0

To use Google API's, after activating them from the Google Developers Console, one needs to generate credentials. In my case, I have a backend that is supposed to consume the API server side. For this purpose, there is an option to generate what the Google page calls "Key for server applications". So far so good.

The problem is that in order to generate the key, one has to mention IP addresses of servers that would be whitelisted. But GAE has no static IP address that I could use there.

There is an option to manually get the IP's by executing:

dig -t TXT _netblocks.google.com @ns1.google.com

However there is no guarantee that the list is static (further more, it is known to change from time to time), and there is no programatic way I could automate the use of adding IP's that I get from dig into the Google Developers Console.

This leaves me with two choices:

  1. Forget about GAE for this project, ironically, GAE cannot be used as a backend for Google API's (better use Amazon or some other solution for that). or
  2. Program something like a watchdog over the output of the dig command that would notify me if there's a change, and then I would manually update the whitelist (no way I am going to do this - too dangerous), or allow all IP's to use the Google API granted it has my API key. Not the most secure solution but it works.

Is there any other workaround? Can it be that GAE does not support consuming Google API's server side?

orcaman
  • 6,263
  • 8
  • 54
  • 69

2 Answers2

1

You can use App Identity to access Google's API from AppEngine. See: https://developers.google.com/appengine/docs/python/appidentity/. If you setup your app using the cloud console, it should have already added your app's identity with permission to your project, but you can always check that out. From the "Permissions" Tab in cloud console for your project, make sure your service account is added under "Service Accounts" (in the form of your_app_id@appspot.gserviceaccount.com)

Furthermore, if you use something like the JSON API Libs available for python, you can use the bundled oauth2 library to do all of this for you using AppAssertionCredentials to authorize the API you wish to use. See: https://developers.google.com/api-client-library/python/guide/google_app_engine#ServiceAccounts

someone1
  • 3,570
  • 2
  • 22
  • 35
  • Thanks, but it seems that this would not work with all Google API's. For example, I am using the google custom search API, and there is no OAuth2 scope for that (it only supports api key for authentication as far as I can gather). So the App Identity API cannot be used to identify my GAE application after all. Looks like Google does not support using Google's own cloud infrastructure for working with Google API's... pretty absurd IMHO. – orcaman Jun 30 '14 at 23:04
  • Most APIs will work with the OAUTH2 authentication and from AppEngine. However, your original question did not state that you were specifically using the CS API and as such I answered accordingly. This may be one API that you're out of luck. You can try using Compute Engine instead. If you have support with Google you can open a ticket for further advice. – someone1 Jul 02 '14 at 16:34
1

Yes, you should use App Identity. Forget about getting an IP or giving up on GAE :-) Here is an example of how to use Big Query, for example, inside a GAE application:

static {
    // initializes Big Query
    JsonFactory jsonFactory = new JacksonFactory();
    HttpTransport httpTransport = new UrlFetchTransport();
    AppIdentityCredential credential = new AppIdentityCredential(Arrays.asList(Constants.BIGQUERY_SCOPE));
    bigquery = new Bigquery.Builder(httpTransport, jsonFactory, credential)
            .setApplicationName(Constants.APPLICATION_NAME).setHttpRequestInitializer(credential)
            .setBigqueryRequestInitializer(new BigqueryRequestInitializer(Constants.API_KEY)).build();
}
DanielViveiros
  • 179
  • 3
  • Thanks, but it seems that this would not work with all Google API's. For example, I am using the google custom search API, and there is no OAuth2 scope for that (it only supports api key for authentication as far as I can gather). So the App Identity API cannot be used to identify my GAE application after all. Looks like Google does not support using Google's own cloud infrastructure for working with Google API's... pretty absurd IMHO – orcaman Jul 01 '14 at 06:45