Reputation: 31610
I'm using the GCP Python API.
The GOOGLE_APPLICATION_CREDENTIALS environment variable wants the path to a GCP account's JSON key.
Is there another variable that can accept the contents of that file instead of the path? This would be convenient.
Upvotes: 10
Views: 10939
Reputation: 318
According to the google-oauth docs for the service account module, you can create the credentials with one of the helper constructors for a file or also for already loaded json data.
To create credentials using a Google service account private key JSON file:
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file('service-account.json')
Or if you already have the content of the service account file loaded from somewhere:
import json
with open('service_account.json') as f:  # close the key file once it is parsed
    service_account_info = json.load(f)
credentials = service_account.Credentials.from_service_account_info(
    service_account_info)
Upvotes: 4
Reputation: 906
There is no other variable that can be used instead of GOOGLE_APPLICATION_CREDENTIALS. Most Google client code uses the GOOGLE_APPLICATION_CREDENTIALS environment variable to designate a path to the credentials JSON file to open. And this setup is used to determine the appropriate service accounts to be used when your application code is deployed to the Google Cloud Platform.
As suggested by red888, as an alternative to using the GCP Python API, you can use the Python Client Library.
Upvotes: 1
Reputation: 3739
I recommend that you not rely on GOOGLE_APPLICATION_CREDENTIALS, but rather use the client libraries to read credentials from the runtime environment. This greatly simplifies key distribution and management, as well as security.
When you create App Engine/GKE/GCE instances, you control which service account is installed to the respective instance's metadata server (it's an option to the create commands). The client libraries will by default look up the credentials there. See this page and this page for relevant documentation regarding the metadata server. Just remember to specify the key when you create your environments; it will by default use the compute service's service account key.
For your localhost environment, you manage the default application credentials with gcloud auth application-default login. The proper way to use service accounts on localhost is not to download the key, but rather grant your user "act as" privileges for the service account. This way your users always only authenticate as themselves, and the service account keys don't have to be distributed to everyone. If someone leaves your company, the only secret they've had access to is their own user.
See this page in the documentation for authenticating with Python.
Upvotes: 1
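An added example, not part of any answer above: it combines from_service_account_info from the first answer with the default-credentials lookup recommended in the last one. The variable name GCP_SA_KEY_JSON and both function names are assumptions made for this sketch; Google's libraries do not read that variable, and the google-auth package is only imported when credentials are actually built.

```python
import json
import os

# Hypothetical variable name chosen for this example.
KEY_JSON_ENV = "GCP_SA_KEY_JSON"
REQUIRED_FIELDS = ("client_email", "private_key", "token_uri")


def load_service_account_info(environ=os.environ):
    """Return the parsed key dict from KEY_JSON_ENV, or None if it is unset.

    Error messages never contain the variable's value, so a malformed key
    does not end up in logs or tracebacks.
    """
    raw = environ.get(KEY_JSON_ENV)
    if not raw:
        return None
    try:
        info = json.loads(raw)
    except json.JSONDecodeError:
        # "from None" drops the chained exception, whose .doc holds the raw text.
        raise ValueError(f"{KEY_JSON_ENV} is not valid JSON") from None
    if not isinstance(info, dict) or info.get("type") != "service_account":
        raise ValueError(f"{KEY_JSON_ENV} is not a service account key")
    missing = [name for name in REQUIRED_FIELDS if not info.get(name)]
    if missing:
        raise ValueError(f"{KEY_JSON_ENV} is missing fields: {', '.join(missing)}")
    return info


def get_credentials(environ=os.environ, scopes=None):
    """Use key contents from the environment if set, else default credentials."""
    info = load_service_account_info(environ)
    if info is not None:
        from google.oauth2 import service_account  # lazy import; needs google-auth
        return service_account.Credentials.from_service_account_info(info, scopes=scopes)
    import google.auth  # metadata server, gcloud application-default login, etc.
    credentials, _project = google.auth.default(scopes=scopes)
    return credentials


if __name__ == "__main__":
    # Constructed sample value, not a real key.
    sample = {KEY_JSON_ENV: json.dumps({
        "type": "service_account", "private_key": "PLACEHOLDER",
        "client_email": "svc@example-project.iam.gserviceaccount.com",
        "token_uri": "https://oauth2.googleapis.com/token"})}
    print(load_service_account_info(sample)["client_email"])
```

A key held in an environment variable is readable by anything that can inspect the process environment, so the fallback path with no key at all remains the lower-exposure option.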