Authenticating applications

This page explains how to use user-managed service accounts and their private keys to authenticate an application to the Cloud IoT Core API.

You can use applications to administer registries and devices. See Registry Management Samples and Device Management Samples for examples of how to do so.

Authenticating using service accounts

A user-managed service account is a type of Google account that represents an application. User-managed service accounts are primarily used for server-to-API authentication.

Cloud IoT Core uses two types of authentication. When authenticating devices to Cloud IoT Core, you use private/public key pairs and JSON Web Tokens. When authenticating an application to the Cloud IoT Core API, however, you must use GCP authentication in the form of user-managed service accounts.

User-managed service accounts have their own private keys, which come in various formats. By providing a user-managed service account's private key to an application, you can create credentials and authenticate the application.

The recommended way to authenticate applications is to use user-managed service accounts and private JSON keys, as they are the most widely supported and flexible methods. You can create a user-managed service account and download a private JSON key by completing the steps in Getting Started with Authentication.

The following samples show how to use a user-managed service account's private JSON key to authenticate an application to the Cloud IoT Core API:

C#

Note that the C# sample doesn't explicitly specify a JSON key file; rather, it uses the location specified in the GOOGLE_APPLICATION_CREDENTIALS environment variable. The client library can then determine the credentials implicitly. 
public static CloudIotService CreateAuthorizedClient()
{
    GoogleCredential credential =
        GoogleCredential.GetApplicationDefaultAsync().Result;
    // Inject the Cloud IoT Core Service scope
    if (credential.IsCreateScopedRequired)
    {
        credential = credential.CreateScoped(new[]
        {
            CloudIotService.Scope.CloudPlatform // Used for IoT + PubSub + IAM
            //CloudIotService.Scope.Cloudiot // Can be used if not accessing Pub/Sub
        });
    }
    return new CloudIotService(new BaseClientService.Initializer
    {
        HttpClientInitializer = credential,
        GZipEnabled = false
    });
}

Go

Note that the Go sample doesn't explicitly specify a JSON key file; rather, it uses the location specified in the GOOGLE_APPLICATION_CREDENTIALS environment variable. The client library can then determine the credentials implicitly. The sample is also used in the context of creating a registry, but the actual authentication is highlighted below. 

// createRegistry creates a IoT Core device registry associated with a PubSub topic
func createRegistry(w io.Writer, projectID string, region string, registryID string, topicName string) (*cloudiot.DeviceRegistry, error) {
	client, err := getClient()
	if err != nil {
		return nil, err
	}

	registry := cloudiot.DeviceRegistry{
		Id: registryID,
		EventNotificationConfigs: []*cloudiot.EventNotificationConfig{
			{
				PubsubTopicName: topicName,
			},
		},
	}

	parent := fmt.Sprintf("projects/%s/locations/%s", projectID, region)
	response, err := client.Projects.Locations.Registries.Create(parent, &registry).Do()
	if err != nil {
		return nil, err
	}

	fmt.Fprintln(w, "Created registry:")
	fmt.Fprintf(w, "\tID: %s\n", response.Id)
	fmt.Fprintf(w, "\tHTTP: %s\n", response.HttpConfig.HttpEnabledState)
	fmt.Fprintf(w, "\tMQTT: %s\n", response.MqttConfig.MqttEnabledState)
	fmt.Fprintf(w, "\tName: %s\n", response.Name)

	return response, nil
}

Java

Note that the Java sample doesn't explicitly specify a JSON key file; rather, it uses the location specified in the GOOGLE_APPLICATION_CREDENTIALS environment variable. The client library can then determine the credentials implicitly. The sample is also used in the context of creating a registry, but the actual authentication is highlighted below. 
/** Create a registry for Cloud IoT. */
protected static void createRegistry(
    String cloudRegion, String projectId, String registryName, String pubsubTopicPath)
    throws GeneralSecurityException, IOException {
  GoogleCredentials credential =
      GoogleCredentials.getApplicationDefault().createScoped(CloudIotScopes.all());
  JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
  HttpRequestInitializer init = new HttpCredentialsAdapter(credential);
  final CloudIot service =
      new CloudIot.Builder(GoogleNetHttpTransport.newTrustedTransport(), jsonFactory, init)
          .setApplicationName(APP_NAME)
          .build();

  final String projectPath = "projects/" + projectId + "/locations/" + cloudRegion;
  final String fullPubsubPath = "projects/" + projectId + "/topics/" + pubsubTopicPath;

  DeviceRegistry registry = new DeviceRegistry();
  EventNotificationConfig notificationConfig = new EventNotificationConfig();
  notificationConfig.setPubsubTopicName(fullPubsubPath);
  List<EventNotificationConfig> notificationConfigs = new ArrayList<EventNotificationConfig>();
  notificationConfigs.add(notificationConfig);
  registry.setEventNotificationConfigs(notificationConfigs);
  registry.setId(registryName);

