This page explains how to use user-managed service accounts and their private keys to authenticate an application to the Cloud IoT Core API.
You can use applications to administer registries and devices. See Registry Management Samples and Device Management Samples for examples of how to do so.
Authenticating using service accounts
A user-managed service account is a type of Google account that represents an application. User-managed service accounts are primarily used for server-to-API authentication.
Cloud IoT Core uses two types of authentication. When authenticating devices to Cloud IoT Core, you use private/public key pairs and JSON Web Tokens. When authenticating an application to the Cloud IoT Core API, however, you must use GCP authentication in the form of user-managed service accounts.
User-managed service accounts have their own private keys, which come in various formats. By providing a user-managed service account's private key to an application, you can create credentials and authenticate the application.
The recommended way to authenticate applications is to use user-managed service accounts and private JSON keys, as they are the most widely supported and flexible methods. You can create a user-managed service account and download a private JSON key by completing the steps in Getting Started with Authentication.
The following samples show how to use a user-managed service account's private JSON key to authenticate an application to the Cloud IoT Core API:
C#
Note that the C# sample doesn't explicitly specify a JSON key file; rather, it uses the location specified in the GOOGLE_APPLICATION_CREDENTIALS environment variable. The client library can then determine the credentials implicitly.
Go
Note that the Go sample doesn't explicitly specify a JSON key file; rather, it uses the location specified in the GOOGLE_APPLICATION_CREDENTIALS environment variable. The client library can then determine the credentials implicitly. The sample is also used in the context of creating a registry, but the actual authentication is highlighted below.
Java
Note that the Java sample doesn't explicitly specify a JSON key file; rather, it uses the location specified in the GOOGLE_APPLICATION_CREDENTIALS environment variable. The client library can then determine the credentials implicitly. The sample is also used in the context of creating a registry, but the actual authentication is highlighted below.
Node.js
PHP
Note that the PHP sample doesn't explicitly specify a JSON key file; rather, it uses the location specified in the GOOGLE_APPLICATION_CREDENTIALS environment variable. The client library can then determine the credentials implicitly. The sample is also used in the context of creating a registry, but the actual authentication is highlighted below.
Python
This sample uses the Google API Client Library for Python.
Ruby
Note that the Ruby sample doesn't explicitly specify a JSON key file; rather, it uses the location specified in the GOOGLE_APPLICATION_CREDENTIALS environment variable. The client library can then determine the credentials implicitly. The sample is also used in the context of creating a registry, but the actual authentication is highlighted below.
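Several of the notes above rely on the client library reading the key location from GOOGLE_APPLICATION_CREDENTIALS. The following Python check is an added example, not one of the Cloud IoT Core samples: using only the standard library, it validates the private JSON key an application is about to load, whether given as an explicit path or through the environment variable. The function name check_service_account_key and the owner-only file mode policy are assumptions of this example.

```python
import json
import os
import stat

# Fields present in a service account JSON key as downloaded from GCP.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def check_service_account_key(path=None, env=os.environ):
    """Return a list of problems with the key file; an empty list means it looks usable.

    path: explicit key file. If None, fall back to GOOGLE_APPLICATION_CREDENTIALS,
    which is where the client libraries look when no file is specified.
    """
    path = path or env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return ["no key path given and GOOGLE_APPLICATION_CREDENTIALS is unset"]
    try:
        st = os.stat(path)
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except OSError as exc:
        return [f"cannot read key file: {exc.strerror}"]
    except ValueError:  # covers JSON and text decoding errors
        return ["key file is not valid JSON"]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]

    problems = []
    # The private key is a long-lived secret: only the owner should be able to read it.
    # Policy assumed by this example; the mode bits are only meaningful on POSIX.
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"key file mode {stat.S_IMODE(st.st_mode):o} is accessible to group/others")
    # Other credential files (for example end-user credentials) use a different type.
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    missing = [name for name in REQUIRED_FIELDS if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM PKCS#8 block")
    return problems


if __name__ == "__main__":
    # Check whatever key the client library would pick up implicitly.
    for line in check_service_account_key() or ["key file looks usable"]:
        print(line)
```

Run it in the same environment as the application, before the client library is initialized, so that it inspects the key file the application will actually load.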