If I create custom service account with limited permissions, can I set this new service account to be the Application Default Credential?
By default inside app engine there is environment variable GOOGLE_APPLICATION_CREDENTIALS, that is set to the (ADC), which is the default service account credentials. Can I modify this?
I am aware that I can set this environment variable to point to my custom service account credentials file locally, but I do not see a clear way to do this in app engine.
ADC is not a credential. ADC is a method of finding credentials.
Google Cloud Application Default Credentials
App Engine Standard uses one default service account per project. All App Engine Standard services in a project use the same service account. You can modify the default service account but you cannot change the default service account to use a different service account (as you can with Compute Engine).
If you decide to create a new service account for usage within your application, do not store the service account in your application. This means forget about GOOGLE_APPLICATION_CREDENTIALS. Instead, store the service account in Google Secret Manager (better) or Google Cloud Storage (OK with the right permissions). Load the service account JSON data during application startup.
Google Secret Manager
Related
I am following this tutorial to use Google Cloud Storage from my AppEngine application. Older storage libraries are working fine, but after migrating to Google Cloud Java Libraries, I can't read my buckets anymore.
This is the tutorial I am following: https://github.com/googleapis/java-storage
In which the key part is the usage of Application Default Credentials: https://github.com/googleapis/java-storage#creating-an-authorized-service-object
To make authenticated requests to Google Cloud Storage, you must create a service object with credentials. You can then make API calls by calling methods on the Storage service object. The simplest way to authenticate is to use Application Default Credentials. These credentials are automatically inferred from your environment, so you only need the following code to create your service object:
Storage storage = StorageOptions.getDefaultInstance().getService();
I hope to be able to do this because this is running inside AppEngine, so Storage lives in the same project as the AppEngine code.
I am using the default service account. This service account has "owner" role in IAM configuration, and "storage object administrator" in the bucket itself.
However, I keep getting this login error:
com.google.cloud.storage.StorageException: Anonymous caller does not have storage.buckets.get access to the Google Cloud Storage bucket.
at com.google.cloud.storage.StorageException.translate(StorageException.java:118)
at com.google.cloud.storage.spi.v1.HttpStorageRpc.translate(HttpStorageRpc.java:287)
at com.google.cloud.storage.spi.v1.HttpStorageRpc.get(HttpStorageRpc.java:479)
at com.google.cloud.storage.StorageImpl.lambda$get$4(StorageImpl.java:270)
at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:103)
at com.google.cloud.RetryHelper.run(RetryHelper.java:76)
at com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50)
at com.google.cloud.storage.Retrying.run(Retrying.java:54)
at com.google.cloud.storage.StorageImpl.run(StorageImpl.java:1406)
at com.google.cloud.storage.StorageImpl.get(StorageImpl.java:269)
Probably I am missing some configuration or IAM access. Thank you in advance.
I created a service account to use Gooogle Drive API's to store and retrieve data in the Drive. I used PyDrive Package to make this process simpler. The problem is the data gets stored in the service account, is there a way to store it in my user account? The service account only offers 15GB storage space, so it would be nice to store it in my User account.
PyDrive can be used to directly same to my user account but it requires a human intervention for authorization. This is not feasible since a cron job is used to store the files.
Any answers are welcome, thanks in advance!
It is not possible to use the "user account" storage for regular accounts. In the Google documentation they mention:
"Typically, an application uses a service account when the application uses Google APIs to work with its own data rather than a user's data. For example, an application that uses Google Cloud Datastore for data persistence would use a service account to authenticate its calls to the Google Cloud Datastore API.
G Suite domain administrators can also grant service accounts domain-wide authority to access user data on behalf of users in the domain."
I have setup a compute engine instance for centralised maintenance and updating of App Engine Flex instances. One reason for this is to keep the database and other credentials inside the Google Project and not to store them on local development machines.
When I am trying to flex deploy with
gcloud app deploy
I get an error
ERROR: (gcloud.beta.app.deploy) Permissions error fetching application [<project here>]. Please make sure you are using the correct project ID and that you have permission to view applications on the project.
Service account is default compute engine account and I have enabled Editor role for it in the IAM. I also tried enabling all App Engine roles but it did not change the situation.
Is there a way to make deployments from Compute Engine and if so what would be the correct credentials or am I missing some steps here?
I created a new Compute Engine Instance and tried issuing the same command as you are running. I also encountered the same issue. Here is how I've managed to resolve it.
1) Stop the instance
2) Navigate to IAM > Service Accounts > Create Service Account
3) Create a new service account and ensure you add roles for 'App Engine Admin'or 'App Engine Deployer' in addition to 'Storage Admin', 'Project Editor' and 'Cloud Container Builder Editor' to the service account. So in total you should have a minimum of 4 roles assigned to the service account, plus any other roles you think you may need for your application.
4) Edit the stopped instance (from step 1) and change the service account to the new service account you created.
When you restart the instance you should now have the correct permissions/roles to deploy your App Engine Flex App from the instance.
There was an authorisation issue because the Compute Engine default service account isn't assigned the roles required for deploying applications to App Engine flex, as various APIs are utilised in this process. By assigning the roles required for App Engine Flex deployments to a new service account, and then adding the service account to the instance, the instance then has the required authorisation to interact with other GCP APIs needed for App Engine Flex deployments.
When employing the Remote API for Java for accessing another application's GAE datastore (as suggested here), do I have to use an admin password (as shown in sample code) or can I use service account credentials instead. Calls to the Remote API should originate in an App Engine Client, so non-password authentication seems to be the (only) sensible choice.
Of course you can! It's as simple as that: RemoteApiOptions.useServiceAccountCredential
PS: You'll have to create a service account and download the key first. You have to grant the "AppEngine Admin"-role to the service account.
In Google App Engine, you can create User objects with any email adress. These accounts will just not be conected with a google account. Is there a way to set the current user to such a user, without rolling my own session management, or using sessions from webapp2?
App Engine Users API support Google Account or OpenID identifier.
If you need something different you have to implement users management yourself (or using a third party library like webapp2.extras)