable is set to point to the JSON file, the applicationDefault profile will also read the JSON file (otherwise, it will attempt to pick up the gcloud credentials)

mvn exec:java

UserFlow

Under auth/userflow/javaapp. Runs a simple webflow application to acquire user consent for GoogleAPIs. This particular userflow launches a browser and listener.

mvn exec:java

Misc

Logging
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;

ConsoleHandler consoleHandler = new ConsoleHandler();
consoleHandler.setLevel(Level.ALL);
consoleHandler.setFormatter(new SimpleFormatter());

Logger logger = Logger.getLogger("com.google.api.client");
logger.setLevel(Level.ALL);
logger.addHandler(consoleHandler);  

Logger lh = Logger.getLogger("httpclient.wire.header");
lh.setLevel(Level.ALL);
lh.addHandler(consoleHandler);

Logger lc = Logger.getLogger("httpclient.wire.content");
lc.setLevel(Level.ALL);
lc.addHandler(consoleHandler);

Logger gl = Logger.getLogger("io.grpc");
gl.setLevel(Level.FINE);
gl.addHandler(consoleHandler);
Setting API Key
String API_KEY = "...";
Oauth2 service = new Oauth2.Builder(httpTransport, jsonFactory, credential)
    .setApplicationName("oauth client")
    .setOauth2RequestInitializer(new Oauth2RequestInitializer(API_KEY))    
    .build();
Setting Request Parameter
Oauth2 service = new Oauth2.Builder(httpTransport, jsonFactory, credential)
    .setApplicationName("oauth client")
    .setOauth2RequestInitializer(new Oauth2RequestInitializer(){
        @Override
        public void initializeOauth2Request(Oauth2Request<?> request) {
            request.setPrettyPrint(true);
        }
    })      
    .build();
Credential store

See documentatin on Drive

Exponential Backoff

See ExponentialBackOff

Usign GoogleAPIs:

import com.google.api.client.util.ExponentialBackOff;

final GoogleCredential credential = GoogleCredential.getApplicationDefault(httpTransport,jsonFactory).createScoped(Arrays.asList(Oauth2Scopes.USERINFO_EMAIL));

Oauth2 service = new Oauth2.Builder(httpTransport, jsonFactory, new HttpRequestInitializer() {
                public void initialize(HttpRequest request) throws IOException {
                    request.setContentLoggingLimit(0);
                    request.setCurlLoggingEnabled(false);
                    credential.initialize(request);
                    ExponentialBackOff backoff = new ExponentialBackOff.Builder()
                    .setInitialIntervalMillis(500)
                    .setMaxElapsedTimeMillis(900000)
                    .setMaxIntervalMillis(6000)
                    .setMultiplier(1.5)
                    .setRandomizationFactor(0.5)
                    .build();
                  request.setUnsuccessfulResponseHandler(new HttpBackOffUnsuccessfulResponseHandler(backoff));
                }
            })                  
            .setApplicationName("oauth client")
            .build();

or using Cloud Libraries

import com.google.api.gax.retrying.RetrySettings;

        Storage storage = StorageOptions.newBuilder()
            .setCredentials(myprovider.getCredentials())
            .setRetrySettings(ServiceOptions.getDefaultRetrySettings())
            .build()
            .getService();

Google API Go

DefaultTokenSource

ComputeEngine

Under auth/compute/goapp. Runs a simple application using both Application DefaultCredentials and ComputeTokenSource. To deploy:

Make sure you create a GCE instance with the userinfo.email scope. That will allow the token to be used against the oauth2 endpoint

export GOPATH=`pwd`

go get golang.org/x/oauth2
go get google.golang.org/cloud/compute/...
go get google.golang.org/api/oauth2/v2
go get cloud.google.com/go/compute/metadata


go run src/main.go

Service Account JSON File

Under auth/service/goapp. Runs a simple application using both Application DefaultCredentials and directly reading JWTConfigFromJSON.

The sample also demonstrates both google api clients and google cloud client libraries.

