This topic explains how to access Google Cloud APIs on behalf of an end user. For general information about authenticating to Google Cloud APIs, see Authentication overview.
Authentication flow
When an application needs to access Google Cloud APIs on behalf of an end user, the application initiates an OAuth consent flow. After the user completes the flow, your application receives the user's credentials. With the credentials, your application can call Google Cloud APIs on behalf of the user.
This process uses the OAuth 2.0 protocol. To learn more, see OAuth 2.0.
Specifying OAuth scopes
When authenticating as an end user, you must specify OAuth scopes explicitly. OAuth scopes limit the actions your application can perform on behalf of the end user. For example, these actions might include reading files from Cloud Storage, or managing Google Cloud projects.
See the specific API page for more information on what OAuth scopes are available. For example, if you plan to use the disks.get() method for the Compute Engine API, you would need to set one of these OAuth scopes.
Set the minimum scope needed based on your use case.
Granting and limiting access to project resources
If you're using end user credentials to access resources within your project, you must grant the user access to resources within your project. Do this in Google Cloud by setting a role in Identity and Access Management (IAM).
You may want to limit which resources the user has access to. This is especially true when you're allowing the user to access resources in a project that you own. Set roles according to the least privilege the user needs.
Each service has a set of IAM roles, and you can choose to create custom roles instead. For more information, see understanding roles and creating and managing custom roles.
End user authentication example
Complete the following sections to obtain credentials for an end user. The following steps use the BigQuery API, but you can replicate this process with any Google Cloud API that has a client library.
Setting up your project
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Enable the BigQuery API.
- Install the BigQuery client libraries.
- If using Python or Node.js, you must install an additional auth library.
Python
Install the oauthlib integration for Google Auth:
pip install --upgrade google-auth-oauthlib
Creating your client credentials
Create your client credentials in Google Cloud Console.
- Go to the OAuth consent screen page in Cloud Console.
- On the Credentials page, select the Create credentials button, then select OAuth client ID.
- Select Other, then select the Create button. Select the OK button after the success dialog appears.
- Download the credentials by selecting the Download JSON button for the client ID.
- Save the credentials file to client_secrets.json. This file must be distributed with your application.
Authenticating and calling the API
Use the client credentials to perform the OAuth 2.0 flow.
Use the authenticated credentials to connect to the BigQuery API.
When you run the sample code, the code launches a browser requesting access to the project associated with the client secrets. The resulting credentials can then be used to access the user's BigQuery resources, because the sample requested the BigQuery scope.
In a different use case, you may wish to grant IAM roles to determine what the user can access.
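The following is an added example, not the page's own Python sample, that puts the steps above together: it checks the downloaded client_secrets.json, requests only the BigQuery read-only scope unless the app must write, runs the consent flow in the user's browser, and queries BigQuery as the signed-in user. The project ID is a placeholder, and the two Google libraries are imported inside the functions that need them so the validation helpers also run where they are not installed.

```python
import json
from pathlib import Path

# Scopes published for the BigQuery API; request the narrowest one that covers the job.
BIGQUERY_SCOPES = {
    "read": "https://www.googleapis.com/auth/bigquery.readonly",
    "write": "https://www.googleapis.com/auth/bigquery",
}

def choose_scopes(needs_write: bool) -> list:
    """Least privilege: ask for read-only access unless the app must modify data."""
    return [BIGQUERY_SCOPES["write" if needs_write else "read"]]

def validate_client_config(config: dict) -> dict:
    """Check that client_secrets.json describes the 'installed' client type created
    with 'Other' above; a 'web' client needs registered redirect URIs and would not
    work with the loopback flow used below."""
    if "installed" not in config:
        raise ValueError("expected an installed-app client in client_secrets.json")
    for key in ("client_id", "client_secret", "auth_uri", "token_uri"):
        if not config["installed"].get(key):
            raise ValueError(f"client_secrets.json is missing '{key}'")
    return config

def load_client_config(path: str = "client_secrets.json") -> dict:
    return validate_client_config(json.loads(Path(path).read_text()))

def obtain_user_credentials(client_config: dict, scopes: list):
    """Open the consent screen in the user's browser and return their credentials."""
    from google_auth_oauthlib.flow import InstalledAppFlow  # lazy: optional dependency
    flow = InstalledAppFlow.from_client_config(client_config, scopes=scopes)
    return flow.run_local_server(port=0)  # loopback redirect on an ephemeral port

def run_query(credentials, project_id: str, sql: str) -> list:
    """Call BigQuery as the end user. The scope caps what the app may do; which
    datasets the user can actually see is decided by the IAM roles granted to them."""
    from google.cloud import bigquery  # lazy: optional dependency
    client = bigquery.Client(project=project_id, credentials=credentials)
    return [dict(row) for row in client.query(sql).result()]

if __name__ == "__main__":
    creds = obtain_user_credentials(load_client_config(), choose_scopes(needs_write=False))
    # PROJECT_ID is a placeholder for the project in which you enabled the BigQuery API.
    print(run_query(creds, "PROJECT_ID", "SELECT 1 AS ok"))
```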
What's next
- Learn about authenticating to a Google Cloud API
- Learn about authenticating as a service account
- Learn about using API keys