In most situations, we recommend using a service account for authenticating to a Google Cloud Platform (GCP) API. In some situations you might want your users to authenticate directly. For example:
You need to access resources on behalf of an end user of your application. For example, your application needs to access Google BigQuery datasets that belong to users of your application.
You need to authenticate as yourself instead of your application. For example, because the Cloud Resource Manager API can create and manage projects owned by a specific user, you would need to authenticate as a user to create projects on their behalf.
This guide discusses end user credentials. It doesn't discuss authenticating a user to your application. For that use case, we recommend Firebase authentication.
When an application needs to access resources on behalf of a user, the application presents a consent screen to the user. After the user accepts, your application requests credentials from an authorization server. With the credentials, the application can access resources on behalf of the user.
This process is a protocol called OAuth 2.0.
To learn more about OAuth 2.0, see OAuth 2.0.
Specifying API scopes
When you use a service account to authenticate to a GCP API, GCP automatically authenticates the service account with full access to the API. When authenticating as an end user, you must specify OAuth scopes manually. OAuth scopes limit the actions your application can perform on behalf of the end user. For example, these actions might include reading files from Cloud Storage, or managing GCP projects.
See the specific API page for more information on what OAuth scopes are
available. For example, if you plan to use the
disks.get() method for the
Compute Engine API, you would need to set one of these OAuth scopes. Set the minimum scope
needed based on your use case.
Granting and limiting access to project resources
If you're using end user credentials to access resources within your project, you must grant the user access to resources within your project. Do this in GCP by setting a role in Google Cloud Identity and Access Management (Cloud IAM).
You may want to limit which resources the user has access to. This is especially true when you're allowing the user to access resources in a project that you own. Set roles according to the least privilege the user needs.
End user authentication example
Complete the following sections to obtain credentials for an end user. The following steps use the BigQuery API, but you can replicate this process with any GCP API that has a client library.
Setting up your project
Sign in to your Google Account.
If you don't already have one, sign up for a new account.
Select or create a GCP project.
Make sure that billing is enabled for your project.
- Enable the BigQuery API.
- Install the BigQuery client libraries.
- If using Python or Node.js, you must install an additional auth library.
PythonInstall the oauthlib integration for Google Auth.
<pre class="notranslate devsite-click-to-copy" suppresswarning="suppresswarning">pip install --upgrade google-auth-oauthlib</pre>
Creating your client credentials
Create your client credentials in Google Cloud Platform Console.
Go to the APIs & Services→Credentials page in GCP Console.
Fill out the required fields on the OAuth consent screen.
Click the Create credentials button, then select OAuth client ID.
Select Other, then click the Create button.
Download the credentials by clicking the Download JSON button.
Save the credentials file to
client_secrets.json. This file must be distributed with your application.
Authenticating and calling the API
Use the client credentials to perform the OAuth 2.0 flow.
def authenticate_and_query(project, query, launch_browser=True): from google_auth_oauthlib import flow appflow = flow.InstalledAppFlow.from_client_secrets_file( 'client_secrets.json', scopes=['https://www.googleapis.com/auth/bigquery']) if launch_browser: appflow.run_local_server() else: appflow.run_console() run_query(appflow.credentials, project, query)
Use the authenticated credentials to connect to the BigQuery API.
def run_query(credentials, project, query): from google.cloud import bigquery client = bigquery.Client(project=project, credentials=credentials) query_job = client.query(query) # Print the results. for row in query_job.result(): # Wait for the job to complete. print(row)
When you run the sample code, the code launches a browser requesting access to the project associated with the client secrets. The resulting credentials can then be used to access the user's BigQuery resources, because the sample requested the BigQuery scope.
In a different use case, you may wish to add IAM roles to determine what the user can access.
Learn about authenticating to a GCP API.
Learn about using API keys.