 

Get service account auth token without gcloud?

Is it possible to get an authorization bearer token for a Google Cloud service account without the use of gcloud?

That is, I would like to make an HTTP request (presumably signed in some way by my JSON key file) that would provide me the equivalent of

gcloud auth application-default print-access-token 

This request would be made on my own server, where I may not wish to install gcloud and where I do not have access to any internal server metadata that might provide this (e.g., as is the case with Compute Engine).

Is there some oauth endpoint that provides something like this?

Alternately, is there some way to generate long-lived tokens with gcloud?

I'm new to the Google Cloud ecosystem, so excuse my ignorance and terminology...

Jacob Brown asked Nov 01 '17 17:11




2 Answers

I think that this is exactly what you are looking for:

https://developers.google.com/identity/protocols/OAuth2#serviceaccount

Honestly I don't think that what you were trying to achieve was correct, running

gcloud auth application-default print-access-token 

you get a token that is not intended to do what you were looking for:

"This command is useful when you are developing code that would normally use a service account but need to run the code in a local development environment where it's easier to provide user credentials."

This should guide you a bit more in the implementation of this solution: https://developers.google.com/identity/protocols/OAuth2ServiceAccount

GalloCedrone answered Oct 23 '22 08:10
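The service-account flow behind the links in the answer above, written out by hand as an added example (not code from the answer or from Google's libraries): it builds the RS256-signed JWT assertion and the form body that is POSTed to the token endpoint. The key is a throwaway generated in-process and the account name is constructed; no network request is made.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

const tokenURL = "https://oauth2.googleapis.com/token"
// Constructed throwaway key; a real caller parses private_key from the JSON key file.
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048)
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signedAssertion builds the RS256 JWT; exp may be at most one hour after iat.
func signedAssertion(key *rsa.PrivateKey, email, scope string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{"iss": email, "scope": scope,
		"aud": tokenURL, "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// tokenRequestBody is the form body to POST to tokenURL.
func tokenRequestBody(assertion string) string {
	return url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
		"assertion":  {assertion},
	}.Encode()
}

func main() {
	jwt, err := signedAssertion(demoKey, "demo@example-project.iam.gserviceaccount.com", // constructed
		"https://www.googleapis.com/auth/cloud-platform", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(tokenRequestBody(jwt))
}
```

Sent with Content-Type application/x-www-form-urlencoded, the body returns JSON whose access_token is the bearer token and whose expires_in gives its lifetime in seconds. The private key in the JSON file is the long-lived secret here, so it is the thing to protect and rotate.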


Here's what it looks like in golang:

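    package main

    import (
        "context"
        "fmt"
        "log"

        "google.golang.org/api/compute/v1"
        "google.golang.org/api/option"
        "google.golang.org/api/transport"
    )

    func main() {
        ctx := context.Background()
        // Loads Application Default Credentials, e.g. the JSON key file named by GOOGLE_APPLICATION_CREDENTIALS.
        creds, err := transport.Creds(ctx, option.WithScopes(compute.CloudPlatformScope))
        if err != nil {
            log.Fatal(err)
        }
        token, err := creds.TokenSource.Token()
        if err != nil {
            log.Fatal(err)
        }
        fmt.Println(token.AccessToken) // the bearer token
    }
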
Roman answered Oct 23 '22 07:10