I followed the following documentation by Google to create ML engine and I deployed my online predicator there:
https://cloud.google.com/ml-engine/docs/scikit/quickstart
I know that it's possible to access to the engine by RESTful api as described in below:
https://cloud.google.com/ml-engine/docs/v1/predict-request#request-body
But I want all clients can access the API related to my model without OAuth or any type of authentication. How can I do this?
You can do this by granting modelUser role for that model to allUsers as follows:
gcloud ml-engine models add-iam-policy-binding mymodelname --member allUsers --role roles/ml.modelUser
You have to code your server to do that. You can have your server perform the API calls. Your clients simply access a frontend you designed to provide their parameters and your server makes the actual call. All the quota/charges would be with your API key, but the requests will be done with your Client's parameters.
Related
I have a rest API hosted in Google App Engine. (API lives in a Docker container in the Flexible environment).
I need to support only internal API calls (from another service in the same App Engine Project) and for developer testing be able to call it directly (I don't want user authentication, but I should be able to access it still using the application_default_credentials...I'm just unsure how)
Can you direct me to documentation or examples of how to set this up?
The Google documentation is very lacking.
You have several options, including the following:
The App Engine documentation states that the recommended approach is OAuth for microservices that require authentication.
A second option is to use Cloud Endpoints with service account authentication.
Third, you can use Identity-Aware Proxy to secure the server. Clients can get an identity token from the metadata server.
In the Developer Console UI I cannot edit data as expected with this 'can view' user. However I am able to write to datastore by connecting to our Remote API Servlet on App Engine. From what I can tell, you can only apply an admin security constraint to servlets on App Engine but this still opens it up to all members of the project wether they are an owner, can write or can view. And then I'm guessing the Remote Api uses the default app engine service account which has write permissions.
Is there any way to completely lock an account down to be read only if you also want to use the Google Remote API? Is this not considered a flaw with the Remote API?
This is intended behaviour. Any administrator of the app - no matter in what role - can access the app using the remote api. Remote API does not use the default service account, it is merely a bridge to the datastore API that is tunneled over HTTP.
If you want to lock down to read for a given user, build your own REST Api that provides readonly access.
When employing the Remote API for Java for accessing another application's GAE datastore (as suggested here), do I have to use an admin password (as shown in sample code) or can I use service account credentials instead. Calls to the Remote API should originate in an App Engine Client, so non-password authentication seems to be the (only) sensible choice.
Of course you can! It's as simple as that: RemoteApiOptions.useServiceAccountCredential
PS: You'll have to create a service account and download the key first. You have to grant the "AppEngine Admin"-role to the service account.
I've got a google spreadsheet owned by a GAE service account and I want my GAE Python app to update a cell in one of the rows.
Based on some reading, these are my findings:
the spreadsheets service is old-school. It's a Google Data API and most Google services are now on the Google API platform. For Google API services, one can use a service account to do two-legged oauth2 access, but not for Google Data API services. Oh, it seems one can do two-legged oauth on Google Data API services, but only if the app is on a Google Apps domain (which mine isn't)
I could implement a similar effect (i.e. a user of the app can use data in my spreadsheet and doesn't need to login or authorize in any way) by using my personal account. There's a complicated way that involves me to authorize the app once, store the token and reuse it when a user uses the app. There's another way, which is to use client login (i.e. I embed my personal login and password in the code and use it to authorize the app to access the data in my spreadsheet)
This latter approach seems fairly safe as well, but of course I must be very careful that my source code will not be exposed. The authorization is between the GAE app and the Google Data Spreadsheets API, so the actual user's machine is not involved at all.
My spreadsheet is owned by the service account and shared with my personal account.
Note that my app is also using the Google Drive API (to access some personal Drive files, also shared between me and the GAE service account), so for that it will authorize using the service account.
Can someone confirm that my findings are correct and this approach is sound?
You can use gdata.spreadsheets.client (Google Data API) on the OAuth2 (Google API platform) flow.
https://github.com/HatsuneMiku/googleDriveAccess
It uses 'oauth2client-gdata-bridge'.
I want to implement some form of access control for a REST API implemented in App engine. Is it possible to get the list of GAE Applications that a user has permissions to administer or view in the app engine console. Or whether the user has permissions to administer/view the current application.
Note: the Users API does not work for me because this is a rest server called by another google app not a web service called by a user from the browser. OAuth API seems promising but I was unable to find an OAuth scope or rest endpoint for getting GAE related information.
there is no API that can provide a "list of GAE Applications that a user has permissions to administer." Google Cloud Endpoints on App Engine (Trusted Tester program) may be useful for hosting custom RESTful APIs with user authorization may be useful, read more here: http://endpoints-trusted-tester.appspot.com/
There must be an API as the Google Eclipse plugin is using it.
https://developers.google.com/eclipse/docs/signin?hl=de
But it is not documented.