@jbeda
Created July 20, 2012 20:51
Management Service -> GCE auth

For a Management Service to talk to Cloud APIs such as GCE, you can use Service Accounts. The blog post introducing these has a lot of pointers.

Option 1: Single Service Account

In this case, the management service would have a single service account (or a handful of them) for talking to Google. This is slightly simpler but results in a single set of credentials between the Management Service and Google covering a large number of projects/accounts.

  1. Create an API project at the API console. This will represent the Management Service in the Google world.
  2. Create a 'Service Account' inside of that project. Instructions to do that are here. This Service Account has an email address that can be added to ACLs at Google. It is the way to represent code or a service as an identity in the Google user system. You can think of it as a supported way of creating a GMail account to represent your service. You get 'keys' to the service account in the form of a PKCS #12-formatted private key.
  3. When connecting the Management Service to a GCE project, have the customer add the Management Service's service account email address to their team. It is now a virtual team member.
  4. Get an access token for the service account. You need one access token no matter how many customer projects you are accessing. The same auth token can be used for all projects. Access tokens last for an hour. The tokens are per service account and OAuth2 scopes and can be used across projects. Here are the docs on turning the private key into a time-limited OAuth2 access token. If you want some sample code, here is the code in the Google Python API Client.
  5. Call the API with the service account access token. This is as simple as adding an Authorization header on the request. Note that all API access should be done over HTTPS.

Option 2: Service Account per Project

In this case each project has a service account associated with it and hands the credentials off to the Management Service.

  1. Prompt the user to create a service account in their project for the Management Service to use. Users should be aware that any ACLs that this service account has access to will also provide access to the Management Service. Currently there is no way to attach a meaningful name or description to these service accounts. Instructions are here.
  2. Have the customer hand off the private key for that service account to the Management Service. This is, essentially, a very strong password. The Management Service will store this securely with appropriate separation of encryption and key management.
  3. When the Management Service needs to call GCE for a project, it will take this key and get an access token via the JWT token flow. If you want some sample code, here is the code in the Google Python API Client.
  4. The Management Service should cache this access token per client. There are rate limits on generating these tokens and there is a limit to the number that can be outstanding. But it should be possible to just cache these in memory.
  5. Call the API with the service account access token. This is as simple as adding an Authorization header on the request. Note that all API access should be done over HTTPS.
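As an added example (not code from this gist or from the Google Python API Client), here is the JWT-bearer exchange used in step 4 of Option 1 and step 3 of Option 2, plus the per-client token cache from Option 2 step 4, in Python. The token endpoint URL, the client ids and the RS256 `sign` callable are assumptions; the signer is injected so the block runs without a key file.

```python
import base64
import json
import time
from typing import Callable, Dict, Tuple

TOKEN_URI = "https://accounts.google.com/o/oauth2/token"  # assumed endpoint
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # unpadded

def build_assertion(sa_email: str, scope: str, sign: Callable[[bytes], bytes],
                    now: int, lifetime: int = 3600) -> str:
    """Signed JWT exchanged for an access token. `sign` is a hypothetical
    callable returning an RSASSA-PKCS1-v1_5/SHA-256 signature made with the service
    account's private key; it is injected so this runs without a key file."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": sa_email, "scope": scope, "aud": TOKEN_URI,
              "iat": now, "exp": now + lifetime}  # at most one hour
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    return signing_input + "." + _b64url(sign(signing_input.encode("ascii")))

def token_request_body(assertion: str) -> Dict[str, str]:
    """Form fields POSTed to TOKEN_URI; the reply carries access_token/expires_in."""
    return {"grant_type": GRANT_TYPE, "assertion": assertion}

class TokenCache:
    """Per-client access token cache: a token is reused until it is within
    `skew` seconds of expiry, then re-minted with that client's key."""

    def __init__(self, fetch: Callable[[str], Dict[str, object]],
                 skew: int = 300, clock: Callable[[], float] = time.time):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._tokens: Dict[str, Tuple[str, float]] = {}

    def get(self, client_id: str) -> str:
        entry = self._tokens.get(client_id)
        if entry is None or self._clock() >= entry[1] - self._skew:
            resp = self._fetch(client_id)  # performs the POST for this client's key
            entry = (str(resp["access_token"]), self._clock() + int(resp["expires_in"]))
            self._tokens[client_id] = entry
        return entry[0]

def auth_header(token: str) -> Dict[str, str]:
    """Send every API request over HTTPS with this header."""
    return {"Authorization": "Bearer " + token}
```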

Please let us know if you have any issues and we can help get you going.
