Reputation: 71
Google Cloud Service Account VS. End User Account
I am currently learning GCP and need to run a python notebook in a VM Instance. When opening the shell of my VM, I ran the following code:
sudo install python-pip
pip install --upgrade google-api-python-client
pip install --upgrade google-cloud-datastore
gcloud auth application-default login
And then I loaded my python notebook. When running this code to launch the notebook:
python mynotebook.py
I get the following error:
/home/rnby87/.local/lib/python2.7/site-packages/google/auth/_default.py:66: UserWarning: Your application has authenticated using end user credentials from Google Cloud SDK. We recommend that most server applications use service accounts instead. If your application continues to use end user credentials from Cloud SDK, you might receive a "quota exceeded" or "API not enabled" error. For more information about service accounts, see https://cloud.google.com/docs/authentication/warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING)
I'm running the python code from the Google Cloud SDK Documentation (https://cloud.google.com/datastore/docs/datastore-api-tutorial)
from google.cloud import datastore
def create_client(project_id):
return datastore.Client(project_id)
Any help is much appreciated! Thank you!
Upvotes: 2
Views: 3836
Answers (1)
Reputation: 81336
For the Google Cloud SDK and the CLI you should be using service account credentials.
Step 1: Create a service account and download
- Login to the Google Cloud Console.
- Go to IAM & admin -> Service accounts
- Click CREATE SERVICE ACCOUNT
- Enter a Service account name and Service account description
- Click CREATE
- In the next screen Service account permissions, select a role.
- Add desired roles.
- Click CONTINUE
- Click Create key
- Check the JSON radio button for the Key type
- Save the json file to your computer.
- Since you are running in a VM, upload to the VM.
Step 2: Configure gcloud and the SDKs to use the service account.
You will need the email address of the service account (which is also stored in the Json file) and the service account file name.
Run this command from a shell in your VM:
gcloud auth activate-service-account SERVICE_ACCOUNT_EMAIL_ADDRESS --key-file=service_account_filename.json
Step 3: Verify that your credentials are working:
gcloud auth list
You should see your service account listed with an asterisk in the left column (which desigates the account account).
Note: Since you are running inside a Google virtual machine (GCE) instance, an advanced user will often use the Compute Engine Default Service Account for credentials. I recommend learning how to use a service account Json file first.
Step 4: Specify the service account
Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to point to your service account json file. This is an example, change the path to your path.
For Linux:
export GOOGLE_APPLICATION_CREDENTIALS="/home/username/[FILE_NAME].json"
For Windows:
set GOOGLE_APPLICATION_CREDENTIALS="c:\Users\username\[FILE_NAME].json"
Step 5: Optionally specify the service account when creating the service client:
from google.cloud import datastore
def create_client(project_id):
return datastore.Client(project_id).from_service_account_json('service_account_filename.json')
Upvotes: 7
Related Questions
- What are the differences between GCP service accounts and user accounts?
- GCP Authentication OAuth vs Service Accounts
- Python API using User Account to use User GCP Services (Storage, Engines, etc)
- What is significant difference in GCP default service account & custom service account?
- Google API user creation with service account
- Difference between Google managed service account and default service account in GCP
- GCP service accounts use case
- Why service account based authentication is preferred over user accounts
- GCP Client vs Cloud API Authentication
- Service accounts inconsistencies