This guide explains how to set up authentication and authorization for server-to-server production applications. Authentication refers to the process of determining a client's identity. Authorization refers to the process of determining what permissions an authenticated client has for a specific resource. That is, authentication identifies who you are, and authorization determines what you can do. For more information about supported authentication methods and how to choose between them, see the authentication overview.
Google uses credentials to identify your application for quota and billing. Your credentials are also used to authorize access to GCP APIs, resources, and features.
Providing credentials to your application
GCP client libraries use a strategy called Application Default Credentials (ADC) to find your application's credentials. When your code uses a client library, the strategy checks for your credentials in the following order:
- First, ADC checks to see if the environment variable GOOGLE_APPLICATION_CREDENTIALS is set. If the variable is set, ADC uses the service account file that the variable points to.
- If the environment variable isn't set, ADC uses the default service account that Compute Engine, Kubernetes Engine, App Engine, and Cloud Functions provide, for applications that run on those services.
- If ADC can't use either of the above credentials, an error occurs.
The following code example illustrates this strategy. The example doesn't explicitly specify the application credentials. However, ADC is able to implicitly find the credentials as long as the GOOGLE_APPLICATION_CREDENTIALS environment variable is set, or as long as the application is running on Compute Engine, Kubernetes Engine, App Engine, or Cloud Functions.
Sample code for this strategy is provided in C#, Go, Java, Node.js, PHP, Python, and Ruby.
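The search order described above can be made concrete with a small stand-alone implementation. This is an added example, not code from the page or from the Google client libraries: it reproduces the three ADC steps (environment variable, platform default service account via the Compute Engine metadata server, otherwise an error) using only the Python standard library, so it runs offline. The metadata server URL and the Metadata-Flavor header are the real ones; the key file it writes is a constructed, non-functional placeholder, and the `metadata_probe` parameter is an assumption added so the platform lookup can be replaced in tests.

```python
import json
import os
import tempfile
import urllib.error
import urllib.request

# Compute Engine metadata server endpoint that returns the instance's default
# service account e-mail. The server requires the Metadata-Flavor header.
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                "instance/service-accounts/default/email")


class CredentialsNotFound(Exception):
    """Raised when neither ADC source yields credentials (the third step above)."""


def load_service_account_key(path):
    """Step 1: read the JSON key file that GOOGLE_APPLICATION_CREDENTIALS points to."""
    with open(path, encoding="utf-8") as fh:
        info = json.load(fh)
    missing = {"type", "client_email", "private_key"} - info.keys()
    if info.get("type") != "service_account" or missing:
        raise ValueError(f"{path} is not a service account key file")
    return {"source": "GOOGLE_APPLICATION_CREDENTIALS", "email": info["client_email"]}


def probe_metadata_server(timeout=0.5):
    """Step 2: ask the metadata server for the default service account.
    Returns the account e-mail, or None when not running on Google Cloud."""
    req = urllib.request.Request(METADATA_URL, headers={"Metadata-Flavor": "Google"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def find_default_credentials(env=None, metadata_probe=probe_metadata_server):
    """Apply the ADC search order: env var first, then the platform default, else error."""
    env = os.environ if env is None else env
    key_path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if key_path:
        # An explicitly configured key file wins, even when running on Compute Engine.
        return load_service_account_key(key_path)
    email = metadata_probe()
    if email:
        return {"source": "platform default service account", "email": email}
    raise CredentialsNotFound(
        "set GOOGLE_APPLICATION_CREDENTIALS or run on a GCP service "
        "that provides a default service account")


def write_constructed_key_file(email="demo-sa@PROJECT_ID.iam.gserviceaccount.com"):
    """Write a constructed (non-functional) key file for demonstration; returns its path."""
    info = {
        "type": "service_account",
        "project_id": "PROJECT_ID",  # placeholder, not a real project
        "client_email": email,
        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n"
                       "-----END PRIVATE KEY-----\n",
    }
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(info, fh)
    return path


if __name__ == "__main__":
    # Exercise each branch of the search order without touching the real environment.
    path = write_constructed_key_file()
    print(find_default_credentials({"GOOGLE_APPLICATION_CREDENTIALS": path}, lambda: None))
    print(find_default_credentials({}, lambda: "vm-sa@PROJECT_ID.iam.gserviceaccount.com"))
    try:
        find_default_credentials({}, lambda: None)
    except CredentialsNotFound as err:
        print("error:", err)
    os.remove(path)
```

Because the environment variable is checked before the metadata server, a stale GOOGLE_APPLICATION_CREDENTIALS value on a Compute Engine instance silently overrides the instance's own service account; `load_service_account_key` rejects files that are not service account keys so that misconfiguration fails loudly rather than at the first API call.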
Obtaining and providing service account credentials manually
If you're developing code locally, deploying your application on-premises, or deploying to another public cloud, you can create and obtain service account credentials manually.
For more information about how to create a service account, see getting started with authentication. Although the linked guide walks you through creating a service account with owner-level permissions, for a production application, restrict access to the permissions, as described in the restricting access section below.
After you've created the service account and set the environment variable, ADC is able to implicitly determine your credentials, as described in the providing credentials to your application section above. We recommend this approach, because it requires less code.
You can alternately choose to explicitly point to your service account file in code, as shown in the following code example.
Sample code for this approach is provided in C#, Java, Node.js, PHP, Python, and Ruby.
Obtaining credentials on Compute Engine, Kubernetes Engine, App Engine flexible environment, and Cloud Functions
If your application runs on Compute Engine, Kubernetes Engine, the App Engine flexible environment, or Cloud Functions, you don't need to create your own service account. Compute Engine includes a default service account that is automatically created for you, and you can assign a different service account, per-instance, if needed. When you create a new instance, the instance is automatically enabled to run as the default service account and has a default set of authorization permissions. For more information, see Compute Engine default service account.
After you set up a service account, ADC can implicitly find your credentials without any need to change your code, as described in the section above. If you want to specifically use Compute Engine credentials, you can explicitly do so, as shown in the following code example.
Sample code for this approach is provided in C#, Java, PHP, Python, and Ruby.
Obtaining credentials on App Engine standard environment
If your application runs on App Engine standard environment, you can use the App Engine App Identity API to obtain credentials.
After you set up a service account, ADC can implicitly find your credentials without any need to change your code, as described in the section above. If you want to specifically use App Engine credentials, you can explicitly do so, as shown in the following code example.
Sample code for this approach is provided in PHP, Java, and Python.
Restricting access
Only grant your application the authorization permissions that it needs to interact with applicable GCP APIs, features, or resources. GCP uses Cloud Identity and Access Management (Cloud IAM) for access control. When you create a service account, you can choose a Cloud IAM role for limiting access. The walkthrough at getting started with authentication instructs you to choose the Owner role when you create a service account. You can change this value at any time. For more information, see granting roles to service accounts.
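A quick way to catch service accounts that were left with the Owner role from the walkthrough is to audit the project's IAM policy. This is an added example, not code from the page or from Google: it reads a policy document in the shape that `gcloud projects get-iam-policy --format=json` returns and lists every service account bound to one of the broad basic roles (Owner, Editor, Viewer). The policy shown is constructed; PROJECT_ID and PROJECT_NUMBER are placeholders.

```python
import json

# Basic (formerly "primitive") roles grant broad, project-wide access and are
# what the "restrict access" guidance above is asking you to replace.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def find_overbroad_service_account_bindings(policy):
    """Return sorted (member, role) pairs where a service account holds a basic role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            # Members look like "user:...", "group:..." or "serviceAccount:...";
            # only application identities are of interest here.
            if member.startswith("serviceAccount:"):
                findings.append((member, role))
    return sorted(findings)


# Constructed policy in the shape returned by `gcloud projects get-iam-policy --format=json`.
CONSTRUCTED_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.com",
                 "serviceAccount:app@PROJECT_ID.iam.gserviceaccount.com"]},
    {"role": "roles/pubsub.publisher",
     "members": ["serviceAccount:app@PROJECT_ID.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")


if __name__ == "__main__":
    for member, role in find_overbroad_service_account_bindings(CONSTRUCTED_POLICY):
        print(f"{member} holds {role}; replace with a predefined or custom role")
```

The narrowly scoped roles/pubsub.publisher binding is not reported: the aim is to move each service account from a basic role to the smallest role that covers the APIs it actually calls, not to remove its access altogether.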
Best practices for managing credentials
Credentials provide access to sensitive data. The following practices help protect access to these resources.
- Do not embed secrets related to authentication in source code, such as API keys, OAuth tokens, and service account credentials. You can use an environment variable pointing to credentials outside of the application's source code, such as Cloud Key Management Service.
- Do use different credentials in different contexts, such as in testing and production environments.
- Do transfer credentials only over HTTPS to prevent a third party from intercepting your credentials. Never transfer in clear text or as part of the URL.
- Never embed long-lived credentials into your client-side app. For example, do not embed service account credentials into a mobile app. Client-side apps can be examined and credentials can easily be found and used by a third party.
- Do revoke a token if you no longer need it.
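The first rule in the list is easiest to enforce mechanically, for example in a pre-commit hook or CI step that refuses to accept embedded credentials. This is an added example, not code from the page or from Google: it scans a set of files for Google API keys (which have the well-known public shape "AIza" followed by 35 characters), PEM private-key headers, and complete service account JSON key files, and treats the environment-variable pattern the page recommends as clean. The file contents are constructed; the API key and private key in them are placeholders, not real secrets.

```python
import json
import re

# Google API keys have a well-known public shape: "AIza" followed by 35 characters.
API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")
# PEM header as it appears in a service account JSON key (one line, escaped newlines).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
SERVICE_ACCOUNT_FIELDS = {"type", "client_email", "private_key"}


def scan_source(path, text):
    """Return a list of (path, line, kind) findings for credentials embedded in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if API_KEY_RE.search(line):
            findings.append((path, lineno, "api_key"))
        if PRIVATE_KEY_RE.search(line):
            findings.append((path, lineno, "private_key"))
    # A whole service account key file checked in as JSON is the worst case.
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if (isinstance(doc, dict) and doc.get("type") == "service_account"
            and SERVICE_ACCOUNT_FIELDS <= doc.keys()):
        findings.append((path, 1, "service_account_key"))
    return findings


def scan_tree(files):
    """files: mapping of path -> contents, as a hook would read them from the index."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_source(path, text))
    return findings


# Constructed repository contents: one clean file, one embedded API key, one key file.
CONSTRUCTED_FILES = {
    "app/config.py": 'import os\nKEY_PATH = os.environ["GOOGLE_APPLICATION_CREDENTIALS"]\n',
    "app/settings.py": 'MAPS_KEY = "AIza0123456789abcdefghijklmnopqrstuvwxy"\n',  # placeholder
    "keys/sa.json": json.dumps({
        "type": "service_account",
        "project_id": "PROJECT_ID",  # placeholder
        "client_email": "app@PROJECT_ID.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    }),
}


if __name__ == "__main__":
    results = scan_tree(CONSTRUCTED_FILES)
    for path, lineno, kind in results:
        print(f"{path}:{lineno}: {kind}")
    raise SystemExit(1 if results else 0)  # non-zero exit blocks the commit
```

Run as a hook, the non-zero exit blocks the commit; the config file that reads GOOGLE_APPLICATION_CREDENTIALS from the environment produces no finding, which is the pattern the list above recommends.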
Troubleshooting API errors
Learn more about how to troubleshoot failed API requests at Cloud APIs errors.
What's next
- Learn about getting started with authentication.
- Learn about setting up authentication as an end user.
- Learn about using API keys.