  DeviceRegistry reg =
      service.projects().locations().registries().create(projectPath, registry).execute();
  System.out.println("Created registry: " + reg.getName());
}

Node.js

const getClient = async (serviceAccountJson) => {
  // the getClient method looks for the GOOGLE_CLOUD_PROJECT and GOOGLE_APPLICATION_CREDENTIALS
  // environment variables if serviceAccountJson is not passed in
  const authClient = await google.auth.getClient({
    keyFilename: serviceAccountJson,
    scopes: ['https://www.googleapis.com/auth/cloud-platform'],
  });

  const discoveryUrl = `${DISCOVERY_API}?version=${API_VERSION}`;

  google.options({
    auth: authClient,
  });

  try {
    return google.discoverAPI(discoveryUrl);
  } catch (err) {
    console.error('Error during API discovery.', err);
  }
};

PHP

Note that the PHP sample doesn't explicitly specify a JSON key file; rather, it uses the location specified in the GOOGLE_APPLICATION_CREDENTIALS environment variable. The client library can then determine the credentials implicitly. The sample is also used in the context of creating a registry, but the actual authentication is highlighted below. 
use Google\Cloud\Iot\V1\DeviceManagerClient;

/**
 * List all registries in the project.
 *
 * @param string $projectId Google Cloud project ID
 * @param string $location (Optional) Google Cloud region
 */
function list_registries(
    $projectId,
    $location = 'us-central1'
) {
    print('Listing Registries' . PHP_EOL);

    // The Google Cloud Client Library automatically checks the environment
    // variable GOOGLE_APPLICATION_CREDENTIALS for the Service Account
    // credentials, and defaults scopes to [
    //    'https://www.googleapis.com/auth/cloud-platform',
    //    'https://www.googleapis.com/auth/cloudiot'
    // ].
    $deviceManager = new DeviceManagerClient();
    $locationName = $deviceManager->locationName($projectId, $location);

    $response = $deviceManager->listDeviceRegistries($locationName);

    foreach ($response->iterateAllElements() as $registry) {
        printf(' - Id: %s, Name: %s' . PHP_EOL,
            $registry->getId(),
            $registry->getName());
    }
}

Python

Note that the Python sample doesn't explicitly specify a JSON key file; rather, it uses the location specified in the GOOGLE_APPLICATION_CREDNTIALS environment variable. The client library can then determine the credentials implicitly. 
# project_id = 'YOUR_PROJECT_ID'
# cloud_region = 'us-central1'
# pubsub_topic = 'your-pubsub-topic'
# registry_id = 'your-registry-id'
client = iot_v1.DeviceManagerClient()
parent = f"projects/{project_id}/locations/{cloud_region}"

if not pubsub_topic.startswith("projects/"):
    pubsub_topic = "projects/{}/topics/{}".format(project_id, pubsub_topic)

body = {
    "event_notification_configs": [{"pubsub_topic_name": pubsub_topic}],
    "id": registry_id,
}

try:
    response = client.create_device_registry(
        request={"parent": parent, "device_registry": body}
    )
    print("Created registry")
    return response
except HttpError:
    print("Error, registry not created")
    raise
except AlreadyExists:
    print("Error, registry already exists")
    raise

Ruby

Note that the Ruby sample doesn't explicitly specify a JSON key file; rather, it uses the location specified in the GOOGLE_APPLICATION_CREDENTIALS environment variable. The client library can then determine the credentials implicitly. The sample is also used in the context of creating a registry, but the actual authentication is highlighted below. 
# project_id   = "Your Google Cloud project ID"
# location_id  = "The Cloud region that you created the registry in"
# registry_id  = "The Google Cloud IoT Core device registry identifier"
# pubsub_topic = "The Google Cloud PubSub topic to use for this registry"

require "google/apis/cloudiot_v1"

# Initialize the client and authenticate with the specified scope
Cloudiot   = Google::Apis::CloudiotV1
iot_client = Cloudiot::CloudIotService.new
iot_client.authorization = Google::Auth.get_application_default(
  "https://www.googleapis.com/auth/cloud-platform"
)

# The project / location where the registry is created.
parent = "projects/#{project_id}/locations/#{location_id}"

registry = Cloudiot::DeviceRegistry.new
registry.id = registry_id
registry.event_notification_configs = [Cloudiot::EventNotificationConfig.new]
registry.event_notification_configs[0].pubsub_topic_name = pubsub_topic

registry = iot_client.create_project_location_registry(
  parent, registry
)

puts "Created registry: #{registry.name}"