Authenticate and setup API access within a workstation

This document describes how to authenticate and set up API access within a workstation. For general information about Google Cloud authentication, see the authentication overview.

Authenticate as a user with Google Cloud CLI

After you launch Cloud Workstations, you can access Google Cloud services and the API using your user accounts through the gcloud CLI.

  1. Open a terminal in your workstation. The way you open a terminal window depends on the IDE that you're using. For example, if you're using the Cloud Workstations base editor, open a terminal by selecting Terminal > New Terminal, or by pressing Control+Shift+`.
  2. Authenticate with the following command:
    gcloud auth login --no-launch-browser
  3. Follow the instructions provided by the command to authenticate to Google Cloud.
  4. Specify your Google Cloud project ID with the following command:
    gcloud config set project PROJECT_ID
  5. Enable Application Default Credentials to allow you to call Google Cloud services.
    gcloud auth application-default login
  6. Your gcloud CLI credentials are now saved and available when you use your workstation in future sessions.

Issue an HTTP request to a workstation

To issue an HTTP request to a workstation, you need an access token for an account that has the Cloud Workstations User role on that workstation:

  1. Generate an access token using the generateAccessToken API method.
  2. Add an HTTP header named Authorization with the value Bearer $TOKEN.

Connect to the workstation in your browser

Opening your workstation URL in your browser automatically authenticates through a redirect to the workstations server, and retrieves an access token generated by the generateAccessToken API method. This redirects back to your workstation and sets an authentication cookie that is valid for your current workstation session.

To skip this redirect, use the _workstationAccessToken URL parameter:

  1. Generate an access token using the generateAccessToken API method.
  2. Open your workstation URL in the browser and append a URL parameter with the following form: _workstationAccessToken=TOKEN.

This sets an authentication cookie in your browser that allows access for your current workstation session. Skipping the redirect can be helpful when access to the workstation server is blocked by network policies, or when using iframes to display the workstation in other sites.

Impersonate a service account

If your organization's security policies prevent user accounts from having the required permissions, you can also impersonate a service account. To impersonate the service account specified on your workstation configuration, you can specify the service account scopes field.

        gcloud workstations configs create CONFIG \
            --cluster=CLUSTER \
            --region=REGION \
            --project=PROJECT \
            --service-account=SERVICE_ACCOUNT \
            --service-account-scopes=https://www.googleapis.com/auth/cloud-platform
      
When specified, users of workstations under this configuration must have iam.serviceAccounts.actAs permission on the service account. For more information on specifying scopes for the service account, see Access scopes.

What's next