How to get Google OAUTH Token without using Gcloud Command Line

Question

I am currently using the following code to get the OAUTH Token

command = 'gcloud auth print-access-token'
result = str(subprocess.Popen(command, universal_newlines=True, shell=True, stdout=subprocess.PIPE, 
stderr=subprocess.PIPE).communicate())

The result variable has the OAUTH Token. This technique uses my current logged in gcloud config.

However, I am looking out for a way to get the OAUTH Token without using command line. I am using this OAUTH Token to make CDAP calls to get the Google Dataflow Pipeline Execution Details.

I checked some google blogs. This is the one I think should try but it asks to create consent screen and it will require one time activity to provide consent to the scopes defined and then it should work. Google Document

Shall I follow steps in above document and check OR is there any other way we can get the OAUTH Token? Is there a way to get authentication done by service account instead of google user account and get the OAUTH Token?

Answer 1

For automated process, service account is the recommended way. You can use the google-oauth library for this. You can generate an access token like this

    # With default credential (your user account or the Google Cloud Component service account. 
    # Or with the service account key file defined in the GOOGLE_APPLICATION_CREDENTIALS env var -> for platform outside GCP)
    credentials, project_id = google.auth.default(scopes=["https://www.googleapis.com/auth/cloud-platform"])
    # With service account key file (not recommended)
    # credentials = service_account.Credentials.from_service_account_file('service-account.json',
    #    scopes=["https://www.googleapis.com/auth/cloud-platform"])
    from google.auth.transport import requests
    credentials.refresh(requests.Request())
    print(credentials.token)

However, if you want to call Google cloud APIs, I recommend you to use authorized request object

Here an example of BigQuery call. You can use service account key file to generate your credential as in my previous example.

    base_url = 'https://bigquery.googleapis.com'

    credentials, project_id = google.auth.default(scopes=['https://www.googleapis.com/auth/cloud-platform'])
    project_id = 'MyProjectId'
    authed_session = AuthorizedSession(credentials)
    response = authed_session.request('GET', f'{base_url}/bigquery/v2/projects/{project_id}/jobs')
    print(response.json())

EDIT

When you want to use Google APIs, a service account key file is not needed (and I recommend you to not use it) on your computer and on GCP component. The Application Default Credential is always sufficient.

• When you are in your local environment, you must run the command gcloud auth application-default login. With this command, you will register your personal account as default credential when you run locally your app. (of course, you need to have your user account email authorized on the component that you call)
• When you are on GCP environment, each component have a default service account (or you can specify one with you configure your component). Thanks to the component "identity", you can use the default credential. (of course, you need to have the service account email authorized on the component that you call)

ONLY when you run an app automatically and outside GCP, you need a service account key file (for example, in your CI/CD other that Cloud Build, or in an app deployed on other Cloud Provider or on premise)

Why service account key file is not recommended? It's at least my recommendation because this file is ..... a file!! That's the problem. You have a way to authenticate a service account in a simple file: you have to store it securely (it's a secret and an authentication method!!), you can copy it, you can send it by email, you can even commit it in a public GIT repository... In addition, Google recommend to rotate them every 90 days, so it's a nightmare to rotate, to trace and to manage