To use:

edit serviceAccountJSONFile := "YOUR_SERVICE_ACCOUNT_JSON_FILE" and set the path to your service account JSON file. After that, you can either explictly use the credential type for service account (JWTConfigFromJSON, or set the environment variable ause ADC)

THis sample also uses the service account to iterate over the Cloud Storage buckets. Make sure the service account has that permissoin

export GOPATH=`pwd`

go get golang.org/x/oauth2
go get google.golang.org/cloud/compute/...
go get google.golang.org/api/oauth2/v2
go get cloud.google.com/go/compute/metadata
go get github.com/googleapis/gax-go
go get o.opencensus.io/trace
go get go.opencensus.io/plugin/ochttp
go get go.opencensus.io/exporter/stackdriver/propagation
go get google.golang.org/grpc

go run src/main.go

UserFlow

Under auth/userflow/goapp. Runs a simple webflow application to acquire user consent for GoogleAPIs. This particular userflow launches a link URL and expects the authorization token to get entered (installed application).

To use, go to the cloud console, "API & Credentials > Credentials", then "Create Credentials > Oauth2 Credentials > Other". Copy the clientID and secret into main.go:

        ClientID:     "YOUR_CLIENT_ID",
        ClientSecret: "YOUR_CLIENT_SECRET",
go get golang.org/x/net/context
go get golang.org/x/oauth2/google
go get google.golang.org/cloud/compute/...
go get google.golang.org/api/oauth2/v2

go run src/main.go

You will see a URL. Copy that URL to a browser, login and then enter the code. This sample runs the "installed application" flow

Misc

Setting API Key
import "google.golang.org/api/googleapi/transport"
apiKey :="YOUR_API_KEY"
client.Transport = &transport.APIKey{
    Key: apiKey,
}
ID Token Signed by Google

see

Validating id_token

Also see

Credential store

See oauth2.ReuseTokenSource

src, err := google.DefaultTokenSource(oauth2.NoContext, oauthsvc.UserinfoEmailScope)
if err != nil {
   log.Fatalf("Unable to acquire token source: %v", err)
}

tok, err := tokenFromFile("credential.token")
src = oauth2.ReuseTokenSource(tok,src)
tokenval, err := src2.Token()
if err != nil {
    log.Fatalf("Token can't be read")
} else {
    log.Printf("token %v\n", tokenval.AccessToken)
}

client := oauth2.NewClient(context.Background(), src)
svc, err := oauthsvc.New(client)
if err != nil {
    log.Fatalf("ERROR: ", err)
}
...
...
func saveToken(file string, token *oauth2.Token) {
    f, err := os.Create(file)
    if err != nil {
        log.Printf("Warning: failed to cache oauth token: %v", err)
        return
    }
    defer f.Close()
    json.NewEncoder(f).Encode(token)
}

func tokenFromFile(file string) (*oauth2.Token, error) {
    f, err := os.Open(file)
    if err != nil {
        return nil, err
    }
    defer f.Close()
    t := new(oauth2.Token)
    err = json.NewDecoder(f).Decode(t)
    return t, err
}
Logging

The follwoing example of trace http logging wraps the Transport around a logging version: LogTransport.

This example also shows how the API_KEY could get constructed although this particular API (oauth2/v2) does not need or expect an api_key.

package main
import (
    "golang.org/x/oauth2"
    "golang.org/x/oauth2/google"    
    "log"   
    oauthsvc "google.golang.org/api/oauth2/v2"
    "google.golang.org/api/googleapi/transport"
    "net/http"
)
const (
    api_key   = "YOUR_API_KEY"
)
func Auth() {
    src, err := google.DefaultTokenSource(oauth2.NoContext, oauthsvc.UserinfoEmailScope)
    if err != nil {
        log.Fatalf("Unable to acquire token source: %v", err)
    }
    transport := &transport.APIKey{
    //  Key:       api_key,
        Transport: &logTransport{http.DefaultTransport},
    }
    client := &http.Client{
        Transport: &oauth2.Transport{
            Source: src,
            Base:   transport,
        },
    }           
    service, err := oauthsvc.New(client)
    if err != nil {
        log.Fatalf("Unable to create oauth2 service client: %v", err)
    }
    ui, err := service.Userinfo.Get().Do()
    if err != nil {
        log.Fatalf("ERROR: ", err)
    }   
    log.Printf("UserInfo: %v", ui.Email)
}

Google API NodeJS

google.auth.getApplicationDefault

ComputeEngine

Runs sample on ComputeEngine. Requires the userinfo scope enabled on the compute engine instance.

npm install
npm start

Service Account JSON File

Under auth/service/nodeapp. Runs a simple application using both Application DefaultCredentials and directly reading JSON KEY file.

UserFlow

Under auth/userflow/nodeapp. Runs a simple webflow application to acquire user consent for GoogleAPIs. This particular userflow provides a link URL and expects the authorization token to get entered (installed application).

