Deploy to appengine with trusted connection? - google-app-engine

Is it possible to deploy an app to Google App Engine without it asking every time for email/password, with a schema like the one used by an SSH trusted connection (using stored secure keys)?

This is kind of what I was looking for:
https://developers.google.com/appengine/docs/python/tools/uploadinganapp#oauth
Basically, you add this parameter to the command line:
appcfg.py --oauth2 update myapp/
and it redirects to a browser, you authenticate there, and it stores a token so you don't need to log in each time.

Related

How do I view email using the Gmail API within a server environment? (Python)

I want to be able to retrieve emails from a Gmail inbox but I can't find a way to properly authenticate in a server environment. Traditional authentication uses this: https://developers.google.com/identity/protocols/oauth2 however I don't have access to a web browser with JavaScript within a server environment so I can't authenticate. A service account won't work because I won't be able to access the inbox of my main email address through it. Thanks.
The best solution I could find is to create the authentication tokens on a computer, then use a shell script to automate the transfer of the files over SSH onto the server.
If you have the permission to temporarily open a port on the server, then you can use the built-in authentication server:
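from google_auth_oauthlib.flow import InstalledAppFlow
flow = InstalledAppFlow.from_client_secrets_file(client_secret_file, scopes)
cred = flow.run_local_server(open_browser=False, port=port)  # prints the URL instead of opening a browser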
By setting open_browser to False, the script is going to print the URL to the command line. You can then open the link locally in your web browser, and after the successful authentication Google is going to redirect you with your token to the web server running on your server. You can see this functionality in action in a script I use to sort my email using machine learning.
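An added example, not part of the answer above: one way to cache the credential that run_local_server returns so the browser step happens only once, with the token file handled the way SSH handles a private key (owner-only, refused if anyone else can read it). It assumes a POSIX system; the names save_token, load_token, authorize_headless and token_path are hypothetical.

```python
import json
import os
import stat
import tempfile


def save_token(token_json: str, path: str) -> None:
    """Write the token atomically, readable and writable by the owner only."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(token_json)
        os.replace(tmp, path)  # atomic swap, never a half-written token
    except BaseException:
        os.unlink(tmp)
        raise


def load_token(path: str) -> dict:
    """Load the token, refusing files we do not own or that others can access."""
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        raise PermissionError(f"{path} mode {mode:o} is too open")
    with open(path) as fh:
        return json.load(fh)


def authorize_headless(client_secret_file, scopes, port, token_path):
    """Run the flow from the answer above once, then cache the result."""
    # Imported lazily so the storage helpers work without the Google library.
    from google_auth_oauthlib.flow import InstalledAppFlow

    flow = InstalledAppFlow.from_client_secrets_file(client_secret_file, scopes)
    cred = flow.run_local_server(open_browser=False, port=port)
    # to_json() includes the refresh token, so the file is a long-lived secret.
    save_token(cred.to_json(), token_path)
    return cred
```

The same permission check applies to a token file created on another machine and copied to the server: copy it with its mode preserved, or load_token will reject it.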

Private server for firebase admin

My question is if I'm using firebase and I also need to do backend stuff, i.e. send an email to the user, register the user in my database. Then I will also need firebase's admin service account set up to verify the user. Now, can I use my own server to run admin service account or does firebase/Google force me to use Google's app engine?
The Firebase Admin SDK can be run on any server that can run the code.
For example, the Admin SDK for Node.js is just a regular node module. This means it can be run on any node environment: your own server, on App Engine Flex/GCE/GKE/etc, or on the serverless Cloud Functions for Firebase. All work equally fine.

Google AppEngine Datastore admin tool authentication error

When I try to open the google appengine datastore admin tool it redirects me to:
https://ah-builtin-python-bundle-dot-myapp.appspot.com/_ah/login_required?continue=https://ah-builtin-python-bundle-dot-myapp.appspot.com/_ah/datastore_admin%3Fapp_id%3Dmyappid
and gives me a 500 error.
According to this appengine bug report:
https://code.google.com/p/googleappengine/issues/detail?id=10150&q=%22datastore%20admin%22&colspec=ID%20Type%20Component%20Status%20Stars%20Summary%20Language%20Priority%20Owner%20Log
"This looks to be a problem because you are using non-default authentication scheme.
Are you using user service/Google Accounts API for authentication of users inside your application? If not, consider changing your authentication method.
If you are, then you'll need to setup a custom domain and access the datastore admin via:
https://ah-builtin-python-bundle-dot-
so that the correct authentication cookies can be used."
I'm using simpleauth for authentication and have a custom domain with an ssl certificate.
I would love to be able to back up my datastore data; it's a pretty big risk for my site if I can't!
Any ideas?
Must have been a problem on Google's end, because when I tried again a few months later it magically worked.

Where are the deployment parameters and credentials stored?

I am trying out the tutorial at https://console.cloud.google.com/start/appengine?project=xxxxx.
I am able to launch the app on my machine and browse it at port 8080. However when I click Deploy in the GAE Launcher, the app is deployed to localhost:8080 instead of to Google.
How do I deploy to Google's server?
My developer console is as follows:
I found the cause.
The credentials are stored in the file C:\Users\xxx\.appcfg_oauth2_tokens.
When I did the first deployment attempt, the default browser was already logged into a Google account different from the one that created the app in Google's developer console, and I absent-mindedly authorized it. As a result, the tokens file contains the wrong credentials.
By deleting the tokens file, I was prompted to log in again and could deploy properly.

Google Endpoints: How does the IDE (or terminal) authenticate to GAE when uploading code?

I am new to Google Endpoints and Datastore. I've followed several tutorials, among which this one for example: https://github.com/GoogleCloudPlatform/endpoints-codelab-android
My question is: what is the security mechanism that is used when we deploy the Endpoints backend application to Google App Engine? How does Google App Engine know you are the owner of the project? And I have this same question both for deployment through a terminal (See Step 6 of above tutorial) and for deployment through an IDE (e.g. through Maven in Eclipse).
I imagine that somehow the terminal (or the IDE) gets your credentials from the browser, which is logged in to the GAE console but I am not sure at all this is the good explanation.
Thanks! :-)
There are several ways to authenticate when deploying to Google App Engine. The recommended method uses OAuth2 to authenticate with Google (see below for another method). OAuth2 is the method used in the tutorial you mentioned (search for oauth in the link you sent), and is activated by the setting
appcfg {
    oauth2 = true
}
in the build.gradle file of that tutorial. If you prefer the command-line appcfg interface, use the flag appcfg --oauth2.
When you installed the Google Cloud SDK, you were shown a web page in which you authorized the SDK to access and modify various Google Cloud services, including App Engine. The SDK locally stores a token which indicates that it is allowed to deploy to App Engine under your username. The oauth2 = true line tells appcfg to request access to App Engine using this token.
If you like, you can view (and revoke) this authorization by navigating to Google's Account Permissions page. You should see an entry for Google Cloud SDK, and clicking on it will show you that the SDK is authorized to access App Engine. If you click on "Revoke", the locally stored token will no longer be valid and you will need to re-authorize in order to use most of the Cloud SDK functionality.
If for some reason you do not want to rely on oauth2 (for example, if for security reasons you want to enter a password every time you deploy), then you can remove the oauth2 = true line (or the --oauth2 command-line argument). This will cause appcfg to prompt for your Google username and password each time you deploy. However, this is a lot less convenient, both because appcfg will not store your password, and because it does not support 2-factor authentication. So, if your Google account uses 2-factor authentication (which is really recommended), you will need to use an App Password with this approach.
