Is there a way to call a Bigquery Rest API using service account? I need to push data from my powerapp to bigquery and I find the only way out is to create a custom connector. But due to org policies I am constrained to use a service account for authentication. I could not figure out a way to create a custom connector that authenticates through a service account. Following is my post on powerapps forum. Any help would be highly appreciated.
https://powerusers.microsoft.com/t5/Connector-Development/Big-query-connector-with-Service-Account-Authentication/m-p/1853380#M1739
Thanks,
Haripriya
Currently I am able to call BQ get api from a sample dataset with personal gmail credentials, but I get authentication error when I try with my org login. It is possibly because my org userId would not have permissions to query the API. I will have to use the service account that has the permissions. But I could not figure a way out to authenticate via a service account.
Related
I have a simple and free Google user account like this: my.name#gmail.com.
Im working with SomeCompany with a billable Google account. This company exposed a bucket to which im supposed to upload someFile.txt. The bucket url looks like this: https://console.cloud.google.com/storage/browser/SomeCompany-multi-44444
or, alternatively gsutil:
gs://SomeCompany-multi-44444
I can access and use this bucket (after auth prompt) from my browser.
Question: Can i access this bucket using API (preferably using Python oauth2client or gcloud) without creating (billable) Service account of my own? How? I fail to understand how to create an API authentication to this bucket without creating a service account which requires credit card. Is there something that SomeCompany have to do in order for me to succeed?
Yes, it's possible and reasonable.
Service accounts and user accounts are all Google identities (as are Groups).
The difference is that service accounts use two-legged auth and have a simpler flow. But, a user account is a valid identity and yours has been authorized to use the bucket.
The difference is that you need to use three-legged auth and exchange your credentials for an access token that you may use to authenticate to the service.
Here's a link to the Python Cloud Client Library section on using 3-legged (User) auth.
I am currently developing a client-side app where users login using e-mail/password against MongoDB Atlas. The backend runs completely serverless.
All logged in users should be able to upload and retrieve images from GCP - Storage bucket without a visible login, which means the application should authenticate for every user on the background.
I was thinking about using Google Service Accounts in combination with auth0, but I don't know where to start...
If someone could help me tell where to start, that would be great :)
The question is difficult to answer. However, here some insights.
The prefered way is to have a serverless backend, AppEngine standard, Cloud Run or Cloud Function for doing this. The user performs its authentication and then exchange security token between the frontend and the backend. When the user want to reach a GCP resource, it asks the backend, which request the request thanks to its own service account.
By the way, it's easy to trace the user request and to serve him only the resources related to it. And you have only 1 service account, for the backend
If you grant access to a bucket to a user, it could download all the files (But maybe there is one bucket per user?). If you chose to limit object access with ACL, the management is complex.
You don't need to have a service account per user (and in any case, you have a quota to 100 service accounts per project), you can use Cloud Identity Platform (CIP) instead of your MongoDB database for authentication (CIP don't perform authorization, you should use MongoDB for authorization and other stuffs related to authenticated user). CIP is Firebase Auth rebranded
I have a desktop application which I want to create a new service account for each user of my application.
Is there any API for creating the service account users on the fly?
Scenario: For each user, I want to give service account, and give this service account the data that this user needs.
The point is that I want to give every user some specific data from Google Cloud, but I want the user to get it directly from Google. I cannot use the user account, because I am not sure he have google account.
You can use the Google Identity and Access Management (IAM) API to programatically create service accounts.
However, creating a service account for each of your application's users is expensive and not scalable. Perhaps your service can have a single service account and then the service can control which of the resources that the user may access.
There is no Google Api that allows you to control projects on Google Developer console. The only thing that comes close is the Google Cloud Resource Manager API which is extremely limited in what it supports. You cant use it to create a service account.
Answer: The only way to create a new service account is to log in and do it though the Google Developers console.
I am trying to access YouTube Reporting API with a service account. But I am getting a 403 forbidden when trying to do youtubeReporting.jobs().list().execute().
YouTube Reporting API clearly supposed Server-to-server interaction.
Do I need to grant access to Youtube Reporting API for a google service account? If so, how?
FYI : I am not using google app domain.
You could create service credentials in the google console, but those credentials won't fix your issue. According to the docs,
The service account flow supports server-to-server interactions that do not access user information. However, the YouTube Reporting API and YouTube Analytics API do not support this flow. Since there is no way to link a Service Account to a YouTube account, attempts to authorize requests with this flow will generate an error.
It is p counter-intuitive-- (not to mention hard to locate)-- this info esp. since conceptually related YT APIs utilize service accounts, see here, and the reporting api actions wouldn't seem to need to be associated w/ a specific user account.
Unfortunately, if you use a service account for the Youtube Reporting API you will still end up with a 403 unauthorized caller error.
Instead, create and use web client google credentials. Store and use the token generated from the flow.
You can do that in the Cloud Platform Console. See https://support.google.com/cloud/answer/6158841?hl=en for details
Referring to the document https://developers.google.com/accounts/docs/OAuth2ServiceAccount, was able to obtain an access-token.The above mentioned document doesn't provide any details regarding the API's that can be accessed using Service Account.Can anyone list the API's which can be accessed using access-token obtained from Google service account?
Unfortunately, we don't have an exhaustive list of the support in this area. In general, you should be able to access a Google API if that API does not require the user to do something in a web interface to configure their account before doing API access. Service Accounts can't log in. So if the service needs some interactive input from a user on a Google wesite, often their APIs will not work with Service Accounts. Hope this helps.