Authenticate and setup API access within a workstation

This document describes how to authenticate and set up API access within a workstation. For general information about Google Cloud authentication, see the authentication overview.

Authenticate as a user with Google Cloud CLI

After you launch Cloud Workstations, you can access Google Cloud services and the API using your user accounts through the gcloud CLI.

1. Open a terminal in your workstation. The way you open a terminal window depends on the IDE that you're using. For example, if you're using the Cloud Workstations base editor, open a terminal by selecting Terminal > New Terminal, or by pressing Control+Shift+`.
2. Authenticate with the following command:

   gcloud auth login --no-launch-browser

3. Follow the instructions provided by the command to authenticate to Google Cloud.
4. Specify your Google Cloud project ID with the following command:

   gcloud config set project PROJECT_ID

5. Enable Application Default Credentials to allow you to call Google Cloud services.

   gcloud auth application-default login

6. Your gcloud CLI credentials are now saved and available when you use your workstation in future sessions.

Issue an HTTP request to a workstation

To issue an HTTP request to a workstation, you need an access token for an account that has the Cloud Workstations User role on that workstation:

1. Generate an access token using the generateAccessToken API method.
2. Add an HTTP header named Authorization with the value Bearer $TOKEN.

Connect to the workstation in your browser

Opening your workstation URL in your browser automatically authenticates through a redirect to the workstations server, and retrieves an access token generated by the generateAccessToken API method. This redirects back to your workstation and sets an authentication cookie that is valid for your current workstation session.

To skip this redirect, use the _workstationAccessToken URL parameter:

1. Generate an access token using the generateAccessToken API method.
2. Open your workstation URL in the browser and append a URL parameter with the following form: _workstationAccessToken=TOKEN.

This sets an authentication cookie in your browser that allows access for your current workstation session. Skipping the redirect can be helpful when access to the workstation server is blocked by network policies, or when using iframes to display the workstation in other sites.

Impersonate a service account

If your organization's security policies prevent user accounts from having the required permissions, you can also impersonate a service account using the gcloud CLI impersonate_service_account property.

1. To ensure that the principal has the necessary permission to impersonate a service account, ask your administrator to grant the principal the Service Account Token Creator (roles/iam.serviceAccountTokenCreator) IAM role on the service account. For more information about granting roles, see Manage access.

   This predefined role contains the iam.serviceAccounts.getAccessToken permission, which is required to impersonate a service account.

   Your administrator might also be able to give the principal this permission with custom roles or other predefined roles.

2. Open a terminal in your workstation or navigate to one that is already open.
3. To set the impersonate_service_account property, enter the following gcloud CLI command:

   gcloud config set auth/impersonate_service_account=SERVICE_ACCT_EMAIL

4. Your gcloud CLI credentials are now saved and available when you use your workstation in future sessions.

For more information, see Use service account impersonation.

What's next

• Learn more about SSH support.
• See a list of workstation configuration parameters.
• Access control with Identity and Access Management and Cloud Workstations