Misc

Setting API Key
var service = google.oauth2({
      version: 'v2',
      auth: authClient,
      params: { key: 'YOUR_API_KEY'}
});
Logging
export NODE_DEBUG=request

Google API C#

.NET packages downloadable from NuGet. Full end-to-end example of all the auth modes available here for CloudStorage

The following code snippet demonstrates both google apis and google cloud libraries all in one auth/compute/dotnet:

cd auth/compute/dotnet
dotnet restore
dotnet run

Appengine

GAE Standard does not support .NET as a runtime. However, you can deploy your application to GAE Flex if you run .NET Core on Linux. See the following sample that runs a .NET webapp in Flex: .NET on GCP. Note: Google APIs do not support .NET Core (coreCLR) yet. At the time of writing, they only supports upto .NET Framework 4.5.1. This means you cannot use Google APIs from within a Container. There are some ports to coreCLR but they are not officially supported.

ComputeEngine

Under auth/compute/dotnet. Runs a simple application using both Application DefaultCredentials and ComputeCredential.

dotnet restore
dotnet run

Service Account JSON File

Under auth/service/dotnet. Runs a simple application using both Application DefaultCredentials using a JSON Certificate and by directly reading in the PKCS12 Certificate file. If the GOOGLE_APPLICATION_CREDENTIALS variable is set to point to the JSON file, the applicationDefault profile will also read the JSON file (otherwise, it will attempt to pick up the gcloud credentials).

Edit service/dotnet/ServiceAuth.cs file and set the path to the service account key file. Then,

dotnet restore
dotnet run

UserFlow

Under auth/userflow/dotnet. Runs a simple webflow application to acquire user consent for GoogleAPIs. This particular userflow launches provides a link URL and expects user consent on the browser.

Credential store

Credentials from the GoogleAPIs userflow is usually stored at

Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData));
or c:\Users\%USER%\AppData\Roaming\Google.Apis.Auth

Using API through Proxy

gRPC clients support http_proxy parameter:

See proxy folder for detailed usage.

to use:

docker run  -p 3128:3128 -ti docker.io/salrashid123/squidproxy /bin/bash

then when inside the container:
/apps/squid/sbin/squid -NsY -f /apps/squid.conf.transparent &

tail -f /apps/squid/var/logs/access.log

More Repositories

1

squid_proxy

Multi-mode Squid Proxy container running SSL intercept
Dockerfile
99
star
2

gcegrpc

gRPC client/server running loadbalanced/failover on Google Compute Engine and Google App Engine
Go
79
star
3

istio_helloworld

easy walkthrough of basic istio
JavaScript
75
star
4

envoy_discovery

Envoy Discovery service 'hello world'
Go
64
star
5

envoy_control

Sample Envoy control plane 'hello world'
Go
63
star
6

gce_metadata_server

Simple emulator for the Google Compute Engine Metadata Server
Go
58
star
7

grpc_xds

gRPC xDS Loadbalancing
Go
52
star
8

istio_external_authorization_server

Tutorial to setup a simple Istio external authorization server
Go
51
star
9

google_id_token

Authenticating using Google OpenID Connect Tokens
C
43
star
10

grpc_web_with_gke

gRPC over browser Javascript: Using gRPC-Web on Google Kubernetes Engine Ingress
JavaScript
37
star
11

envoy_external_authz

Envoy External Authorization server (envoy.ext_authz) HelloWorld
Go
34
star
12

tpm2

TPM2 samples with go-tpm and tpm2_tools
Go
32
star
13

flask-gcp-log-groups

Flask logging handler specifically for Google Cloud combined request and app logs
Python
25
star
14

envoy_ext_proc

Envoy External Processing Filter
Go
24
star
15

go-grpc-bazel-docker

Deterministic Bazel build with gRPC + go
Starlark
22
star
16

signer

golang crypto.Signer, crypto.Decrypter for Google Cloud KMS, TPM and PEM file
Go
20
star
17

wasm_http_go

Browser WebAssembly with golang http client
JavaScript
19
star
18

go_tpm_remote_attestation

TPM Remote Attestation protocol using go-tpm and gRPC
Go
19
star
19

go_pkcs11

PKCS 11 Samples in Go using SoftHSM
Go
19
star
20

gcpcompat-oidc

Exchange Generic OIDC Credentials for GCP Credentials using GCP STS Service
Go
18
star
21

