
I have 2 GCP projects for which I am trying to perform authentication using C#. Because the projects belong to different clients, I am given access to a service account JSON file for each.

Is there a way to call the Compute engine API in both the projects authenticating using service account json file?

The example code from the Google Cloud client library uses

var credential = GoogleCredential.GetApplicationDefault();

This loads the path to the service account key file from the GOOGLE_APPLICATION_CREDENTIALS env var. This var is singular. In order for this to work I would need to load two service account JSON key files, not just one.

I am resisting mixing the JSON files, as it will be a bigger security hole.

Linda Lawton - DaImTo
    Your question is unclear. There are 2 GCP projects and you have one Service Account for **each** project (i.e. 2 Service Accounts)? Your code will need to use the appropriate Service Account (key) to access the appropriate project. You can't combine keys. You can (!) have one Service Account (and key) that provides access to multiple Projects but it appears that, for security reasons, this is not permitted (which is probably good). – DazWilkin Jan 17 '22 at 21:43
  • Please see "[ask]" and the linked pages and "[MCVE](https://stackoverflow.com/help/minimal-reproducible-example)". We appreciate that you might be new, but we do expect evidence of the effort you've put into this. Where did you search? Why didn't it help? If it did, where is the code you wrote to test what you learned? If you didn't write code, why not? If you did, what is the minimal code that demonstrates the problem you encountered, along with the explanation of the problem, and the minimal input data and the expected result? Without that it's hard to help you. – the Tin Man Jan 18 '22 at 05:13
  • @DazWilkin **for security reasons, this is not permitted** – security has nothing to do with it; the client library wouldn't be able to load that. The file would be in the wrong format and would not be able to be parsed. – Linda Lawton - DaImTo Jan 18 '22 at 07:43
  • @theTinMan I have edited the question and added a single relevant line of code. Although IMO what they had added was enough to understand the issue. **GOOGLE_APPLICATION_CREDENTIALS** was enough. – Linda Lawton - DaImTo Jan 18 '22 at 07:45
  • @DalmTo presumably (!) "for security reasons", the organization is requiring that different service accounts are used to represent different client projects. There's a difference between technical and organizational requirements. – DazWilkin Jan 18 '22 at 16:51

1 Answer

To help those who do not understand your question (from comments), here is a clear definition of your problem.

You have two accounts that you wish to connect to. Each account comes with its own JSON service account key file. To connect to each of these you will need to create a Compute Engine service object for each, authorized with the appropriate JSON key file.

The Google Cloud client library for .NET uses the following line to load the key file. This line seems to be in all the samples; they do not show any other options for loading the key file.

var credential = GoogleCredential.GetApplicationDefault();

This method reads from the GOOGLE_APPLICATION_CREDENTIALS environment variable set up on the machine. This is only a path to the key file. So if you need two, you can't use the env var; you need to load them manually with your own env vars or just constants.

Your idea to place the JSON data for both accounts in the same key file won't work, as the client library will not be able to parse that.

The solution is to use FromFile instead of GetApplicationDefault, which will allow you to supply the path to each of the key files.

// Explicitly use service account credentials by specifying 
// the private key file.
var credentialAccountOne = GoogleCredential.FromFile(jsonPathAccountOne);
var credentialAccountTwo = GoogleCredential.FromFile(jsonPathAccountTwo);
Linda Lawton - DaImTo
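The answer above shows loading the two keys; as an added example (not code from the answer or from Google's samples), here is the full wiring of one ComputeService per client project, with a check that each key file's `project_id` matches the project it will be used against, so client A's key is never accidentally paired with client B's project. The env var names, project IDs and zone are assumed placeholders; `project_id` and `client_email` are standard fields of a service account key file.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.Json;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Compute.v1;
using Google.Apis.Compute.v1.Data;
using Google.Apis.Services;

static class PerProjectCompute
{
    // Build a ComputeService bound to exactly one key file, after verifying the key
    // belongs to the project we intend to call. Two keys stay in two files; they are
    // never merged, since the library can only parse a single key per file.
    public static ComputeService Create(string keyPath, string expectedProjectId)
    {
        using var doc = JsonDocument.Parse(File.ReadAllText(keyPath));
        var root = doc.RootElement;
        var keyProject = root.GetProperty("project_id").GetString();
        var keyEmail = root.GetProperty("client_email").GetString();
        if (keyProject != expectedProjectId)
            throw new InvalidOperationException(
                $"Key for {keyEmail} belongs to '{keyProject}', not '{expectedProjectId}'.");

        // Read-only Compute scope: request no more than the call below needs.
        var credential = GoogleCredential.FromFile(keyPath)
            .CreateScoped(ComputeService.Scope.ComputeReadonly);

        return new ComputeService(new BaseClientService.Initializer
        {
            HttpClientInitializer = credential,
            ApplicationName = "multi-project-sample" // assumed name
        });
    }

    public static void Main()
    {
        // One env var per client (assumed names), each pointing at its own key file.
        var svcA = Create(Environment.GetEnvironmentVariable("CLIENT_A_KEY_FILE"), "client-a-project");
        var svcB = Create(Environment.GetEnvironmentVariable("CLIENT_B_KEY_FILE"), "client-b-project");

        // Each service is only ever used with the project its key was validated against.
        var listA = svcA.Instances.List("client-a-project", "us-central1-a").Execute();
        foreach (var inst in listA.Items ?? new List<Instance>())
            Console.WriteLine($"client-a-project: {inst.Name}");

        var listB = svcB.Instances.List("client-b-project", "us-central1-a").Execute();
        foreach (var inst in listB.Items ?? new List<Instance>())
            Console.WriteLine($"client-b-project: {inst.Name}");
    }
}
```

Requires the Google.Apis.Compute.v1 and Google.Apis.Auth NuGet packages; the read-only scope still needs a matching IAM role granted to each service account in its project.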