Managing Cloud APIs and Libraries

Programmatically accessing Google Cloud products and services requires the use of Cloud APIs. These APIs expose a simple JSON REST interface that you can call via client libraries.

With Cloud Code, you can access a consolidated list of Google Cloud services along with their corresponding client libraries and documentation, browse and enable Cloud APIs, and add Cloud Client Libraries to your project, all from your IDE.

Browsing Cloud APIs

To explore all available Google Cloud APIs in your IDE, follow these steps:

  1. Click the Cloud Code - Cloud APIs icon from the Activity bar.
  2. Expand the Google Cloud APIs explorer tree to view all available APIs. The explorer groups Cloud APIs by category.
  3. Click an API to view more details, such as its service name, status, installation instructions for its corresponding client libraries, and relevant documentation.

Enabling Cloud APIs

To quickly enable Cloud APIs for a project using the API details page, follow these steps:

  1. On the Cloud API details page, choose a project that you'd like to enable the Cloud API for.
  2. Click the Enable API button.

    Once the API has been enabled you'll see a message confirming this change.

Adding client libraries to your project

In addition to exploring and enabling Cloud APIs using Cloud Code, you can also add a language-specific client library to your project. You'll have to install it; the API details page contains installation instructions for each language.

Setting up authentication

After you've enabled the required APIs and added the necessary client libraries, you need to configure your application in order for it to be successfully authenticated. Your configuration depends on your type of development and the platform you're running on.

Once you complete the relevant authentication steps, your application can authenticate and is ready to be deployed.

Local development

The Cloud Shell VM instance uses the Compute Engine default service account (the service account GKE uses by default) as its default service account. This means that when developing with Cloud Code on Cloud Shell, you do not need to set up any additional configuration when working with client libraries. Your application is successfully authenticated and ready to run locally.

Remote development

Google Kubernetes Engine

Depending on the scope of your project, you can choose how you authenticate Google Cloud services on GKE:

  • (Development only)
    1. Create a GKE cluster with the following settings:
      • Ensure you're using the service account GKE uses by default, the Compute Engine default service account, and that Access scopes is set at Allow full access to all Cloud APIs (both settings accessible in the Node Pools > Security section).
        Since the Compute Engine service account is shared by all workloads deployed on your node, this method overprovisions permissions and should only be used for development.
      • Ensure Workload Identity is not enabled on your cluster (in the Cluster > Security section).
    2. Assign the necessary roles to your service account:
  • (Recommended for production)
    1. Configure your GKE cluster and application with Workload Identity to authenticate Google Cloud services on GKE. This associates your Kubernetes service account with your Google service account.
    2. Configure your Kubernetes Deployment to reference the Kubernetes service account by setting the .spec.serviceAccountName field in your Kubernetes Deployment YAML file.
      If you're working on an app created from a Cloud Code template, this file is located under the kubernetes-manifests folder.
    3. If the Google Cloud service you're trying to access requires additional roles, grant them for the Google service account you're using to develop your app:

Cloud Run

  1. To create a new unique service account for deploying your Cloud Run application, navigate to the Service Accounts page and then select the project that your secret is stored in.

  2. Click Create service account.
  3. In the Create service account dialog, enter a descriptive name for the service account.
  4. Change the Service account ID to a unique, recognizable value and then click Create.
  5. If the Google Cloud service you're trying to access requires additional roles, grant them, click Continue, and then click Done.
  6. To add your service account to your deploy configuration:
    1. Using the Cloud Code status bar, choose the Cloud Run: Deploy command.
    2. In the Cloud Run Deployment UI, under Revision Settings, in the Service Account field, specify your service account, in the format service-account-name@project-name.iam.gserviceaccount.com.

Cloud Run

Depending on the scope of your project, you can choose how you authenticate Google Cloud services on GKE:

  • (Development only)
    1. Create a GKE cluster with the following settings:
      • Ensure you're using the service account GKE uses by default, the Compute Engine default service account, and that Access scopes is set at Allow full access to all Cloud APIs (both settings accessible in the Node Pools > Security section).
        Since the Compute Engine service account is shared by all workloads deployed on your node, this method overprovisions permissions and should only be used for development.
      • Ensure Workload Identity is not enabled on your cluster (in the Cluster > Security section).
    2. Assign the necessary roles to your service account:
  • (Recommended for production)
    1. Configure your GKE cluster and application with Workload Identity to authenticate Google Cloud services on GKE. This associates your Kubernetes service account with your Google service account.
    2. To add your service account to your deploy configuration:
      1. Using the Cloud Code status bar, choose the Cloud Run: Deploy command.
      2. In the Cloud Run Deployment UI, under Revision Settings, in the Service Account field, specify your service account, in the format service-account-name@project-name.iam.gserviceaccount.com.
    3. If the Google Cloud service you're trying to access requires additional roles, grant them for the Google service account you're using to develop your app:

Remote development with Secret Manager permissions enabled

If you're developing remotely, using a service account for authentication, and your application uses secrets, you need to complete a few more steps in addition to the remote development instructions. These steps assign your Google service account the role required to access a particular Secret Manager secret:

  1. Open the Secret Manager view and select the secret you want to access in your code.

  2. Right-click the secret and select Edit Permissions in Cloud Console. This launches the Secret Manager configuration page for that secret in your web browser.

  3. In Cloud Console, click Permissions and then click Add.

  4. In the New principals field, enter the name of your service account.

  5. In the Select a role field, choose the Secret Manager Secret Accessor role.

  6. Click Save.

    Your service account now has permission to access this particular secret.
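
Two least-privilege points from this page can be checked against a project's IAM policy: the shared Compute Engine default service account should not hold broad roles, and Secret Manager Secret Accessor should be granted on a particular secret rather than project-wide. The following is an added example, not part of Cloud Code or Google's documentation; the sample policy, project number, and account names are constructed, and the function name is hypothetical.

```python
import json

# Constructed sample in the JSON shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`. All values are made up.
SAMPLE_PROJECT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/secretmanager.secretAccessor",
     "members": ["serviceAccount:my-app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:my-app@example-project.iam.gserviceaccount.com",
                 "user:dev@example.com"]}
  ]
}
""")

# The Compute Engine default service account is PROJECT_NUMBER-compute@developer...
DEFAULT_COMPUTE_SUFFIX = "-compute@developer.gserviceaccount.com"
SECRET_ACCESSOR = "roles/secretmanager.secretAccessor"
BROAD_ROLES = {"roles/owner", "roles/editor"}


def audit_project_policy(policy):
    """Return sorted (finding, service_account, role) tuples for over-broad grants."""
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if not member.startswith("serviceAccount:"):
                continue  # only service accounts are in scope for this check
            email = member.split(":", 1)[1]
            if email.endswith(DEFAULT_COMPUTE_SUFFIX) and role in BROAD_ROLES:
                # Shared by all workloads on the node, so every pod inherits the role.
                findings.add(("default-sa-broad-role", email, role))
            if role == SECRET_ACCESSOR and "condition" not in binding:
                # An unconditional project-level grant covers every secret in the
                # project, not the one particular secret the application needs.
                findings.add(("project-wide-secret-access", email, role))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_project_policy(SAMPLE_PROJECT_POLICY):
        print(*finding, sep="\t")
```

A grant made through the secret's own Permissions page, as in the steps above, lives in that secret's IAM policy and does not appear in the project-level policy this check reads.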