Im not sure how I can usemy service account and Dialogflow API key to get an API token using OAuth2 to get an access token for google. Could someone share a code snippet
I want to access this API: https://cloud.google.com/dialogflow/es/docs/reference/rest/v2/projects.agent.entityTypes/list
In order to use the Dialogflow API (in this case, list all the entity types in the specified agent) you have to:
Enable the Dialogflow API for your project
Go to the Create service account key page. From the Service account list, select New service account, enter a name in the Service account name field.
From the Role list, select Project > Owner.
Click Create. A JSON file that contains your key downloads to your computer.
Once you have the JSON file, you need to set an environment variable in a shell session GOOGLE_APPLICATION_CREDENTIALS="/path/to/key.json".
You can access the API via REST, gRPC or a client library. In this repository, there are some samples with the python client library.
Related
On a server firestore admin is accessed using python:
import firebase_admin
from firebase_admin import credentials, firestore
cred = credentials.Certificate('myfile.json')
myfile.json has been added to a git repo so now I'm wondering if there is a way to revoke it and create a new one?
Following firebase tutorials it's supposed to be a service account, however there is no old service account on google cloud to revoke.
myfile.json was created months ago so there is no way to know how it was created (as when doing anything with firebase/google cloud you have to jump around to multiple guides all over the place, out of the blue knowing all kinds of things to make any progress whatsoever).
Edit:
The reason I didn't find the service account was because google cloud had selected a project that had a similar name as the firebase project.
If you look at the contents of myfile.json, notice three fields: project_id, client_email and private_key_id
These fields tell you the Project ID that the credentials created in, the name of the service account (client_email) and the Key ID.
With that information, you can go to the Google Cloud Console. Log in and select your Project (if you manage more than one Project). Go to IAM -> Service Accounts and find the service account by the client_email. Then disable or delete the service account.
There are more advanced things that you can do such as disable a key and create another one (key rotation), but since the Service Account Key JSON file has been leaked, I would delete the service account and create a new one.
I have developed a Google Cloud Function (GCF) in python, which i want to access from a web service deployed on AWS (written in python). While in the development phase of the GCF, It had Cloud Function Invoker permission set to allUsers. I assume that is why it didn't ask for an Authorization Token when called.
I want to revoke this public access and make it so that i can only call this function from the web service code and it is not accessible public-ally.
Possible Approach :In my research i have found out that this can be done using the following steps:
Removing all the unnecessary members who have permissions to the GCF.
Creating a new service account which has restricted access to only use GCF.
Download the service account key (json) and use it in the AWS web application
Set environment variable GOOGLE_APPLICATION_CREDENTIALS equal to the path of that service account key (json) file.
Questions
How to generate the Access token using the service account, which may then be appended as Authorization Bearer within the HTTP call made to the GCF? Without this token the GCF should throw error.
The docs say not to put the service account key in the source code. Then what is the best way to go about it. They suggest to use KMS which seems like an overkill.
Do not embed secrets related to authentication in source code, such as API keys, OAuth tokens, and service account credentials. You can use an environment variable pointing to credentials outside of the application's source code, such as Cloud Key Management Service.
What are the bare minimum permissions i will require for the service account?
Please feel free to correct me if you think my understanding is wrong and there is a better and preferable way to do it.
UPDATE: The web service on AWS will call the GCF in a server-to-server fashion. There is no need to propagate the client-end (end-user) credentials.
In your description, you don't mention who/what will call your GCF. A user? A Compute? Another GCF? However, this page can help you to find code example
Yes, secret in plain text and pushed on GIT is not yet a secret! Here again, I don't know what performing the call. If it's a compute, functions, cloud run, or any service of GCP, don't use JSON file key, but the component identity. I would say, create a service account and set it to this component. Tell me more on where are you deploying if you want more help!
Related to 2: if you have a service account, what the minimal role: cloudfunctions.Invoker. It's the minimal role to invoke function
gcloud beta functions add-iam-policy-binding RECEIVING_FUNCTION \
--member='serviceAccount:CALLING_FUNCTION_IDENTITY' \
--role='roles/cloudfunctions.invoker'
I am using python and django for my web application, and I am trying to use Microsoft Graph API for user sign in authentication to my app using their office365 credentials. I've read up on examples on the web and have been able to successfully get an authorization code and an access token. However I am not able to get a valid response from my GET API call, and get_me function. I keep getting a 500 error. I am using in my scopes openid, profile, and email. Any suggestions on what I am doing wrong
pythoncontacts ties Django and Office 365 together and Microsoft provides an example of connecting to the Graph API via Python.
The scopes you list won't be enough to actually make any API calls. Those scopes will get you an ID token and refresh token in the response, but that's it. To call API calls, you need to add the required scope (depending on what API calls you want to make).
If you're trying to call the Graph endpoint (https://graph.microsoft.com/) then, for example, if you want to just read the user's email, you can add Mail.Read to the scope array.
If you find the API call you want to make at https://graph.microsoft.io/en-us/docs, it should list what scope is required.
I've looked lots of place but I can't find answer how can I implement it. My program is little sync app using Python Evernote API and *.txt file. I've used to auth for developer token and I need to auth for any user who uses to Evernote. I'm using interface as Tkinter and I need to g.e. "Log in with Evernote" button to going requests to Evernote and catching the callback url and including my program to
auth_token = "*****"
client = EvernoteClient(token=auth_token, sandbox=True)
The callback URL is for applications that utilize OAuth to obtain an access token to act on behalf of another user. OAuth is a separate authentication system from developer tokens which are for quickly accessing the API to test an application or to develop an application that only accesses your account; you cannot use developer tokens to access others accounts (its a violation of the API policy).
To access other's Evernote accounts, you need to use OAuth. First you must get a consumer key and consumer secret. The consumer key uniquely identifies your application and your consumer secret should never be shared but is used by your application to validate your use of your consumer key. You can get one here: https://dev.evernote.com/#apikey
For an example of how to use your consumer key and consumer secret to create an application that access the user's Evernote account see this small (~240 lines) example I created using the Python web framework Flask: https://github.com/matthewayne/evernote-giphy/blob/master/server.py
To learn how Evernote's OAuth work see Evernote authentication page: https://dev.evernote.com/doc/articles/authentication.php
The documentation google + domains api to create a post using the 'service' object, obtained here by this method. But in my project to authenticate via google and other sites I use the python social auth
and after authorization I have a ready access token.
The problem lies in the fact that I need a service object to work with api, but I can not figure out how to get it already having access token. Please help me and sorry for my english.
For the domains API, you typically will implement using a service account authorization flow - which is not retrieved in the same way as a user OAuth flow. This is because service accounts can be authorized for services that users typically should not be authorized for (e.g. retrieving domain-wide lists of user names).
The service account credentials, used to authorize your application, are created using the Google Developer Console and then are downloaded as a JSON or p12 file that is used to authenticate your Python client, as shown in this example.
That said, you still can do some actions with that access token which is why the auth flow you're seeing is doing this. Service credentials are how you should be authorizing for domains-related management features which may explain the behavior you're seeing.