This document describes how to authenticate and set up API access within a workstation. For general information about Google Cloud authentication, see the authentication overview.
Authenticate as a user with Google Cloud CLI
After you launch Cloud Workstations, you can access Google Cloud services and the API using your user accounts through the gcloud CLI.
- Open a terminal in your workstation. The way you open a terminal window depends on the IDE that you're using. For example, if you're using the Cloud Workstations base editor, open a terminal by selecting Terminal > New Terminal, or by pressing Control+Shift+`.
- Authenticate with the following command:
gcloud auth login --no-launch-browser
- Follow the instructions provided by the command to authenticate to Google Cloud.
- Specify your Google Cloud project ID with the following command:
gcloud config set project PROJECT_ID
- Enable Application Default Credentials to allow you to call Google Cloud services.
gcloud auth application-default login
- Your gcloud CLI credentials are now saved and available when you use your workstation in future sessions.
Issue an HTTP request to a workstation
To issue an HTTP request to a workstation, you need an access token for an account that has the Cloud Workstations User role on that workstation:
- Generate an access token using the generateAccessToken API method.
- Add an HTTP header named Authorization with the value Bearer $TOKEN.
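The two steps above as a shell sketch, added here as an example and not taken from the Cloud Workstations documentation. The REST endpoint path, the accessToken response field, and the WORKSTATION_NAME and WORKSTATION_URL variables are assumptions not stated on this page; the token is passed to curl on stdin so it stays out of the process argument list.

```shell
# Added example. Resource IDs, WORKSTATION_NAME and WORKSTATION_URL are placeholders;
# the endpoint path and the accessToken response field are assumptions (see lead-in).
API="https://workstations.googleapis.com/v1"

# Full resource name: project, location, cluster, config, workstation.
workstation_name() {
  printf 'projects/%s/locations/%s/workstationClusters/%s/workstationConfigs/%s/workstations/%s' "$@"
}

# Read a generateAccessToken JSON response on stdin and print only the token,
# so the response body is never echoed to the terminal or a log.
extract_token() {
  sed -n 's/.*"accessToken"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# curl config line carrying the header; fed to curl on stdin (-K -) so the
# token does not appear in the process argument list.
bearer_config() {
  printf 'header = "Authorization: Bearer %s"\n' "$1"
}

# Step 1: call generateAccessToken as the signed-in gcloud user.
generate_workstation_token() {
  bearer_config "$(gcloud auth print-access-token)" |
    curl -sS --fail -K - -X POST -H "Content-Type: application/json" \
      -d '{}' "$API/$1:generateAccessToken" | extract_token
}

# Step 2: send the request to the workstation with the Authorization header.
workstation_request() {
  bearer_config "$1" | curl -sS --fail -K - "$2"
}

# Runs only when both placeholders are supplied in the environment.
if [ -n "${WORKSTATION_NAME:-}" ] && [ -n "${WORKSTATION_URL:-}" ]; then
  TOKEN=$(generate_workstation_token "$WORKSTATION_NAME")
  [ -n "$TOKEN" ] || { echo "no access token in response" >&2; exit 1; }
  workstation_request "$TOKEN" "$WORKSTATION_URL"
fi
```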
Connect to the workstation in your browser
Opening your workstation URL in your browser automatically authenticates through a redirect to the workstations server, and retrieves an access token generated by the generateAccessToken API method. This redirects back to your workstation and sets an authentication cookie that is valid for your current workstation session.
To skip this redirect, use the _workstationAccessToken URL parameter:
- Generate an access token using the generateAccessToken API method.
- Open your workstation URL in the browser and append a URL parameter with the following form: _workstationAccessToken=TOKEN.
This sets an authentication cookie in your browser that allows access for your current workstation session. Skipping the redirect can be helpful when access to the workstation server is blocked by network policies, or when using iframes to display the workstation in other sites.
Impersonate a service account
If your organization's security policies prevent user accounts from having the required permissions, you can also impersonate a service account. To impersonate the service account specified on your workstation configuration, you can specify the service account scopes field. When specified, users of workstations under this configuration must have iam.serviceAccounts.actAs permission on the service account. For more information on specifying scopes for the service account, see Access scopes.
You can also impersonate a different service account using the gcloud CLI impersonate_service_account property.
- To ensure that the principal has the necessary permission to impersonate a service account, ask your administrator to grant the principal the Service Account Token Creator (roles/iam.serviceAccountTokenCreator) IAM role on the service account. For more information about granting roles, see Manage access to projects, folders, and organizations. This predefined role contains the iam.serviceAccounts.getAccessToken permission, which is required to impersonate a service account. Your administrator might also be able to give the principal this permission with custom roles or other predefined roles.
- Open a terminal in your workstation or navigate to one that is already open.
- To set the impersonate_service_account property, enter the following gcloud CLI command:
gcloud config set auth/impersonate_service_account SERVICE_ACCT_EMAIL
- Your gcloud CLI credentials are now saved and available when you use your workstation in future sessions.
For more information, see Use service account impersonation.
What's next
- Learn more about SSH support.
- See a list of workstation configuration parameters.
- Access control with Identity and Access Management and Cloud Workstations