envoy_mtls

Sample configuration for HTTP and Network mTLS using envoy yaml
Go
17
star
22

istio_custom_auth_adapter

Custom Istio Mixer Authorization Adapter
Go
17
star
23

grpc_curl

Supporting image/server demonstrating grpc+curl
Python
16
star
24

grpc_health_proxy

HTTP Proxy for gRPC HealthChecks
Go
15
star
25

envoy_ratelimit

Sample Envoy ratelimit 'hello world'
15
star
26

mtls_pkcs11

mTLS with PKCS11 keys
Go
15
star
27

ca_scratchpad

CA and Subordiante CA sample
Go
14
star
28

confidential_space

Constructing Trusted Execution Environment (TEE) with GCP Confidential Space
Go
13
star
29

iam_autorevoke

Time limited, auto-expiring group memberships for users on Google Cloud
Go
13
star
30

terraform-provider-http-full

Terraform HTTP provider with mTLS and JSON POST support
Go
13
star
31

gcpdotnet

Samples running .NET (coreclr) on Google Appengine, Container Engine and Container VM
C#
12
star
32

gcp_iam

Utility functions to troubleshoot for GCP IAM Permissions, Roles and Resources
Go
12
star
33

envoy_iap

Envoy proxy JWT validator for Google Identity Aware proxy and Google ID Tokens
Python
12
star
34

grpc_stats_envoy_istio

gRPC per method observability with envoy and Istio
Go
12
star
35

gcp_impersonated_credentials

Using ImpersonatedCredentials for Google Cloud API and id_tokens
C#
11
star
36

k8s_federation_with_gcp

Using Kubernetes Service Accounts for Google Workload Identity Federation
11
star
37

gcpcompat-aws

Exchange AWS Credentials for GCP Credentials using GCP STS Service
Go
11
star
38

golang-jwt-tpm

Generate and verify JWT tokens with Trusted Platform Module (TPM)
Go
11
star
39

secure_boot

Testing Secure Boot, dm-crypt, fscrypt, dm-verity with QEMU and debian 10.8.0
11
star
40

k8s_webhook_helloworld

Kubernetes Auth/Authz WebHook Hellworld sample
Go
11
star
41

grpc_sslkeylog

Using Wireshark to decrypt TLS gRPC Client-Server protobuf messages
Go
11
star
42

go_tpm_https_embed

TPM based mTLS
Go
10
star
43

gcp_pubsub_message_encryption

Message Payload Encryption in Google Cloud PubSub
Python
10
star
44

bq-udf-protobuf

BigQuery UDF Marshall/Unmarshall Protocolbuffers
JavaScript
10
star
45

envoy_wasm

Envoy WASM with external gRPC server
C++
10
star
46

gcs_post_signedurl_js

Upload/Download files from a browser with GCS Signed URLs and Signed Policy Documents
HTML
9
star
47

gcp_error_handler

Decoding GCP Errors Details
Java
9
star
48

grpc_google_id_tokens

gRPC Authentication using Google id_tokens
Java
9
star
49

google_cloud_directory_sync

Google Cloud Directory Sync with OpenLDAP
9
star
50

composer_gcf

Calling Cloud Composer > GCF > Composer securely
Python
9
star
51

gcp_cc_sev_demo

Google Cloud Confidential Compute AMD SEV Demo
C
8
star
52

workspace_saml_app

Google Workspace as Identity Provider for your SAML Application
Go
8
star
53

gsuites_gcp_graphdb

JanusGraph db representing Gsuites users,groups and GCP serviceAccounts, roles, permissions to resources
Go
8
star
54

kubehelloworld

Kubernetes HelloWorld Services sample
Go
8
star
55

cloud-functions-dotnet

Google Cloud Functions for .NET
C++
8
star
56

gcp_rclone

Rclone Storage bucket sync using Cloud Scheduler and Cloud Run
Go
7
star
57

squid_ssl_bump_gcp

Squid proxy cluster with ssl_bump on Google Cloud
Shell
7
star
58

vault_gcp

Vault auth and secrets on GCP
Go
7
star
59

openssl_trace

OpenSSL 3.0 docker with FIPS and TLS trace enabled
C
7
star
60

grpc_alts

Simple Helloworld of gRPC Application Layer Transport Security on Google Cloud
Go
7
star
61

