Authenticate service account without downloaded key on google app engine

Question

I am working on a product that is supposed to be installed in Google App Engine.

In this I am using Service account for authenticating Gmail API, Drive API, Calendar API etc.

Its working fine with downloaded P12 file as authentication. But as its product I don't want client to download and upload on app on every install.

Can there be a way to authenticate it without privatekey file or using that API without service account.

In below page its mentioned that there is System-managed key-pairs are managed automatically by Google. Can it be helpful? I did't find any example of it.

https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys

In below link it suggest that for Google Cloud Platform I should use Google Managed Key https://cloud.google.com/iam/docs/understanding-service-accounts

Can this key used without downloaded file ?

Thanks

Answer 1

I could achieve it by IAM API https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys

Below is Java code for it

AppIdentityCredential credential = new AppIdentityCredential(
                Arrays.asList("https://www.googleapis.com/auth/cloud-platform"));
Iam iam = new Iam(httpTRANSPORT, jsonFACTORY, credential);
try {
    Iam.Projects.ServiceAccounts.Keys.Create keyCreate = iam.projects().serviceAccounts().keys()
                    .create("projects/myProject/serviceAccounts/myProject@appspot.gserviceaccount.com", new CreateServiceAccountKeyRequest());

    ServiceAccountKey key = keyCreate.execute();

} catch (IOException e) {
    System.out.println(e.getMessage());
}

Any key can be used to generate GoogleCredential as below

InputStream stream = new ByteArrayInputStream(key.decodePrivateKeyData());
GoogleCredential credential = GoogleCredential.fromStream(stream);