
I am working on Google Cloud Platform and I have to access the cloud functionality from a Java non-web application; for example, I am trying to store and retrieve objects from Google Cloud Storage using the Google Cloud Storage JSON API.

Before accessing those I need to authenticate my application, so I found the authorization API to get authorized access.

When I was trying to get credentials from Google Cloud Platform, I ended up with three choices of credentials:

  • API Key
  • OAuth Client ID
  • Service account Key

I went through the GCP documentation but am not getting clear information that distinguishes among those. I am pretty much new to GCP, so could you please share any information or blog link that explains these credential types with sample Java programs that show how to use the Google Cloud Client Library API.

1 Answer


Google Cloud Platform's Auth Guide is the definitive resource here: https://cloud.google.com/docs/authentication

Google's various auth mechanisms serve different purposes, so let me explain the ones you asked about, and the right choice for you should become more clear.

API keys provide a way for you to identify which project you are making an API call on behalf of. They're good for limiting requests made on behalf of your project with quotas. An API key is generally not considered secure, as it's typically embedded in client apps and web pages. Because of this, API keys provide no authentication or authorization. If an anonymous user shouldn't be able to make the call, an API key isn't going to be sufficient.

Next up, OAuth. OAuth is a way to turn real, human users with Google accounts into authenticated API calls. You'll use it when you want to do something as yourself, like when you're running an app like gcloud locally, or if you're building a web site that needs to ask humans for permission to do things with Google Cloud on their behalf. This process involves client IDs and secrets and ends with refresh tokens and access tokens. There are a few different flavors.

Finally, service accounts. If your app is running off somewhere by itself and not as any particular human, you should model that by creating a service account for your application. Service accounts are special users that don't have a password. Instead, they have private key files that can be deployed with the app so that they can authenticate as themselves. This is usually what you want unless your app needs to run on behalf of specific users (e.g. a cloud management program like gcloud or gsutil).

The Google Cloud Java library provides a feature called "Application Default Credentials," which eliminates the need to configure auth if your application is running in App Engine or GCE. It can also take care of auth if you want to run code as yourself on a local machine and have gcloud installed.

Here's an example of a Compute Engine program that creates a GCS bucket:

import com.google.cloud.storage.*;  // Bucket, BucketInfo, Storage, StorageOptions
// Application Default Credentials are picked up from the environment (GCE/App Engine metadata server, or gcloud locally)
Storage storage = StorageOptions.getDefaultInstance().getService();
Bucket bucket = storage.create(BucketInfo.of("myBucketName"));

Notice how it doesn't say anything about auth at all. Application default credentials take care of picking the appropriate service account or user. That assumes you are in such an environment, though. If you have a private key .json file, you'd do this instead:

import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.storage.*;  // Bucket, BucketInfo, Storage, StorageOptions
import java.io.FileInputStream;
// PROJECT_ID is your project id; PATH_TO_JSON_KEY is the path to the service account's private key file (throws IOException if unreadable)
Storage storage = StorageOptions.newBuilder()
    .setProjectId(PROJECT_ID)
    .setCredentials(GoogleCredentials.fromStream(
        new FileInputStream(PATH_TO_JSON_KEY))).build();
Bucket bucket = storage.create(BucketInfo.of("myBucketName"));

And that's it!
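As an added example (my own code, not part of the original answer or of Google's libraries), here is a Java program that resolves Application Default Credentials, reports which kind of principal it resolved to (service account key, gcloud user credentials, or the metadata server), and narrows the token to the Cloud Storage scope before building the client. Class names and the scope URL come from google-auth-library-java and google-cloud-storage; the class name WhoAmI is my own.

```java
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.auth.oauth2.UserCredentials;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;
import java.util.Collections;

public class WhoAmI {
    // Narrowest Cloud Storage scope that still allows creating buckets and objects.
    static final String STORAGE_SCOPE = "https://www.googleapis.com/auth/devstorage.read_write";

    /** Describe which credential type ADC resolved to, so logs show which principal the app acts as. */
    static String describe(GoogleCredentials creds) {
        if (creds instanceof ServiceAccountCredentials) {
            return "service account " + ((ServiceAccountCredentials) creds).getClientEmail();
        } else if (creds instanceof UserCredentials) {
            return "user credentials from gcloud, OAuth client " + ((UserCredentials) creds).getClientId();
        } else if (creds instanceof ComputeEngineCredentials) {
            return "Compute Engine / App Engine metadata server identity";
        }
        return creds.getClass().getSimpleName();
    }

    public static void main(String[] args) throws IOException {
        // Resolution order: the key file named by GOOGLE_APPLICATION_CREDENTIALS, then gcloud's
        // application-default user credentials, then the metadata server on GCE / App Engine.
        GoogleCredentials creds = GoogleCredentials.getApplicationDefault();
        System.out.println("Running as: " + describe(creds));

        // Service account keys need scopes; ask only for Storage rather than cloud-platform.
        if (creds.createScopedRequired()) {
            creds = creds.createScoped(Collections.singletonList(STORAGE_SCOPE));
        }

        Storage storage = StorageOptions.newBuilder()
            .setCredentials(creds)
            .build()
            .getService();

        // List the buckets visible to this principal; a 403 here means the identity printed above lacks an IAM role on the project.
        for (Bucket b : storage.list().iterateAll()) {
            System.out.println(b.getName());
        }
    }
}
```

Running it once locally (where it should report gcloud user credentials) and once on the deployed VM (where it should report the metadata server identity) confirms the app is not accidentally shipping a developer's user credentials or a key file into production.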