gcp_tpm_sealed_keys

Sealing RSA and Symmetric keys to TPM PCR values on Google Cloud
Go
7
star
62

go-tpm-wrapping

Go-TPM-Wrapping - Go library for encrypting values through Trusted Platform Module (TPM)
Go
7
star
63

clam_av

Anti Virus file scanning on Google Cloud Storage using ClamAV
Go
7
star
64

request_reason

Request Annotation with Cloud Audit Logging and Monitoring on GCP
Go
7
star
65

cosign_bazel_cloud_build

Deterministic container hashes and container signing using Cosign, Bazel and Google Cloud Build
Starlark
7
star
66

workload_federation_cloudrun_gcf

Authenticating using Workload Identity Federation to Cloud Run, Cloud Functions
Go
7
star
67

iap_endpoints_app

Single Page webapp using GKE, App Engine, Google Cloud Endpoints and Identity Aware Proxy
Python
7
star
68

wasm_homomorphic_encryption

A simple soroban using WebAssembly and Homomorphic Encryption
JavaScript
6
star
69

gcp_cicp_saml

Setting up SAML for Google Cloud Identity for Customers and Partners (CICP)
Python
6
star
70

gcp_tokendistributor

Remote Authorization and TokenDistributor for GCP VMs
Go
6
star
71

envoy_oauth2

Envoy Oauth2 Filter helloworld
Go
6
star
72

iam_bq_dataset

BigQuery Dataset to query IAM Roles-Permissions daily changes
Go
6
star
73

tpm_daemonset

Kubernetes Trusted Platform Module (TPM) DaemonSet
Go
6
star
74

envoy_tap

Envoy TAP filter helloworld
Go
5
star
75

org_policy_audit

Auditing Google Cloud Organization Policy Enforcement using Asset Inventory API and BigQuery
Go
5
star
76

gcs_signedurl

Google Cloud Storage SignedURL with Cloud Run, Cloud Functions and GCE VMs
Go
5
star
77

envoy_grpc_decode

Filtering gRPC Messages using Envoy
Go
5
star
78

envoy_redis

Redis AUTH and mTLS with Envoy
Go
5
star
79

api_gateway_auth

API Gateway -> Cloud Run Auth Helloworld
Go
5
star
80

envoy_rbac

Envoy mTLS and JWT Auth with RBAC
5
star
81

tink_samples

Simple Examples of using Tink Encryption library in Golang
Go
5
star
82

jwt-samples

Samples for raw implementations of JSON WebTokens (JWT) for Google Authentication
C
5
star
83

fhe

Simple RideSharing "helloworld" with Homomorphic Encryption
Go
5
star
84

grpc_wireformat

gRPC Unary requests the hard way: using protorefelect, dynamicpB and wireencoding to send messages
Go
5
star
85

image_file_converter

Simple image file converter using GCP serverless components
Go
4
star
86

googlapps-sso

Script and container demonstrating SAML SSO for google apps domains
Python
4
star
87

docker_daemon_tpm

Docker daemon mTLS with TPM based keys
Go
4
star
88

gpg_gcf

GPG stream encryption and decryption on Google Cloud Functions and Cloud Run
Go
4
star
89

grpc_web_and_transcoding_with_envoy

Simple grpc web and grpc transcoding with Envoy
Go
4
star
90

bq-udf-xml

XML to JSON BigQuery UDF
TypeScript
4
star
91

cloud_run_grpc_auth

Cloud Run authentication with gRPC
Go
4
star
92

tpm2_evp_sign_decrypt

Simple "Helloworld" Sign and Decrypt using tpm2-tss-engine, openssl EVP. Google Cloud Authentication with tpm2
C
4
star
93

dataflow_pubsub_message_encryption

Message Encryption with Dataflow PubSub Stream Processing
Python
4
star
94

stackdriver_istio_helloworld

Samples on using the Stackdriver suite on istio, simplified
Go
4
star
95

quic_curl

QUIC HTTP/3 with nginx, envoy and curl
Go
4
star
96

k8s_grpc_xds

Kubernetes xDS service for gRPC loadbalancing
Go
4
star
97

tls_ak

TPM based TLS using Attested Keys
Go
4
star
98

sts_server

Serverless Security Token Exchange Server(STS) and gRPC STS credentials
Go
4
star
99

golang-jwt-pkcs11

Generate and verify JWT tokens with PKCS-11
Go
3
star
100

bq_cloud_function_golang

Google BigQuery Remote Functions using golang
Go
3
star