
After reading each of these Q&As,

I am still at a loss to know how to enable simple authentication for the AI Platform Predict API that doesn't need any sign-ins or OAuth screens.

My scenario is the following: we have a static website which allows the user to enter some data, the website (client) sends the data to the model for prediction via the API, and when the results come back, the website shows them to the user. We don't want the user to have to sign in or identify themselves in any way. Just input some data, push a button, and get the results.

However, as far as I've been able to search, there is no way of doing this (the documentation on authentication is in my view confusing, there are multiple overlapping articles and it is difficult to determine what applies in a specific case); you have to use some sort of OAuth which makes the user sign in with a Google account.

Is there really no way to have the website itself authenticated but not the individual users? E.g. using an API key or service account key?

If OAuth is the only way, does that mean users who want to use the website must have a Google Account? And how do I enable it: should I create an OAuth Client ID, or is it the OAuth consent screen?

Ismail
Anakhand

1 Answer


The recommended practice here is that all the OAuth should happen server-side, where the GCP Service Account JSON key is stored on some backend server.

I am going to answer your question by assuming that your website is hosted on App Engine, but your website could be hosted anywhere on other GCP products such as Cloud Run, or on any other hosting provider.

  • In the backend web server you can make the AI Platform predict request using the Service Account JSON; then you would need to configure your website to talk to this backend.

Website ----HTTP Request to App Engine URL------> App Engine (code---)--------> AI Platform

So the App Engine backend performs the authentication on behalf of the website client, as Lak clarifies here; since the requests will be passing your GCP Service Account JSON Key, then they gain access to send the specific HTTP requests to their backend server, which makes the AI Platform calls.

In your case, you do not want the users to access your Google data; you simply want to provide them access to your own AI Platform model.

Basically you can just use the Client Library on the server side and it automatically does OAuth for you, as long as the environment variable is set to the Service Account key.

Note: You only need to do Google OAuth if you want access to a person's Google resources (e.g. Google Docs, Calendar, GCP project, etc.)

Ismail
  • Ah, I see, thanks! So the service account should be used from the web backend, using something like `gcloud auth activate-service-account` and then using `gcloud auth print-access-token` as the access token to put in the headers for the AI requests? The problem is the website is hosted on Netlify, which only serves static content but there is no (customizable) backend. Would it be possible to set up a very simple server on App Engine that acts as an intermediary between the web client and the AI platform that responds to requests from the web client and forwards them on, using its service key? – Anakhand Mar 12 '21 at 11:10
  • @Anakhand Setting up a simple server on App Engine is definitely feasible... https://cloud.google.com/appengine/docs/standard/python3/building-app/writing-web-service – Ismail Mar 12 '21 at 15:26
  • If you want a step-by-step solution particular to your use case, open a new thread with all relevant info and I'd be more than happy to provide you an answer there – Ismail Mar 12 '21 at 15:28
  • If you liked my answer, don't forget to accept it :) – Ismail Mar 12 '21 at 15:29
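
The intermediary described in the answer and comments above, as an added example that is not part of the original thread: a small WSGI backend that keeps the service account server-side and forwards predictions for the static site. The origin, model path and limits are assumed placeholders; because the endpoint is reachable without sign-in, it pins the model and bounds what a caller can send.

```python
import json
# Assumed placeholders, not values from the thread.
ALLOWED_ORIGIN = "https://example-site.netlify.app"
MODEL_NAME = "projects/PROJECT_ID/models/MODEL_NAME"  # fixed here, never client-chosen
MAX_BODY, MAX_INSTANCES = 16 * 1024, 8
CORS = [("Content-Type", "application/json"),
        ("Access-Control-Allow-Origin", ALLOWED_ORIGIN),
        ("Access-Control-Allow-Methods", "POST"),
        ("Access-Control-Allow-Headers", "Content-Type")]

def ai_platform_predict(instances):
    """Call online prediction with the server's own service account (found via
    Application Default Credentials); no key or token reaches the browser."""
    from googleapiclient import discovery  # lazy: needs google-api-python-client
    service = discovery.build("ml", "v1", cache_discovery=False)
    resp = service.projects().predict(name=MODEL_NAME, body={"instances": instances}).execute()
    if "error" in resp:
        raise RuntimeError(resp["error"])
    return resp["predictions"]

def make_app(predict=ai_platform_predict):
    def app(environ, start_response):
        def reply(status, payload=None):
            start_response(status, list(CORS))
            return [json.dumps(payload).encode()] if payload is not None else [b""]
        method = environ.get("REQUEST_METHOD")
        if environ.get("PATH_INFO") != "/predict" or method not in ("POST", "OPTIONS"):
            return reply("404 Not Found", {"error": "not found"})
        if environ.get("HTTP_ORIGIN") != ALLOWED_ORIGIN:
            return reply("403 Forbidden", {"error": "origin not allowed"})
        if method == "OPTIONS":  # CORS preflight sent before a JSON POST
            return reply("204 No Content")
        cl = environ.get("CONTENT_LENGTH") or ""
        length = int(cl) if cl.isdecimal() else 0
        if not 0 < length <= MAX_BODY:
            return reply("413 Payload Too Large", {"error": "body missing or too large"})
        try:
            instances = json.loads(environ["wsgi.input"].read(length))["instances"]
        except (ValueError, KeyError, TypeError):
            return reply("400 Bad Request", {"error": "expected {'instances': [...]}"})
        if not isinstance(instances, list) or not 0 < len(instances) <= MAX_INSTANCES:
            return reply("400 Bad Request", {"error": "instance count"})
        try:
            return reply("200 OK", {"predictions": predict(instances)})
        except Exception:  # do not leak upstream error details to the client
            return reply("502 Bad Gateway", {"error": "prediction failed"})
    return app

app = make_app()  # WSGI entry point
```

The Origin check only keeps other websites' pages from calling the endpoint through a browser; a non-browser client can send any Origin header, so a quota or rate limit on the backend is still needed.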