0
votes

Google Cloud seems to offer 2 versions of their API client libraries: Google API Client Libraries and Google Cloud Client Libraries. The latter seems to be the successor to the former.

Now, the legacy Google API Client Libraries offered a way to create a ServiceAccountCredential from a certificate via a FromCertificate() method. I can't seem to find a way to do that in the Google Cloud Client Libraries. Seems like the only way to access a Google service using the Google Cloud Client Libraries when you're not running in GCP is to download a service account key (JSON) and store it in a file, then provide that to the libraries via an environment variable.

So, is auth from a certificate for Google Cloud Client Libraries not supported?

1
Your question seems to assume there are two different auth libraries - there aren't. You can authenticate in Google Cloud Client Libraries using a ServiceAccountCredential loaded with FromCertificate. See googleapis.github.io/google-cloud-dotnet/docs/… – Jon Skeet
Thanks for the comment, Jon. Sorry, I couldn't find where on that page you linked to that it described how you could use a ServiceAccountCredential to log into Google Cloud Client Libraries. I don't see ServiceAccountCredential listed on that page at all. – Kevin Wong
No, because it's not SAC-specific - it's any credential. Follow the UserCredential example, just using a ServiceAccountCredential. – Jon Skeet
Ah, thx. I'll try that. – Kevin Wong
This Cloud Pub/Sub playlist is EXCELLENT! youtube.com/… – Bruno Bronosky

1 Answer

2
votes

> So, is auth from a certificate for Google Cloud Client Libraries not supported?

Depends on the definition of auth using a certificate. Google Cloud SDKs and respective APIs do not support certificate authorization. The only part of a certificate that Google uses is the private key. The same private key that exists in both P12/PFX certificate files and JSON key files.

The P12/PFX certificate format is legacy and is no longer recommended. The newer JSON key format contains more information which improves items like key lookup during validation. However, the only required item is the private key which is the same for both formats but encoded differently (Binary versus PEM).

> Seems like the only way to access a Google service using the Google Cloud Client Libraries when you're not running in GCP is to download a service account key (JSON) and store it in a file, then provide that to the libraries via an environment variable.

I think you are making an incorrect assumption that you can create your own certificate file and use that for authorization. You can only use private keys that are generated by Google Cloud. Therefore you have the same limitation for both P12/PFX certificate files and for JSON key files. You must download both types unless you are using service account impersonation or running on a Google Cloud service that supports the Metadata server for fetching tokens.

> Now, the legacy Google API Client Libraries offered a way to create a ServiceAccountCredential from a certificate via a FromCertificate() method. I can't seem to find a way to do that in the Google Cloud Client Libraries.

The libraries support loading service accounts from JSON. You can extract the private key from a P12/PFX certificate, encode in PEM, build the JSON structure and proceed as if you originally had a service account in JSON key format.

On my website are a number of articles about P12 certificate service accounts including converting from P12 to JSON.

My advice is to switch to service accounts in JSON format.
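
The P12-to-JSON conversion described in the answer above, as an added example that is not part of the original answer or of any Google library. It assumes the third-party Python `cryptography` package; the function names, the service account email, the key ID placeholder and the key-only P12 built for the demo are constructed for illustration, and the JSON field names follow the key files Google issues.

```python
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import (
    BestAvailableEncryption, Encoding, NoEncryption, PrivateFormat,
    load_pem_private_key, pkcs12,
)

TOKEN_URI = "https://oauth2.googleapis.com/token"


def p12_to_json_key(p12_bytes, password, client_email, private_key_id):
    """Build a JSON-format service account key (as a dict) from a P12 key file."""
    # Raises ValueError on a wrong password or malformed PKCS#12 data.
    key, _cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password)
    if not isinstance(key, rsa.RSAPrivateKey):
        raise ValueError("P12 file does not contain an RSA private key")
    # Same key material, re-encoded from binary PKCS#12 to unencrypted PEM PKCS#8.
    pem = key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption())
    return {
        "type": "service_account",
        "private_key_id": private_key_id,  # placeholder; the real ID is assigned by Google
        "private_key": pem.decode("ascii"),
        "client_email": client_email,
        "token_uri": TOKEN_URI,
    }


def make_constructed_p12(password):
    """Constructed sample input: a throwaway key-only P12 so the demo runs offline."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    blob = pkcs12.serialize_key_and_certificates(
        b"constructed", key, None, None, BestAvailableEncryption(password))
    return key, blob


def same_key(info, original_key):
    """True if the PEM key in the JSON structure is the key that went into the P12."""
    loaded = load_pem_private_key(info["private_key"].encode("ascii"), None)
    return loaded.private_numbers() == original_key.private_numbers()


def demo():
    password = b"notasecret"  # constructed password for the sample P12
    original, blob = make_constructed_p12(password)
    info = p12_to_json_key(
        blob, password,
        "sa-name@example-project.iam.gserviceaccount.com",  # placeholder email
        "PLACEHOLDER_KEY_ID")
    return info, original
```

The resulting structure holds the private key unencrypted, so if it is written to disk the file should be readable only by the account that runs the client.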