9

I am working on Google Cloud Platform and I have to access the cloud functionality from a Java non-web application. For example, I am trying to store and retrieve objects from Google Cloud Storage using the Google Cloud Storage JSON API.

Before accessing those, I need to authenticate my application, so I found the authorization API for authorized access.

When I was trying to get credentials from Google Cloud Platform, I ended up with three choices of credentials:

  • API Key
  • OAuth Client ID
  • Service account Key

I have gone through the GCP documentation but could not find clear information that distinguishes among these. I am pretty much new to GCP, so could you please share any information or blog link that explains these credential types, with sample Java programs that show how to use the Google Cloud Client Library API?

1 Answer

15

Google Cloud Platform's Auth Guide is the definitive resource here: https://cloud.google.com/docs/authentication

Google's various auth mechanisms serve different purposes, so let me explain the ones you asked about, and the right choice for you should become more clear.

API keys provide a way for you to identify which project you are making an API call on behalf of. They're good for limiting requests made on behalf of your project with quotas. An API key is generally not considered secure, as it's typically embedded in client apps and web pages. Because of this, API keys provide no authentication or authorization. If an anonymous user shouldn't be able to make the call, an API key isn't going to be sufficient.

Next up, OAuth. OAuth is a way to turn real, human users with Google accounts into authenticated API calls. You'll use it when you want to do something as yourself, like when you're running an app like gcloud locally, or if you're building a web site that needs to ask humans for permission to do things with Google Cloud on their behalf. This process involves client IDs and secrets and ends with refresh tokens and access tokens. There are a few different flavors.

Finally, service accounts. If your app is running off somewhere by itself and not as any particular human, you should model that by creating a service account for your application. Service accounts are special users that don't have a password. Instead, they have private key files that can be deployed with the app so that they can authenticate as themselves. This is usually what you want unless your app needs to run on behalf of specific users (e.g. a cloud management program like gcloud or gsutil).

The Google Cloud Java library provides a feature called "Application Default Credentials," which eliminates the need to configure auth if your application is running in App Engine or GCE. It can also take care of auth if you want to run code as yourself on a local machine and have gcloud installed.

Here's an example of a Compute Engine program that creates a GCS bucket:

Storage storage = StorageOptions.getDefaultInstance().getService();
Bucket bucket = storage.create(BucketInfo.of("myBucketName"));

Notice how it doesn't say anything about auth at all. Application default credentials take care of picking the appropriate service account or user. That assumes you are in such an environment, though. If you have a private key .json file, you'd do this instead:

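// Load the service account key explicitly instead of relying on Application Default Credentials.
Storage storage = StorageOptions.newBuilder()
    .setProjectId(PROJECT_ID)
    .setCredentials(GoogleCredentials.fromStream(
        new FileInputStream(PATH_TO_JSON_KEY)))
    .build()
    .getService();  // build() returns StorageOptions; getService() returns the Storage client
Bucket bucket = storage.create(BucketInfo.of("myBucketName"));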

And that's it!

5
  • 1
    Thanks for the instant reply and for making the credential choice clear! The GoogleCredentials class authenticates the user using a service account key, so could you please provide an API snippet that shows how to use an OAuth client ID and an API key as well, because I need to implement authentication using all three. Please provide a Google Cloud client library API example. Commented Apr 26, 2017 at 7:00
  • There are various flavors of OAuth. I'd have to know more about what you wanted your app to do to answer well. There's a general guide to Google OAuth here: developers.google.com/identity/protocols/OAuth2 and a Java library and examples here: developers.google.com/api-client-library/java/… Commented Apr 26, 2017 at 7:25
  • I am developing a simple application that, for seck, fetches objects from GCS and processes them locally. Now I need to give options to use whatever credential type the user wants for authentication, e.g. OAuth client ID or service account key. I can use the JSON file of a service account key for authentication and want to use the client secret JSON file obtained from the OAuth client ID. Please suggest a 'google cloud client library API example'. Commented Apr 26, 2017 at 9:17
  • Ah, I see. Here's an example of an OAuth credential flow in Java using the Java OAuth client: github.com/google/google-oauth-java-client/blob/master/samples/… Commented Apr 26, 2017 at 18:38
  • 1
    The last example is missing StorageOptions.getService()
    – oshai
    Commented Oct 7, 2020 at 13:58
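
The service-account path from the answer, extended as an added example (not code from the answer or from Google's samples): it refuses a key file that other local users can access and requests a read-only Cloud Storage scope, which fits an app that only fetches objects. The class and method names are hypothetical, and it assumes the google-cloud-storage client library is on the classpath.

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

public class ReadOnlyGcsClient {  // hypothetical class name
    static final String READ_ONLY_SCOPE = "https://www.googleapis.com/auth/devstorage.read_only";
    // Refuse a key file that anyone other than its owner can access (POSIX file systems only).
    static void requireOwnerOnly(Path key) throws IOException {
        if (!key.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            return;  // e.g. Windows, where access is governed by ACLs instead
        }
        Set<PosixFilePermission> exposed = EnumSet.noneOf(PosixFilePermission.class);
        exposed.addAll(Files.getPosixFilePermissions(key));
        exposed.removeAll(EnumSet.of(PosixFilePermission.OWNER_READ,
            PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE));
        if (!exposed.isEmpty()) {
            throw new IOException(key + " is accessible to group/others: " + exposed);
        }
    }

    static Storage connect(String projectId, Path key) throws IOException {
        requireOwnerOnly(key);
        try (InputStream in = Files.newInputStream(key)) {
            // Throws IOException unless the JSON is a service account key (not e.g. an OAuth client-secret file).
            ServiceAccountCredentials sa = ServiceAccountCredentials.fromStream(in);
            // Request tokens limited to reading Cloud Storage data.
            GoogleCredentials readOnly = sa.createScoped(Collections.singleton(READ_ONLY_SCOPE));
            return StorageOptions.newBuilder().setProjectId(projectId)
                .setCredentials(readOnly).build().getService();
        }
    }

    public static void main(String[] args) throws IOException {
        // Usage: ReadOnlyGcsClient <project-id> <key.json> <bucket> <object>
        Storage storage = connect(args[0], Paths.get(args[1]));
        byte[] data = storage.readAllBytes(args[2], args[3]);
        System.out.println("Read " + data.length + " bytes");
    }
}
```

The scope narrows what the issued token can do; the IAM roles granted to the service account still decide which buckets and objects it can read.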
