
I managed to create a service account and a key for it via the Python API iamcredentials.googleapis.com, but I can't log it in since the key is in P12 format and received as a dict, and I can't find the way to log the key in. Is there a way to create a p12 file or something so I can use the key?

I tried using the functions available in the oauth2client.service_account.ServiceAccountCredentials() module but none of them loads it successfully. I understand there's some degree of deprecation in this library and maybe I'm using obsolete methods.

The closest I came to a successful login was when using the _from_p12_keyfile_contents() function, which gave an "encoding routines" error, which is beyond my understanding.

```python
from oauth2client.service_account import ServiceAccountCredentials
from googleapiclient import discovery, errors, logging

# google_application_defaults(), serviceAccMail and accountEmail are defined
# elsewhere in the asker's script (not shown in the post).
default_creds = google_application_defaults()

service = discovery.build("iam", "v1", credentials=default_creds, cache_discovery=False)

# Create a new key for the service account.
key = service.projects().serviceAccounts().keys().create(name=serviceAccMail, body={}).execute()

# This call raises the error quoted below.
creds = ServiceAccountCredentials._from_p12_keyfile_contents(accountEmail, key["privateKeyData"], "notasecret")
```

Error: [('asn1 encoding routines', 'asn1_check_tlen', 'wrong tag'), ('asn1 encoding routines', 'asn1_item_embed_d2i', 'nested asn1 error')]

What's the correct way to log this key in?

user2314737

1 Answer


The PFX (P12) service account format is deprecated. Go back to the Google Console and download the service account credentials in JSON format.

Once you have downloaded your credentials in JSON format, change your code:

```python
from google.oauth2 import service_account

sa_file = 'full/path/to/service_account.json'

default_creds = service_account.Credentials.from_service_account_file(sa_file)
```

[Update: The following code will show how to use P12 credentials]

Note: The P12 credentials do not work with all Google APIs (the credential type is different). This example is for the Google Discovery API. This example will not work with google.cloud.storage for example.

```python
'''
Test program to use P12 credentials with Google Cloud Storage
'''
from oauth2client.service_account import ServiceAccountCredentials
import googleapiclient.discovery

# Details on the Google Service Account. The email must match the Google Console.
project_id = 'development-123456'
sa_filename = 'compute-engine.p12'
sa_password = 'notasecret'
sa_email = 'development-123456@developer.gserviceaccount.com'

SCOPES = ["https://www.googleapis.com/auth/cloud-platform"]

# Load the P12 key file and build credentials limited to SCOPES.
cred = ServiceAccountCredentials.from_p12_keyfile(
        sa_email,
        sa_filename,
        private_key_password=sa_password,
        scopes=SCOPES)

client = googleapiclient.discovery.build('storage', 'v1', credentials=cred)

buckets = client.buckets().list(project=project_id).execute()

print('')
print('Listing buckets:')
# 'items' is absent from the response when the project has no buckets.
for bucket in buckets.get('items', []):
    print(bucket['name'])
```
John Hanley
  • Oh, that is bad. I was hoping I could do all the key management in an automatized script. Is there absolutely no way to create a key with the new format? Or save the p12 key into a bytes-generated file and then load it? – Irribarra Cristián Dec 22 '18 at 23:52
  • Why is that bad? You just issue credentials in the correct format. You can create credentials with `gcloud` or in the console. Most of the Google SDKs no longer support P12 credentials and the APIs for loading P12 credentials that did have been removed. – John Hanley Dec 23 '18 at 00:25
  • @IrribarraCristián - I updated my example to show how to use P12 credentials with the Google Discovery APIs. This might help you. – John Hanley Dec 23 '18 at 04:26
  • Thanks for your clarification. Yet, creating the key within the code is a must for me. Would it work if I used os.system() to call a key creation via gcloud? – Irribarra Cristián Dec 26 '18 at 12:43
  • There are two articles on my blog site that might interest you. The first shows how to convert a P12 file into a JSON file. The second shows how to create an access token from JSON credentials. Neither requires nor uses a Google SDK. https://www.jhanley.com/google-cloud-converting-service-account-credentials-from-p12-to-json-format/ https://www.jhanley.com/google-cloud-creating-oauth-access-tokens-for-rest-api-calls/ – John Hanley Dec 26 '18 at 22:10
  • I have code that creates access tokens from P12 credentials similar to this article for JSON credentials https://www.jhanley.com/google-cloud-creating-oauth-access-tokens-for-rest-api-calls/. I might post a new article in the next couple of days that covers using P12 credentials directly. – John Hanley Dec 26 '18 at 22:12
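Added example, not part of the original question or answer and not Google's code: in the IAM `keys.create` response, `privateKeyData` is base64-encoded and `privateKeyType` states whether the decoded bytes are a JSON credentials file or a PKCS#12 bundle, so a script that creates keys can decode the field, check what it received, and store it with owner-only permissions. The response dict is constructed sample data with placeholder key material, and `decode_key_response` and `save_key` are hypothetical helper names.

```python
import base64
import json
import os

# Constructed sample shaped like a keys.create response; the key material
# is a placeholder, not a real private key.
SAMPLE_KEY_FILE = {
    "type": "service_account",
    "client_email": "demo@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}
SAMPLE_RESPONSE = {
    "privateKeyType": "TYPE_GOOGLE_CREDENTIALS_FILE",
    "privateKeyData": base64.b64encode(json.dumps(SAMPLE_KEY_FILE).encode()).decode(),
}

REQUIRED_FIELDS = ("type", "client_email", "private_key", "token_uri")


def decode_key_response(response):
    """Return ("json", dict) or ("p12", bytes) for a keys.create response."""
    raw = base64.b64decode(response["privateKeyData"], validate=True)
    if response.get("privateKeyType") == "TYPE_PKCS12_FILE":
        # A DER-encoded PKCS#12 bundle starts with an ASN.1 SEQUENCE tag (0x30).
        if raw[:1] != b"\x30":
            raise ValueError("privateKeyData is not DER-encoded PKCS#12")
        return "p12", raw
    # TYPE_GOOGLE_CREDENTIALS_FILE (the default) decodes to a JSON document.
    info = json.loads(raw)
    missing = [f for f in REQUIRED_FIELDS if f not in info]
    if missing:
        raise ValueError("credentials file lacks fields: " + ", ".join(missing))
    return "json", info


def save_key(payload, path):
    """Write key material to a new file that only the owner can read."""
    data = payload if isinstance(payload, bytes) else json.dumps(payload).encode()
    # O_EXCL refuses to overwrite an existing file; 0o600 is applied at creation.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

The dict returned for the JSON case can be passed to `google.oauth2.service_account.Credentials.from_service_account_info()` from the google-auth package, which avoids writing the key to disk at all.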