Using Standard HTTP headers for Google Cloud Client Libraries

2021-12-17

GCP Cloud APIs supports a variety of system-headers described here

This section will briefly cover the following headers, when you would use them and how to add them to your API calls.


Authorization

This is the standard header used to authenticate in both REST and gRPC. For REST, it can be set either as a query parameter (&access_token) or as an HTTP header in the form Authorization: Bearer [access_token]. For gRPC, this header is sent in within a gRPC metadata key. Thee tokens are automatically included and attached in when using the GCP Cloud Libraries after local authentication credentials are acquired though Application Default Credentials

These authentication tokens come in several flavors but principally these tokens are Oauth2 tokens issued by Google through one of the flows described in Using OAuth 2.0 to Access Google APIs.

GCP also supports several other token types and mechanisms to exchange third party identities for GCP credentials but ultimately, these tokens are emitted to GCP using this header value.

  • access_token: These are oauth2 access tokens that generally grant access to the GCP resource associated with that user subject to the scopes defined within that token.

  • id_token: These are OpenID Connect tokens issued by Google that is used by callers against user-deployable resource. In this context, a user resource is an application you deploy on a service like Cloud Run, Cloud Functions, Cloud Endpoints. These tokens are also emitted by certain GCP services to authenticate itself to remote services. For more information, see Authenticating using Google OpenID Connect Tokens

  • jwt_access_token: These tokens are a Google-specific oauth to optimization casually described in an Addendum: Service account authorization without OAuth. Basically, this flow uses a service account key to generate a specific JWT which indicates the destination service and is signed by a service account entitled to access that service. The JWT is sent directly to the service and does not involve an intermediate exchange for an access_token. For more information, see Using JWT AccessTokens.

You can print out the details of these tokens using curl and the oauth2 tokeninfo endpoint shown below. id_tokens are just JWTs which you can decode anywhere (eg jwt.io)

$ curl -s https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=`gcloud auth print-access-token` | jq '.'
{
  "azp": "32555940559.apps.googleusercontent.com",
  "aud": "32555940559.apps.googleusercontent.com",
  "sub": "1081579130932748411228",
  "scope": "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/accounts.reauth",
  "exp": "1640026115",
  "expires_in": "3598",
  "email": "user@domain.com",
  "email_verified": "true"
}
$ curl -s https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=`gcloud auth application-default print-access-token` | jq '.'
{
  "azp": "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com",
  "aud": "764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com",
  "sub": "1081579130932748411228",
  "scope": "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth",
  "exp": "1640026184",
  "expires_in": "3598",
  "email": "user@domain.com",
  "email_verified": "true"
}
$ curl -s https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=`gcloud auth print-identity-token` | jq '.'
{
  "iss": "https://accounts.google.com",
  "azp": "32555940559.apps.googleusercontent.com",
  "aud": "32555940559.apps.googleusercontent.com",
  "sub": "10449703227021975232",
  "hd": "domain.com",
  "email": "user1@domain.com",
  "email_verified": "true",
  "at_hash": "tBcn_NJEadsztkeLPtna6A",
  "iat": "1640024536",
  "exp": "1640028136",
  "alg": "RS256",
  "kid": "d98f49bc6ca4581eae8dfadd494fce10ea23aab0",
  "typ": "JWT"
}

You might be wondering what the audiences 32555940559.apps.googleusercontent.com and 764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com are. These are the client_id associated with the gcloud and Application Default credentials, respectively. For more info on that, see gcloud alias for Application Default Credentials

You can use these headers directly in curl based commands

The following acquires an access_token and calls a GCP resource

export TOKEN=`gcloud auth print-access-token`

curl -s -H "Authorization: Bearer $TOKEN" https://storage.googleapis.com/storage/v1/b/$BUCKET/o/foo.txt

The following issues an id_token with a STATIC aud: value of 32555940559.apps.googleusercontent.com. Normally, cloud run requires the audience value to match the service name. However, a special allow list was granted for Cloud Run here that allows this through. The following will NOT work for resourced protected by IAP.

export ID_TOKEN=`gcloud auth print-identity-token`

curl -H "Authorization: Bearer $ID_TOKEN" https://cloud_run_url

The following uses service accounts own id_token and then specifies the audience the token should have. The value here matches what Cloud Run expects so the request is allowed through

export ID_TOKEN=`gcloud auth print-identity-token --impersonate-service-account=target-svc-account@developer.gserviceaccount.com  --audiences=https://cloud_run_url`

curl -H "Authorization: Bearer $ID_TOKEN" https://cloud_run_url

The default access_token is emitted by default through Application Default Credentials flow. Using id_token and jwt_access_tokens may require special constructors

For usage with jwt_access_tokens. Note this is currently a rare API auth flow and must be done by the caller.

