
What are the equivalent REST API calls for these?

gcloud auth activate-service-account --key-file=myvaultkey.json

export GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud auth print-access-token)

Espresso

1 Answer

2

See Use OAuth2 for Server to Server Applications

You can get gcloud to show underlying REST API calls by appending --log-http to any command.

In this case, some of the work involves updating gcloud's local configuration to use the Service Account but you can ignore that part and focus on creating a JWT and using that to get an access token that you can then use to invoke the API(s).

I encourage you to use one of Google's SDKs rather than do this using the underlying APIs. The documentation page referenced above explains both approaches and you'll see that using an SDK is not only trivial but it provides strong assurance that you're implementing the flow correctly (securely).

DazWilkin
  • The "corporate" situation that I'm in restricts me to a vault-provided gcpkey.json for a gcp-project. However, I need to renew these tokens within a long-running java-application (that would mean using API calls, not the CLI, right?). – Espresso Dec 06 '21 at 18:51
  • Interesting question. Yes, I think so. The only alternative would be to script pulling the key from the vault to authenticate `gcloud` with it. It depends on what the corporate policy is but I assume (understandably) they don't want you persisting keys locally. I think you should consider using the SDKs >> REST API calls though. There's probably (I've not used it) a mechanism that supports pulling the key from a vault and passing it onto the SDK *without* persisting it to disk. – DazWilkin Dec 06 '21 at 19:17
  • "without persisting it to disk" -- Thanks for your help. I'll try '--log-http' and see if I can do token-renewal etc. without persisting the key to disk. So far I only see that the SDK relies on the env variables GOOGLE_APPLICATION_CREDENTIALS, GOOGLE_OAUTH_ACCESS_TOKEN ... – Espresso Dec 06 '21 at 19:30
  • There's a facility called Application Default Credentials (or "ADC"). This is very useful. When code is running on a GCP (compute) service, the service is able to obtain ADCs automatically (e.g. from the Metadata service on Compute Engine). When code is running off GCP (e.g. locally), ADC looks for `GOOGLE_APPLICATION_CREDENTIALS` to find the Service Account key. See: https://cloud.google.com/docs/authentication/production You do not need to use ADCs with the SDKs. You can simply reference the location of the key and tell the SDK to obtain credentials that way. – DazWilkin Dec 06 '21 at 20:36
  • I assume (but have not tried) that you can combine Google's SDKs with e.g. Hashicorp Vault (and other vaults) such that your code obtains the key from the vault and then passes it to the SDK's client so that the client can authenticate without having to persist a file to disk. – DazWilkin Dec 06 '21 at 20:37
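The JWT-bearer exchange the answer describes (sign a JWT with the service-account key, POST it to the token endpoint, receive an access token), as an added Go example that is not code from the answer, from gcloud or from Google's SDKs. The service-account e-mail, the key (generated in memory to stand in for a vault-provided key file) and the cloud-platform scope are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

// TokenURL is Google's OAuth 2.0 token endpoint and the "aud" claim of the assertion.
const TokenURL = "https://oauth2.googleapis.com/token"
// What the flow needs from a service-account key file: "client_email" and "private_key"
// (PEM in the file; main() below generates a throwaway key in memory instead).
type ServiceAccount struct {
	ClientEmail string
	PrivateKey  *rsa.PrivateKey
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// BuildAssertion creates the RS256-signed JWT the token endpoint exchanges for an access token.
func BuildAssertion(sa ServiceAccount, scope string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": sa.ClientEmail, "scope": scope, "aud": TokenURL,
		"iat": now.Unix(), "exp": now.Add(time.Hour).Unix(), // 1h is the longest Google accepts
	})
	input := b64url(header) + "." + b64url(claims) // base64url parts, no padding
	digest := sha256.Sum256([]byte(input))         // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, sa.PrivateKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// TokenRequestBody is the form body POSTed to TokenURL; the JSON reply's "access_token"
// is the value GOOGLE_OAUTH_ACCESS_TOKEN held in the question.
func TokenRequestBody(assertion string) string {
	return url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}}.Encode()
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the vault-provided key
	sa := ServiceAccount{ClientEmail: "svc@example-project.iam.gserviceaccount.com", PrivateKey: key}
	jwt, _ := BuildAssertion(sa, "https://www.googleapis.com/auth/cloud-platform", time.Now())
	fmt.Println(TokenRequestBody(jwt)) // POST this to TokenURL; re-run before "exp" to renew
}
```

Renewal in a long-running process is just rebuilding the assertion and re-posting it before the previous access token expires; the key stays in memory and is never written to disk.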