Is it possible to identify the user whose credentials are used to call the Google Cloud API?

Question

Question:

Is there a Google Cloud API call I can use to identify the user whose credentials are being used to call the Google Cloud API?

Details:

My objective is to dynamically provision an SSH key to an EC2 Instance for one-time use, so I'm editing a Compute Instance's ssh-key metadata to include the public portion of the SSH key on the fly. GCloud requires that I include a username when specifying the SSH key, and I'd like to use the name of the user whose credentials are being used to add the SSH key via the Google Cloud API.

Looking at the IAM API, and Compute Engine API, I don't see any API calls that I can make to identify the currently calling user. In AWS, I have https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html, which does exactly what I want.

Does Google Cloud's API support this feature? Or is there some other hack I could use?

Update: I discovered that in fact, I don't need this feature to accomplish my use case! The "username" GCP asks for is the Linux user I'll use to SSH into the Compute Instance, not the GCP user.

Answer 1

You can use Google's tokeninfo end point to return information about the current authenticated user. An example in Python is shown below. The "id tokens" that Google users are actually JWTs, which are base64-encoded JSON payloads, separated by ".". You can also parse those directly to get the identity, without needing a remote call. For more information, see Google's tokeninfo documentation.

import google.auth.transport.requests
import requests
credentials, project_id = google.auth.default()
credentials.refresh(google.auth.transport.requests.Request())
print('project id:', project_id)
print('id token:', credentials.id_token)
response = requests.get('https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=' + credentials.id_token)
print('tokeninfo:')
print(response.text)