@@ -6,7 +6,11 @@ Authentication
66Overview
77========
88
9- * **If you're running in Compute Engine or App Engine **,
9+ For a language agnostic overview of authentication on Google Cloud, see `Authentication Overview `_.
10+
11+ .. _Authentication Overview : https://cloud.google.com/docs/authentication
12+
13+ * **If you're running in a Google Virtual Machine Environment (Compute Engine, App Engine, Cloud Run, Cloud Functions) **,
1014 authentication should "just work".
1115
1216* **If you're developing locally **,
@@ -41,7 +45,7 @@ Overview
4145
4246 $ export GOOGLE_APPLICATION_CREDENTIALS=" /path/to/keyfile.json"
4347
44- service account : https://cloud.google.com/storage /docs/authentication#generating-a-private-key
48+ service account : https://cloud.google.com/iam /docs/creating-managing-service-accounts#creating
4549
4650Client-Provided Authentication
4751==============================
@@ -97,11 +101,17 @@ After creation, you can pass it directly to a :class:`Client <google.cloud.clien
97101tip ::
98102 To create a credentials object, follow the `google-auth-guide `_.
99103
100- .. _google-auth-guide : https://google-auth.readthedocs.io/en/latest/user-guide.html#service-account-private-key-files
104+ .. _google-auth-guide : https://googleapis.dev/python/google-auth/latest/user-guide.html#service-account-private-key-files
105+
101106
107+ Google App Engine Standard First Generation Environment
108+ -------------------------------------------------------
109+
110+ These credentials are used only in the legacy Python 2.7
111+ `First Generation Standard Environment `_. All other App Engine
112+ runtimes use Compute Engine credentials.
102113
103- Google App Engine Environment
104- -----------------------------
114+ .. _First Generation Standard Environment : https://cloud.google.com/appengine/docs/standard/runtimes
105115
106116To create
107117:class: `credentials <google.auth.app_engine.Credentials> `
@@ -115,9 +125,12 @@ just for Google App Engine:
115125
116126---------------------------------
117127
128+ These credentials are used in Google Virtual Machine Environments.
129+ This includes most App Engine runtimes, Compute Engine, Cloud
130+ Functions, and Cloud Run.
131+
118132To create
119- :class: `credentials <google.auth.compute_engine.Credentials> `
120- just for Google Compute Engine:
133+ :class: `credentials <google.auth.compute_engine.Credentials> `:
121134
122135.. code :: python
123136
@@ -129,16 +142,24 @@ Service Accounts
129142
130143A `service account `_ is stored in a JSON keyfile.
131144
132- The
133- :meth: `from_service_account_json() <google.cloud.client.Client.from_service_account_json> `
134- factory can be used to create a :class: `Client <google.cloud.client.Client> ` with
135- service account credentials.
145+ .. code :: python
146+
147+ from google.oauth2 import service_account
148+
149+ credentials = service_account.Credentials.from_service_account_file(
150+ ' /path/to/key.json'
136151
137- For example, with a JSON keyfile :
152+ A JSON string or dictionary :
138153
139154.. code :: python
140155
141- client = Client.from_service_account_json(' /path/to/keyfile.json'
156+ import json
157+
158+ from google.oauth2 import service_account
159+
160+ json_account_info = json.loads(... ) # convert JSON to dictionary
161+ credentials = service_account.Credentials.from_service_account_info(
162+ json_account_info)
142163
143164tip ::
144165
@@ -160,7 +181,7 @@ possible to call Google Cloud APIs with a user account via
160181
161182 A production application should **use a service account **,
162183 but you may wish to use your own personal user account when first
163- getting started with the ``google-cloud-python `` library.
184+ getting started with the ``google-cloud-* `` library.
164185
165186The simplest way to use credentials from a user account is via
166187Application Default Credentials using ``gcloud auth login ``
@@ -183,67 +204,10 @@ Troubleshooting
183204Setting up a Service Account
184205----------------------------
185206
186- If your application is not running on Google Compute Engine,
187- you need a `Google Developers Service Account `_.
188-
189- #. Visit the `Google Developers Console `_.
190-
191- #. Create a new project or click on an existing project.
192-
193- #. Navigate to **APIs & auth ** > **APIs ** and enable the APIs
194- that your application requires.
195-
196- .. raw :: html
197-
198- <img src =" https://raw.githubusercontent.com/GoogleCloudPlatform/google-cloud-common/master/authentication/enable-apis.png"
199-
200- .. note ::
201-
202- You may need to enable billing in order to use these services.
203-
204- * **BigQuery **
205-
206- * BigQuery API
207-
208- * **Datastore **
209-
210- * Google Cloud Datastore API
207+ If your application is not running on a Google Virtual Machine Environment,
208+ you need a Service Account. See `Creating a Service Account `_.
211209
212- * **Pub/Sub **
213-
214- * Google Cloud Pub/Sub
215-
216- * **Storage **
217-
218- * Google Cloud Storage
219- * Google Cloud Storage JSON API
220-
221- #. Navigate to **APIs & auth ** > **Credentials **.
222-
223- You should see a screen like one of the following:
224-
225- .. raw :: html
226-
227- <img src =" https://raw.githubusercontent.com/GoogleCloudPlatform/google-cloud-common/master/authentication/create-new-service-account.png"
228-
229- .. raw :: html
230-
231- <img src =" https://raw.githubusercontent.com/GoogleCloudPlatform/google-cloud-common/master/authentication/create-new-service-account-existing-keys.png"
232-
233- Find the "Add credentials" drop down and select "Service account" to be
234- guided through downloading a new JSON keyfile.
235-
236- If you want to re-use an existing service account,
237- you can easily generate a new keyfile.
238- Just select the account you wish to re-use,
239- and click **Generate new JSON key **:
240-
241- .. raw :: html
242-
243- <img src =" https://raw.githubusercontent.com/GoogleCloudPlatform/google-cloud-common/master/authentication/reuse-service-account.png"
244-
245- .. _Google Developers Console : https://console.developers.google.com/project
246- .. _Google Developers Service Account : https://developers.google.com/accounts/docs/OAuth2ServiceAccount
210+ .. _Creating a Service Account : https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating
247211
248212Using Google Compute Engine
249213---------------------------
@@ -262,24 +226,7 @@ you add the correct scopes for the APIs you want to access:
262226 * ``https://www.googleapis.com/auth/cloud-platform ``
263227 * ``https://www.googleapis.com/auth/cloud-platform.read-only ``
264228
265- * **BigQuery **
266-
267- * ``https://www.googleapis.com/auth/bigquery ``
268- * ``https://www.googleapis.com/auth/bigquery.insertdata ``
269-
270- * **Datastore **
271-
272- * ``https://www.googleapis.com/auth/datastore ``
273- * ``https://www.googleapis.com/auth/userinfo.email ``
274-
275- * **Pub/Sub **
276-
277- * ``https://www.googleapis.com/auth/pubsub ``
278-
279- * **Storage **
280-
281- * ``https://www.googleapis.com/auth/devstorage.full_control ``
282- * ``https://www.googleapis.com/auth/devstorage.read_only ``
283- * ``https://www.googleapis.com/auth/devstorage.read_write ``
229+ For scopes for specific APIs see `OAuth 2.0 Scopes for Google APIs `_
284230
285231.. _set up the GCE instance : https://cloud.google.com/compute/docs/authentication#using
232+ .. _OAuth 2.0 Scopes for Google APIS : https://developers.google.com/identity/protocols/oauth2/scopes
0 commit comments