On a server firestore admin is accessed using python:
import firebase_admin
from firebase_admin import credentials, firestore
cred = credentials.Certificate('myfile.json')
myfile.json has been added to a git repo so now I'm wondering if there is a way to revoke it and create a new one?
Following firebase tutorials it's supposed to be a service account, however there is no old service account on google cloud to revoke.
myfile.json was created months ago so there is no way to know how it was created (as when doing anything with firebase/google cloud you have to jump around to multiple guides all over the place, out of the blue knowing all kinds of things to make any progress whatsoever).
Edit:
The reason I didn't find the service account was because google cloud had selected a project that had a similar name as the firebase project.
If you look at the contents of myfile.json, notice three fields: project_id, client_email and private_key_id
These fields tell you the Project ID that the credentials created in, the name of the service account (client_email) and the Key ID.
With that information, you can go to the Google Cloud Console. Log in and select your Project (if you manage more than one Project). Go to IAM -> Service Accounts and find the service account by the client_email. Then disable or delete the service account.
There are more advanced things that you can do such as disable a key and create another one (key rotation), but since the Service Account Key JSON file has been leaked, I would delete the service account and create a new one.
Related
I'm currently working on a project that integrate Zoho people calendar with google calendar and update all the leave events accordingly, I'm being able to do it using my personal account but my question is can I do it with a Google workspace super admin account? like, can I access all the primary calendars of all employees under our workspace organisation and update event using google calendar api by creating google calendar api credentials using the super admin account?
I haven't tested it using workspace account cause I'm not getting permission to test it using our company account. Even though I have created google calendar credentials using my official gmail account and I'm being able to fetch all my calendars including my primary one and update events of my choice using gale calendar api.
Yes, you should be able to access your user's calendars via API and to do so you will need to:
Use a service account
Allow domain wide delegation to the service account (this way it
will have the permissions to impersonate your organization users)
Implement impersonation in your code
Basically the service account will impersonate the users that you specify and do the changes in their calendar on their behalf
Goal:
Using python, I want to create a service account in a project on the Google Cloud Platform and grant that service account one role.
Problem:
The docs explain here how to grant a single role to the service account. However, it seems to be only possible by using the Console or the gcloud tool, not with python. The alternative for python is to update the whole IAM policy of the project to grant the role for the single service account and overwrite it (described here). However, overwriting the whole policy seems quite risky because in case of an error the policy of the whole project could be lost. Therefore I want to avoid that.
Question:
I'm creating a service account using the python code provided here in the docs. Is it possible to grant the role already while creating the service account with this code or in any other way?
Creating a service account, creating a service account key, downloading a service account JSON key file, and granting a role are separate steps. There is no single API to create a service account and grant a role at the same time.
Anytime you update a project's IAM bindings is a risk. Google prevents multiple applications from updating IAM at the same time. It is possible to lock everyone (users and services) out of a project by overwriting the policy with no members.
I recommend that you create a test project and develop and debug your code against that project. Use credentials that have no permissions to your other projects. Otherwise use the CLI or Terraform to minimize your risks.
The API is very easy to use provided that you understand the API, IAM bindings, and JSON data structures.
As mentioned in John’s answer, you should be very careful when manipulating the IAM module, if something goes wrong it could end in services completely inoperable.
Here is a Google’s document which manipulates the IAM resources using the REST API.
The owner role can be granted to a user, serviceAccount, or a group that is part of an organization. For example, group#myownpersonaldomain.com could be added as an owner to a project in the myownpersonaldomain.com organization, but not the examplepetstore.com organization.
Right now when I kick off the dataflow it kicks it off as my UserName. Is there a way to run the GCP Dataflow as a service account? If so, can you provide any samples?
Much Appreciated!
To set up service account based authentication:
In the GCP Console, go to the Create service account key page.
Here
From the Service account list, select New service account.
In the Service account name field, enter a name.
From the Role list, select Project > Owner.
Note: The Role field authorizes your service account to access resources. You can view and change this field later by using the GCP Console. If you are developing a production app, specify more granular permissions than Project > Owner. For more information, see granting roles to service accounts.
Click Create.
A JSON file that contains your key downloads to your computer.
Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the file path of the JSON file that contains your service account key. This variable only applies to your current shell session, so if you open a new session, set the variable again.
You can get more information from here : https://cloud.google.com/dataflow/docs/quickstarts/quickstart-python
I'm creating a Google App Engine project which is going to automatically trigger a function each 5 minutes to analyze a Google sheet.
OAuth authorization
The to-be-analyzed sheet is a G Suite sheet, public to only company members. So I need OAuth2 to authorize the access. How do I do this?
I think I need a Service Account client ID, because as this is going to run automatically in the server, there cannot be a OAuth2 flow, right? Who is going to click the buttons if the function is ran in the server?
I need some directions.
