Authorizing requests to Compute Engine

If you use the Compute Engine API to manage your Compute Engine resources, you can authenticate your applications to the API by obtaining credentials from a Compute Engine service account. Service accounts let your application authenticate to the API without embedding any secret keys in your application code.

We recommend service accounts for most situations where your application must authorize requests to the API. However, if you are building development or administration tools where users grant you access to their Google Cloud resources, use a user authorization flow instead.

To obtain credentials from a service account, use a Compute Engine client library and application default credentials. These packages let your application obtain credentials from one of several available sources depending on where the application runs.

Applications that run on Compute Engine instances

If you run applications on your Compute Engine instances, application default credentials can get credentials through built-in service accounts. For information about how to configure your instances with these built-in service accounts and run your application on a Compute Engine instance, see Authenticating applications directly with access tokens.

Applications that run outside of Google Cloud

If you run applications on systems outside of Google Cloud, your applications can use application default credentials to obtain credentials from environment variables on those systems. For information about how to configure your environment variables with the necessary credentials, see Authenticating as a service account.

Applications that are in development

While you develop your applications locally, you can use the gcloud auth application-default login command to temporarily get user credentials for your application. This command helps provide user credentials when you're developing code that would normally use a service account but you need to run the code in a local development environment. The credentials will apply to all API calls that make use of the Application Default Credentials client library.

  1. Install the gcloud tool on your development systems.

  2. Provide your credentials to the tool by using the gcloud auth application-default login command.

The application obtains credentials from the tool. Later, you can deploy your application to Compute Engine instances where the application automatically obtains credentials from the built-in service accounts, or to other systems with credentials specified in their environment variables.
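The three situations above (a key file named by an environment variable, the file written by gcloud auth application-default login, and the built-in service account on an instance) are consulted in a fixed order by the client libraries. The following added example is not code from this page or from Google's libraries; it models that lookup order offline so you can see which source wins in each deployment. The environment-variable name GOOGLE_APPLICATION_CREDENTIALS, the gcloud file location and the precedence (environment variable, then gcloud file, then the instance metadata server) are taken from the google-auth library rather than from this page, and the sample credential files are constructed with fake values.

```python
import json
from typing import Mapping

# Sources consulted, in order, by the client libraries' application default
# credentials lookup. The variable and file names are the ones used by the
# google-auth library; they are not stated on this page.
ADC_ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS"
GCLOUD_ADC_FILE = ".config/gcloud/application_default_credentials.json"


def classify_credential_file(contents: str) -> str:
    """Return the credential type stored in an ADC JSON file.

    A service-account key file and the file written by
    `gcloud auth application-default login` both carry a "type" field but
    hold different secrets; anything else is rejected rather than guessed at.
    """
    data = json.loads(contents)
    kind = data.get("type")
    if kind == "service_account":
        required = {"client_email", "private_key", "token_uri"}
    elif kind == "authorized_user":
        required = {"client_id", "client_secret", "refresh_token"}
    else:
        raise ValueError(f"unsupported credential type: {kind!r}")
    missing = required - set(data)
    if missing:
        raise ValueError(f"{kind} credential is missing fields: {sorted(missing)}")
    return kind


def resolve_adc_source(env: Mapping[str, str], files: Mapping[str, str],
                       home: str, on_gce: bool) -> dict:
    """Report where ADC would take credentials from, without contacting anything.

    `files` maps absolute paths to contents and stands in for the filesystem;
    `on_gce` stands in for a successful probe of the instance metadata server.
    """
    explicit = env.get(ADC_ENV_VAR)
    if explicit:
        # An explicit path wins, and a dangling one is an error, not a fallthrough.
        if explicit not in files:
            raise FileNotFoundError(f"{ADC_ENV_VAR}={explicit} does not exist")
        return {"source": "environment", "path": explicit,
                "type": classify_credential_file(files[explicit])}
    gcloud_path = f"{home.rstrip('/')}/{GCLOUD_ADC_FILE}"
    if gcloud_path in files:
        return {"source": "gcloud", "path": gcloud_path,
                "type": classify_credential_file(files[gcloud_path])}
    if on_gce:
        # On an instance the built-in service account is reached through the
        # metadata server; no key material is present on disk at all.
        return {"source": "metadata_server", "path": None, "type": "service_account"}
    raise RuntimeError("no application default credentials found")


# Constructed sample files (fake values, not real credentials).
SERVICE_ACCOUNT_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "client_email": "app@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})
GCLOUD_USER_CREDS = json.dumps({
    "type": "authorized_user", "client_id": "fake-client-id",
    "client_secret": "fake-client-secret", "refresh_token": "fake-refresh-token",
})


def demo() -> list:
    """Walk the three deployment situations described above."""
    cases = [
        ("ci runner with key file", {ADC_ENV_VAR: "/etc/app/key.json"},
         {"/etc/app/key.json": SERVICE_ACCOUNT_KEY}, "/root", False),
        ("developer laptop", {}, {"/home/dev/" + GCLOUD_ADC_FILE: GCLOUD_USER_CREDS},
         "/home/dev", False),
        ("compute engine instance", {}, {}, "/root", True),
    ]
    return [(name, resolve_adc_source(env, files, home, on_gce))
            for name, env, files, home, on_gce in cases]


if __name__ == "__main__":
    for name, result in demo():
        print(f"{name}: {result}")
```

Only the first source reads a long-lived key file from disk; the gcloud file holds a user refresh token meant for development, and an instance gets short-lived tokens from the metadata server with nothing on disk. When auditing a deployment, the environment-variable path is therefore the place to look for a key that should not be there.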

Example: authenticating using application default credentials

This example uses the Python Client Library to authenticate and make a request to the Cloud Storage API to list the buckets in a project. The example uses the following procedure:

  1. Obtain the necessary authentication credentials for the Cloud Storage API and initialize the Cloud Storage service with the build() method and the credentials.
  2. List buckets in Cloud Storage.

You can run this sample on an instance whose service account has access to manage buckets in Cloud Storage, on your local machine after running the gcloud auth application-default login command, or on any system after setting an environment variable that points application default credentials at a credential file.

"""List the Cloud Storage buckets in a project using application default credentials."""

import argparse

import googleapiclient.discovery


def create_service():
    # Construct the service object for interacting with the Cloud Storage API -
    # the 'storage' service, at version 'v1'.
    # Authentication is provided by application default credentials.
    # When running locally, these are available after running
    # `gcloud auth application-default login`. When running on Compute
    # Engine, these are available from the environment.
    return googleapiclient.discovery.build('storage', 'v1')


def list_buckets(service, project_id):
    # buckets().list() only builds the request; execute() sends it using the
    # credentials obtained above.
    buckets = service.buckets().list(project=project_id).execute()
    return buckets


def main(project_id):
    service = create_service()
    buckets = list_buckets(service, project_id)
    print(buckets)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description=__doc__,
        formatter_class=argparse.RawDescriptionHelpFormatter)
    parser.add_argument('project_id', help='Your Google Cloud Project ID.')

    args = parser.parse_args()

    main(args.project_id)

Obtaining access to Google Cloud resources that are owned by users of your application

If you are building development or administration tools where users grant you access to their Google Cloud resources, obtain authorization through a basic OAuth 2.0 process. This process requires your users to grant you access to their information through a user authorization flow. After your application has access, it can view or modify the Compute Engine resources in each user's project.

In your request, specify an access scope that limits your access to only the methods and user information that your application requires. For example, specify the compute.readonly scope when your application views existing Compute Engine resources but does not create or modify any resources for your users.

Scope                                              | Meaning
---------------------------------------------------|----------------------------------------------------------------------------
https://www.googleapis.com/auth/cloud-platform     | Full access to all resources and services in the specified Google Cloud project.
https://www.googleapis.com/auth/compute            | Read/write access to Compute Engine methods.
https://www.googleapis.com/auth/compute.readonly   | Read-only access to Compute Engine methods.
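The following added example (not code from this page or from Google) shows the scope selection the section describes applied to the user authorization flow: choosing the narrowest of the three scopes above, building the authorization request with a state value that ties the callback to the request, and checking that what the user actually granted covers what the tool needs. It assumes Google's OAuth 2.0 authorization endpoint at https://accounts.google.com/o/oauth2/v2/auth and a space-separated scope field in the token response, both from Google's OAuth documentation rather than this page; the containment of compute.readonly within compute and of both within cloud-platform is inferred from the table. Client ids, redirect URIs and callback URLs are constructed.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# The three scopes from the table above.
SCOPE_CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"
SCOPE_COMPUTE = "https://www.googleapis.com/auth/compute"
SCOPE_COMPUTE_READONLY = "https://www.googleapis.com/auth/compute.readonly"

# Which scopes each scope implies (inferred from the table: full access covers
# read/write, read/write covers read-only).
IMPLIES = {
    SCOPE_CLOUD_PLATFORM: {SCOPE_COMPUTE, SCOPE_COMPUTE_READONLY},
    SCOPE_COMPUTE: {SCOPE_COMPUTE_READONLY},
}

# Google's OAuth 2.0 authorization endpoint (assumed from Google's OAuth docs).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def narrowest_scope(modifies_resources: bool, needs_other_services: bool) -> str:
    """Pick the least-privileged scope that still covers what the tool does."""
    if needs_other_services:
        return SCOPE_CLOUD_PLATFORM
    return SCOPE_COMPUTE if modifies_resources else SCOPE_COMPUTE_READONLY


def build_authorization_url(client_id: str, redirect_uri: str,
                            scopes: list, state: str = None) -> tuple:
    """Return (url, state); the caller stores state to validate the callback."""
    state = state or secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def verify_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code, rejecting a callback for another request."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in query:
        raise PermissionError(f"authorization denied: {query['error'][0]}")
    return query["code"][0]


def granted_covers(granted_scope_field: str, required: set) -> bool:
    """Users may grant fewer scopes than requested; expand what was granted
    through the hierarchy and check it covers every required scope."""
    effective = set()
    for scope in granted_scope_field.split():
        effective.add(scope)
        effective |= IMPLIES.get(scope, set())
    return required <= effective


if __name__ == "__main__":
    # A read-only inventory tool only ever needs compute.readonly.
    scope = narrowest_scope(modifies_resources=False, needs_other_services=False)
    url, state = build_authorization_url(
        "example-client-id", "https://tool.example/oauth/callback", [scope])
    print(url)
    # Constructed callback as the browser would deliver it.
    code = verify_callback(
        f"https://tool.example/oauth/callback?state={state}&code=4/constructed-code", state)
    print("code:", code)
    print("covered:", granted_covers(SCOPE_COMPUTE, {scope}))
```

Requesting compute.readonly rather than cloud-platform limits what a leaked or misused token can do in the user's project, and the state check stops an authorization response from being spliced into someone else's session. Check the granted scope field rather than assuming the request was honoured as written.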