Use google.auth.jwt.Credentials and specify the audience= value as shown

TODO: sample

Use google.JWTAccessTokenSourceFromJSON

    aud := "https://pubsub.googleapis.com/google.pubsub.v1.Publisher"
	tokenSource, err := google.JWTAccessTokenSourceFromJSON(keyBytes, aud)

	client, err := pubsub.NewClient(ctx, *projectID, option.WithTokenSource(tokenSource))

Use google.auth.JWTAccess

TODO: sample

Not sure how to use this in node

X-Goog-FieldMask

FieldMasks are used to request Partial Responses from a GCP API.

For more information on using it, see examples in Using FieldMask

X-Goog-Api-Key

Google API keys are used by some services metering and billing. Almost no GCP service uses API key alone and elects to use the oauth2 bearer tokens described above.

However, some services like the Natural Language APIs allows for both types of tokens. If an API key is used, its a static token that must be handled and secured. When the API key is used, the project that is associated with the key incurs quota and usage costs.

For example, using API key from ProjectA, the consumer project needs the service enabled (thats still projectA)

$ curl --request POST   "https://language.googleapis.com/v1/documents:analyzeEntities?key=$API_KEY" \
    --header 'Accept: application/json'   --header 'Content-Type: application/json'  \
    --data '{"document":{"content":"Hello World","type":"PLAIN_TEXT"}}'
{
  "error": {
    "code": 403,
    "message": "Cloud Natural Language API has not been used in project 248066739555 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/language.googleapis.com/overview?project=248066739555 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.Help",
        "links": [
          {
            "description": "Google developers console API activation",
            "url": "https://console.developers.google.com/apis/api/language.googleapis.com/overview?project=248066739555"
          }
        ]
      },
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "SERVICE_DISABLED",
        "domain": "googleapis.com",
        "metadata": {
          "service": "language.googleapis.com",
          "consumer": "projects/248066739555"
        }
      }
    ]
  }
}

After api enablement, calls succeed and the API usage is logged

$ curl --request POST   "https://language.googleapis.com/v1/documents:analyzeEntities?key=$API_KEY"   --header 'Accept: application/json'   --header 'Content-Type: application/json'   --data '{"document":{"content":"Hello World","type":"PLAIN_TEXT"}}'
{
  "entities": [
    {
      "name": "Hello World",
      "type": "WORK_OF_ART",
      "metadata": {
        "mid": "/m/03lm3",
        "wikipedia_url": "https://en.wikipedia.org/wiki/\"Hello,_World!\"_program"
      },
      "salience": 1,
      "mentions": [
        {
          "text": {
            "content": "Hello World",
            "beginOffset": -1
          },
          "type": "PROPER"
        }
      ]
    }
  ],
  "language": "en"
}

images/api_usage.png

For more information, see

Cloud Endpoints also uses it to rate limit quota (Configuring quotas)

TODO

TODO

const language = require('@google-cloud/language');
const {GoogleAuth, grpc} = require('google-gax');
const apiKey = 'AIza-API_KEY';

function getApiKeyCredentials() {
  const sslCreds = grpc.credentials.createSsl();
  const googleAuth = new GoogleAuth();
  const authClient = googleAuth.fromAPIKey(apiKey);
  const credentials = grpc.credentials.combineChannelCredentials(
    sslCreds,
    grpc.credentials.createFromGoogleCredential(authClient)
  );
  return credentials;
}

async function main() {
  const sslCreds = getApiKeyCredentials();
  const client = new language.LanguageServiceClient({sslCreds});
  const text = 'Hello, world!';
  const document = {
    content: text,
    type: 'PLAIN_TEXT',
  };

  const [result] = await client.analyzeSentiment({document: document});
  const sentiment = result.documentSentiment;
  console.log(`Text: ${text}`);
  console.log(`Sentiment score: ${sentiment.score}`);
  console.log(`Sentiment magnitude: ${sentiment.magnitude}`);
}
main().catch(console.error);

from StackOverflow

X-Goog-Quota-User

This parameter is normally used with the API key to identity and control rate limits per caller.

It is not used in Google Cloud APIs.

X-Goog-Api-Client

The x-goog-api-client is intended for use by Google-written clients for metrics.

Users can submit UserAgent metadata in api calls. option.WithUserAgent

X-Goog-Request-Reason

Also See Request Annotation with Cloud Audit Logging and Monitoring on GCP

X-Goog-User-Project

Used to allow the caller to redirect quota and billing. Requires the caller to have the serviceusage.services.use permission on the target project

See GCP Quota and Cost Distribution between Projects

Use client_options.quota_project_id()

quota_project_id (Optional[str]) – A project name that a client’s quota belongs to.

TODO


This site supports webmentions. Send me a mention via this form.



comments powered by Disqus