Create Google Cloud Project with Cloud Resource Manager API

0
votes

I'm trying to create a new project in the Google Cloud Platform using the Cloud Resource Manager API. It all works fine when I use it through the API explorer however I don't quite understand how to use it as an http request outside of API Explorer.

I run the request like this:

curl -H "Content-Type: application/json" -X POST -d '{"name": "project example","projectId": "my-project-example-1234"}' https://cloudresourcemanager.googleapis.com/v1/projects?fields=response&key={MY_APY_KEY}

Response:

{
  "error": {
    "code": 401,
    "message": "The request does not have valid authentication credentials.",
    "status": "UNAUTHENTICATED"
  }
}

The documentation says that this request requires an OAuth scope and that's when things get confusing to me. Reading the documentation I could not understand how one of the required OAuth scopes can be passed with the URL when making the http request to the rest API which I'm only assuming is what I'm missing.

2
google-app-enginegoogle-apigoogle-oauthgoogle-cloud-platform
Scopes are passed during OAuth authentication, not subsequent use of the credentials: cloud.google.com/docs/authentication#oauth_scopes and cloud.google.com/resource-manager/docs/authorizing.Alex
I assume the curl requests are just for testing: what is your target language that you want to use? Are you planning on creating the projects on behalf of your end user or are you wanting to create the projects with your own account as the owner?BrettJ
@BrettJ. You get the idea. I'm using Go and I'd create projects on behalf of my end user not the default account like all the examples I could find here.Jose Bagatelli
Go isn't my strong suit, but posted an answer with a cross-link to a sample project that might get you far enough along.BrettJ

2 Answers

3
votes

Rather than just tell you how to test with a working token, I'm going to try to more broadly answer what you're aiming to do.

At a pretty high level, you will need to:

  1. Enable the Resource Manager API for your Cloud Console project.

  2. Create an OAuth client ID for Web applications in the Cloud Console. You will need to register your authorized redirect URI. This is where your app will get the OAuth response back from Google when the end user authorizes your app. Note the client ID, you will need that next.

  3. Start the OAuth flow by assembling your URL:

    https://accounts.google.com/o/oauth2/v2/auth?
response_type=code&
client_id=<123456789example>.apps.googleusercontent.com&
scope=https://www.googleapis.com/auth/cloudplatformprojects&
redirect_uri=http://<YOUR-APP-URL>/<YOUR-OAUTH-HANDLER>

    Replace in that URL the client ID and the redirect URI. I assume you'd have a button or link on your site where you would have the user click to start this flow.

  4. Code your OAuth handler. Some more in-depth code for doing this in Go can be gleaned from this Go Sample, which was originally for G+ sign-in but much of the logic is going to be the same. You are going to get a code query parameter passed to your application, the value is a one-time authorization code that your application must exchange for your OAuth tokens that you use to make API calls on behalf of the user.

  5. If appropriate for your app and situation, securely store your tokens for use later or for processing while your user is not active on your site (might be appropriate for batch processing).

  6. Now that you have an access token, you can pass that to the Resource Manager API and create projects on behalf of the user. You might use the Go client library or you could call the HTTP endpoints directly in your code.

If you want more testing with curl, I'd follow the process that we wrote up accessing the App Engine Admin API. Substitute Admin API URLs and names for Resource Manager and you've got the overall flow. The difference from what's above, is I used a code flow above because I assume you want server-side and possibly refresh tokens if you need to be able to make these API calls while the user is not active on your site.

0
votes

Like Alex says, you ask for scopes during OAuth authentication. One way to easily authenticate and obtain a Oauth access token is doing:

gcloud beta auth application-default login --scopes=https://www.googleapis.com/auth/cloudplatformprojects

As you can see, you can specify the scopes you want to gcloud and it will take care of authentication for you.

Then, you should be able to create a project calling:

curl -H "Content-Type: application/json" -H "Authorization: Bearer $(gcloud beta auth application-default print-access-token)" -X POST -d '{"name": "project example","projectId": "my-project-example-1234"}' https://cloudresourcemanager.googleapis.com/v1/projects?fields=response

Here, you are passing the access token obtained when you made Oauth authentication. This should be taken care of by the client libraries for you when you get the application default credentials.