What and how to pass credential using using Python Client Library for gcp compute API

Question

I want to get list of all instances in a project using python google client api google-api-python-client==1.7.11 Am trying to connect using method googleapiclient.discovery.build this method required credentials as argument

I read documentation but did not get crdential format and which credential it requires

Can anyone explain what credentials and how to pass to make gcp connection

Answer 1

According to GCP most recent documentation:

we recommend you use Google Cloud Client Libraries for your application. Google Cloud Client Libraries use a library called Application Default Credentials (ADC) to automatically find your service account credentials

In case you still want to set it manaully, you could, first create a service account and give all necessary permissions:

# A name for the service account you are about to create:
export SERVICE_ACCOUNT_NAME=your-service-account-name

# Create service account:
gcloud iam service-accounts create ${SERVICE_ACCOUNT_NAME} --display-name="Service Account for ai-platform-samples repo"

# Grant the required roles:
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com --role roles/ml.developer
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com --role roles/storage.objectAdmin

# Download the service account key and store it in a file specified by GOOGLE_APPLICATION_CREDENTIALS:
gcloud iam service-accounts keys create ${GOOGLE_APPLICATION_CREDENTIALS} --iam-account ${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com

Once it's done check whether the ADC path has been set properly by checking:

echo $GOOGLE_APPLICATION_CREDENTIALS

Having set the ADC path, you don't need to import from code the service access key, which undesirable, so the code looks as follows:

service = googleapiclient.discovery.build(<API>, <version>,cache_discovery=False)

Answer 2

The credentials that you need are called "Service Account JSON Key File". These are created in the Google Cloud Console under IAM & Admin / Service Accounts. Create a service account and download the key file. In the example below this is service-account.json.

Example code that uses a service account:

from googleapiclient import discovery
from google.oauth2 import service_account

scopes = ['https://www.googleapis.com/auth/cloud-platform']
sa_file = 'service-account.json'
zone = 'us-central1-a'
project_id = 'my_project_id' # Project ID, not Project Name

credentials = service_account.Credentials.from_service_account_file(sa_file, scopes=scopes)

# Create the Cloud Compute Engine service object
service = discovery.build('compute', 'v1', credentials=credentials)

request = service.instances().list(project=project_id, zone=zone)
while request is not None:
    response = request.execute()

    for instance in response['items']:
        # TODO: Change code below to process each `instance` resource:
        print(instance)

    request = service.instances().list_next(previous_request=request, previous_response=response)

Answer 3

Application default credentials are provided in Google API client libraries automatically. There you can find example using python, also check this documentation Setting Up Authentication for Server to Server Production Applications.