Can I use the service account of a GCP VM (xxx-compute@developer.gserviceaccount.com) instead of SA json file to make api calls using python?

Currently, I am using some xxxx service account credential json file to make REST API Calls

I do not want to use this JSON file anymore; instead I want to use the Compute Engine service account (xxx-compute@developer.gserviceaccount.com) to call APIs. Can someone tell me what change I have to make in Python so that it uses the VM’s service account?

Answer

I encourage you to use Application Default Credentials (ADC).

See this Python example.

ADC means your code is unchanged whether you run it locally or on Google Cloud.

When you test your code off Google Cloud, you can export GOOGLE_APPLICATION_CREDENTIALS=/path/to/your/key.json and ADC will use the exported credentials.

When you deploy your code to Google Cloud, ADC obtains the credentials (for the resource that’s running the code) from Google’s Metadata service.

For example, when you run ADC code on Compute Engine, ADC will obtain the instance’s (!) Service Account.

You should try to always use instance|role-specific Service Accounts but the default Compute Engine account is a Service Account too and will work.

Be aware that you’ll need to ensure that whatever Service Account(s) is/are used have the correct IAM permissions to access other services.

User contributions licensed under: CC BY-SA
3 People found this is helpful
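The metadata-server lookup that the answer says ADC performs on Compute Engine, written out with the standard library only. This is an added example, not code from the question or the answer; in application code `google.auth.default()` does this for you. The stub server, its `constructed-token` value and the helper names are assumptions made so the example runs off-cloud.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Metadata endpoint that serves tokens for the VM's attached service account.
METADATA_HOST = "metadata.google.internal"
TOKEN_PATH = "/computeMetadata/v1/instance/service-accounts/default/token"
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy


def fetch_vm_token(host=METADATA_HOST, timeout=3):
    """Return (access_token, expires_in) for the VM's service account."""
    req = urllib.request.Request(f"http://{host}{TOKEN_PATH}",
                                 headers={"Metadata-Flavor": "Google"})
    with _OPENER.open(req, timeout=timeout) as resp:
        # Only trust a reply that identifies itself as the metadata server.
        if resp.headers.get("Metadata-Flavor") != "Google":
            raise RuntimeError("response did not come from the metadata server")
        body = json.load(resp)
    return body["access_token"], body["expires_in"]


def auth_header(host=METADATA_HOST):
    # Header for a REST call; no key file is ever read from disk.
    token, _ = fetch_vm_token(host)
    return {"Authorization": f"Bearer {token}"}


class _StubMetadata(BaseHTTPRequestHandler):
    """Constructed offline stand-in; rejects requests lacking Metadata-Flavor."""
    def do_GET(self):
        ok = (self.path == TOKEN_PATH
              and self.headers.get("Metadata-Flavor") == "Google")
        payload = json.dumps({"access_token": "constructed-token",
                              "expires_in": 3599}).encode()
        self.send_response(200 if ok else 403)
        self.send_header("Metadata-Flavor", "Google")
        self.end_headers()
        self.wfile.write(payload if ok else b"")

    def log_message(self, *args):  # silence per-request logging
        pass


def start_stub():
    server = HTTPServer(("127.0.0.1", 0), _StubMetadata)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"127.0.0.1:{server.server_port}"
```

On a Compute Engine VM, call `auth_header()` with no argument; `start_stub()` exists only to exercise the code away from Google Cloud.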