Authenticating as an End User

In most situations, we recommend using a service account for authenticating to a Google Cloud Platform (GCP) API. In some situations you might want your users to authenticate directly. For example:

• You need to access resources on behalf of an end user of your application. For example, your application needs to access Google BigQuery datasets that belong to users of your application.

• You need to authenticate as yourself instead of your application. For example, because the Cloud Resource Manager API can create and manage projects owned by a specific user, you would need to authenticate as a user to create projects on their behalf.

This guide discusses end user credentials. It doesn't discuss authenticating a user to your application. For that use case, we recommend Firebase authentication.

Obtaining credentials for an end user

When an application needs to access resources on behalf of a user, the application presents a consent screen to the user. After the user accepts, your application requests credentials from an authorization server. With the credentials, the application can access resources on behalf of the user.

This process is a protocol called OAuth 2.0.

Your app

User consent

User data

To learn more about OAuth 2.0, and how to set up an application for this use case, see OAuth 2.0.

Requesting access to user resources

When you use a service account to authenticate to a GCP API, GCP automatically authenticates the service account with full access to the API. When authenticating as an end user, you must specify these OAuth scopes manually.

See the specific API page for more information on what OAuth scopes are available. For example, if you plan to use the disks.get() method for the Compute Engine API, you would need to set one of these OAuth scopes. Set the minimum scope needed based on your use case.

Granting and limiting access to project resources

If you're using end user credentials to access resources within your project, you must grant the user access to resources within your project. Do this in GCP by setting a role in Google Cloud Identity and Access Management (Cloud IAM).

You may want to limit which resources the user has access to. This is especially true when you're allowing the user to access resources in a project that you own. Set roles according to the least privilege the user needs.

Each service has a set of Cloud IAM roles, and you can choose to create custom roles instead. For more information, see understanding roles and creating and managing custom roles.

What's next

• Learn about authenticating to a GCP API.

• Learn about setting up authentication for production applications.

• Learn about using API keys.