Thanks
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
Yes, it is an OAuth2 flow, but not one involving a manual user operation - the actions are performed by the servers, automatically, based on pre-configured information. From the very document you mentioned:
The Google OAuth 2.0 system supports server-to-server interactions
such as those between a web application and a Google service. For this
scenario you need a service account, which is an account that belongs
to your application instead of to an individual end user. Your
application calls Google APIs on behalf of the service account, so
users aren't directly involved. This scenario is sometimes called
"two-legged OAuth," or "2LO." (The related term "three-legged OAuth"
refers to scenarios in which your application calls Google APIs on
behalf of end users, and in which user consent is sometimes required.)
Basically you need:
on the GAE side to locate an existing (or create a new) service account for your app (in the cloud project's IAM & Admin Service Accounts page). One service account is automatically created when your app is created.
on the G Suite side to allow access by Delegating domain-wide authority to the service account:
To delegate domain-wide authority to a service account, first enable
domain-wide delegation for an existing service account in the Service
accounts page or create a new service account with domain-wide
delegation enabled.
Then, an administrator of the G Suite domain must complete the
following steps:
Go to your G Suite domain’s Admin console.
Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom
of the page, then select Security from the list of controls. If you
can't see the controls, make sure you're signed in as an administrator
for the domain.
Select Show more and then Advanced settings from the list of options.
Select Manage API client access in the Authentication section.
In the Client Name field enter the service account's Client ID. You can find your service account's client ID in the Service accounts
page.
In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your
application needs domain-wide access to the Google Drive API and the
Google Calendar API, enter: https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/calendar.
Click Authorize.
Your application now has the authority to make API calls as users in
your domain (to "impersonate" users). When you prepare to make
authorized API calls, you specify the user to impersonate.
Finally I solved it this way:
Setup a new App Engine service account (I don't know if a "new" one was neccesary really)
Take note of that new service account email
Share the Sheet with that service account mail (I've not yet tested it without this step)
Download its service secrets as a JSON.
Use this code(inspired in (1) and (2))
class analysisHandler(Handler):
def get(self):
credentials = ServiceAccountCredentials.from_json_keyfile_name('service-secrets.json',
["https://www.googleapis.com/auth/spreadsheets"])
http = httplib2.Http()
#if credentials are still valid
if not credentials.invalid:
logging.info("Valid credentials, entering main function")
http = credentials.authorize(http)
main(http)
else:
credentials.refresh(http)
main(http)
Then in main():
sheetService = discovery.build('sheets', 'v4', http=authorized_http)
logging.info("Reading Google Sheet")
result = sheetService.spreadsheets().values().get(spreadsheetId=spreadsheet_id, range=range_name).execute(http=authorized_http)
urlfetch.set_default_fetch_deadline(45)
logging.info("Printing in Google Sheet")
sheetService.spreadsheets().values().append(spreadsheetId=spreadsheet_id, range="Log", body=body, valueInputOption="USER_ENTERED").execute(http=authorized_http)
Where the authorized_http parameter is the one built before with credentials.authorize()
I think this can be improved however.
(1) How to use "Service account" authorization (rather than user based access refresh tokens)
(2) Creating and sharing Google Sheet spreadsheets using Python
I have an Google Analytics Account that I want to automate some custom reports from, but I have some problems understanding what kind of Credentials I need. Most of the tutorials I have seen says I need to use OAuth client ID but the google developers console site says I need a Servide Account key.
What is the difference between the two? Using another Analytics Account I tried to setup a OAuth connection, and it worked, but I now got unsure about what kind of key I should use.
What I want to do is to just have a Python script set up to run at some times, and then to get the data I want to query for. The data is just the same as the one I can get from logging into the Google Analytics UI, so there is no need for any users to consent to giving me access to any personal data or what ever else the Consent form should be used for.
Can someone explain what the difference is between the two Credentials and what one would be the correct one to use for my project?
Both Service accounts and OAuth2 are used to access private user data. Private data is data that is accessible only by logging in. My posts on Google+ are public anyone can see them. The information in my Google Analytics is private owned by me only I can see it and those I grant access to it.
With Oauth2 access is granted at run time. The first time an application is run the user will be asked if your application can access their data. If the user accepts and grants your application access you will be given a refresh token. This refresh token can be then used to get an access token which is used to access the private user data. Access tokens are only good for about an hour. After the hour is up you use the refresh token to get access again. That's why I say access is granted at runtime. You only have to ask the user for access once to get the refresh token though.
Service accounts on the other hand are pre authenticated. Service accounts are like dummy users they have their own google drive account and google calendar account. Because if this it is possible to shire data with them like you would any other user. You take the service account email address and add it as a user under the admin section of google analytics at the ACCOUNT level it must be the ACCOUNT level. Then using the service account in your code, you will be able to access the data for that Google Analytics account without requesting authentication from a user the first time.
Service accounts are most often used by developers to grant others access to the data owned by the developer. Oauth2 on the other hand would be used to access data of your customers for whos accounts you the developer does not personally have access to.
Technically speaking you can use either for your project as long as you store the refresh token you could technically use Oauth2 for your project. However I would not recommend it refresh tokens can expire under certain circumstances, which I will not go into.
I would recommend using a service account in your case it will be much easer for you to administrate as you will only need to set it up once.
My tutorials on the subject:
Google Developer console service account
Google Developer Console Oauth2 credentials