Authorizing Requests to Google Compute Engine

If you use the Compute Engine API to manage your Compute Engine resources, you can authenticate your applications to the API by obtaining credentials from a service account. Service accounts allow your application to authenticate to the API without embedding long-lived secret keys in your application code.

Service accounts are recommended for most situations where your application must authorize requests to the API. However, if you are building development or administration tools where users grant you access to their Google Cloud resources, use a user authorization flow instead.

The simplest way to obtain credentials from a service account is to use a Compute Engine client library with application default credentials. These libraries obtain credentials from one of several sources, chosen by where the application runs.

Applications that run on Compute Engine instances

If you run applications on your Compute Engine instances, application default credentials obtain short-lived access tokens for the service account attached to the instance through the instance metadata server. Read Creating and Enabling Service Accounts for Instances to configure your instances with these built-in service accounts and run your application on a Compute Engine instance. Note that any process on the instance can query the metadata server, so grant the attached service account only the access the workload needs.

Applications that run outside of Google Cloud Platform

If you run applications on systems outside of Google Cloud Platform, your applications can use application default credentials to obtain credentials from a service account key file whose path is given in the GOOGLE_APPLICATION_CREDENTIALS environment variable. See How Application Default Credentials work to configure your environment with the necessary credentials. The key file is a long-lived secret: restrict its file permissions, keep it out of source control, and rotate it.

Applications that are in development

While you develop your applications locally, application default credentials can use the login information held by the gcloud tool to obtain credentials.

  1. Install the gcloud tool on your development systems.

  2. Initialize the tool with the gcloud init command, then run gcloud auth application-default login to store credentials that application default credentials can use.

The application obtains credentials from the tool. Later, you can deploy your application to Compute Engine instances, where the application automatically obtains credentials from the built-in service accounts, or to other systems with credentials specified in their environment variables, without changing application code.
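The three subsections above describe the sources that application default credentials consult. The following added example (it is not code from the original page or from Google's client libraries) models that lookup order with the standard library only, so that each source and its security implication is visible: the key file named by GOOGLE_APPLICATION_CREDENTIALS, then the file written by gcloud auth application-default login, then the Compute Engine metadata server. The function name resolve_adc, the injectable fetch parameter and the file-permission check are assumptions made for this illustration; the metadata endpoint, the Metadata-Flavor header and the gcloud file path are the documented ones.

```python
"""Illustrative model of the application default credentials (ADC) lookup
order.  Added example, not Google's client-library code."""
import json
import os
import urllib.request
from pathlib import Path

# Metadata-server endpoint that returns an access token for the instance's
# attached service account.  The header is mandatory, which stops a plain
# browser or a forwarded request without it from reading the token.
METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")
METADATA_HEADER = {"Metadata-Flavor": "Google"}

# File written by `gcloud auth application-default login`.
GCLOUD_ADC_PATH = (Path.home() / ".config" / "gcloud"
                   / "application_default_credentials.json")


def _load_json_key(path: Path) -> dict:
    """Read a credential file, refusing one other local users can read.

    The permission check is an assumption of this example, added because a
    downloaded key is a long-lived secret."""
    if os.name == "posix" and (path.stat().st_mode & 0o077):
        raise PermissionError(f"{path} is readable by other users")
    return json.loads(path.read_text())


def _default_metadata_fetch(url: str, headers: dict) -> dict:
    """Real metadata-server call; only reachable from a Compute Engine VM."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return json.loads(resp.read())


def resolve_adc(env=os.environ, adc_file=GCLOUD_ADC_PATH,
                fetch=_default_metadata_fetch):
    """Return (source, credential) following the ADC lookup order.

    `env`, `adc_file` and `fetch` are injectable so the order can be
    exercised offline; the defaults use the real environment."""
    key_path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if key_path:
        # 1. Explicit service-account key file (systems outside GCP).
        return "env_key_file", _load_json_key(Path(key_path))
    adc_file = Path(adc_file)
    if adc_file.exists():
        # 2. Developer credentials stored by the gcloud tool.
        return "gcloud_adc_file", _load_json_key(adc_file)
    # 3. Attached service account via the metadata server (on a VM).
    try:
        token = fetch(METADATA_TOKEN_URL, METADATA_HEADER)
    except Exception as exc:
        raise RuntimeError("no application default credentials found") from exc
    if "access_token" not in token:
        raise RuntimeError("metadata server returned no access_token")
    return "metadata_server", token


if __name__ == "__main__":
    source, cred = resolve_adc()
    print(f"credentials came from: {source}")
```

Because the key-file sources are consulted before the metadata server, an attacker who can set an environment variable or drop a file in the gcloud configuration directory can redirect which identity an application uses; treat both locations as sensitive as the credential itself.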

Obtaining access to Google Cloud resources that are owned by users of your application

If you are building development or administration tools where users grant you access to their Google Cloud resources, obtain authorization through a standard OAuth 2.0 authorization code flow. This flow requires your users to grant your application access to their information through a user authorization flow in the browser. After your application has access, it can view or modify the Compute Engine resources in your user's project.

In your request, specify an access scope that limits your access to only the methods and user information that your application requires. For example, specify the compute.readonly scope when your application views existing Compute Engine resources but does not create or modify any resources for your users. Requesting a broader scope than you need, such as cloud-platform, increases the damage a leaked token can do and makes users less likely to grant consent.

Scope                                             Meaning
https://www.googleapis.com/auth/cloud-platform    Full access to all resources and services in the specified Cloud Platform project.
https://www.googleapis.com/auth/compute           Read-write access to Google Compute Engine methods.
https://www.googleapis.com/auth/compute.readonly  Read-only access to Google Compute Engine methods.
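The user authorization flow and scope table above, as an added example that is not code from the original page or from Google's libraries: the standard library alone builds the authorization request with the least-privilege compute.readonly scope, a random state value and a PKCE challenge, validates the redirect that comes back, and assembles the body of the code-for-token exchange. The client ID, client secret and redirect URI are placeholders; the function names and the pending-request dictionary are assumptions of this example. The authorization and token endpoints are Google's documented OAuth 2.0 endpoints.

```python
"""User authorization (OAuth 2.0 authorization code flow with PKCE) for a
tool that reads Compute Engine resources on a user's behalf.  Added
example, not Google's client-library code."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

SCOPE_CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
SCOPE_COMPUTE = "https://www.googleapis.com/auth/compute"
SCOPE_COMPUTE_READONLY = "https://www.googleapis.com/auth/compute.readonly"


def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)          # 86 chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_request(client_id, redirect_uri, scopes):
    """Build the URL the user is sent to, plus the per-request secrets.

    The returned `pending` dict must be stored server-side, bound to the
    user's session, and consumed exactly once."""
    state = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),          # only what the tool needs
        "state": state,                     # binds callback to this request
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "access_type": "offline",           # ask for a refresh token
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), {
        "state": state, "code_verifier": verifier}


def handle_redirect(redirect_url, pending):
    """Validate the callback and return the authorization code."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])   # user denied consent
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state, pending["state"]):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carries no authorization code")
    return code


def token_request_body(code, client_id, client_secret, redirect_uri, pending):
    """Form body to POST to TOKEN_ENDPOINT to exchange the code for tokens."""
    return {
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
        "code_verifier": pending["code_verifier"],   # proves we began the flow
    }


if __name__ == "__main__":
    url, pending = build_authorization_request(
        "placeholder-id.apps.googleusercontent.com",
        "http://localhost:8080/callback",
        [SCOPE_COMPUTE_READONLY])
    print("send the user to:", url)
```

The state check uses a constant-time comparison and the PKCE verifier never leaves the server until the token exchange, so an attacker who captures the redirect URL cannot complete the flow; the scope list is the place to apply the table above, and a read-only tool should never request compute or cloud-platform.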
