无需在谷歌应用引擎上下载密钥即可验证服务帐户 [英] Authenticate service account without downloaded key on google app engine

问题描述

我正在开发一个应该安装在 Google App Engine 中的产品.

I am working on a product that is supposed to be installed in Google App Engine.

在这里，我使用服务帐户来验证 Gmail API、Drive API、Calendar API 等.

In this I am using Service account for authenticating Gmail API, Drive API, Calendar API etc.

使用下载的 P12 文件作为身份验证可以正常工作.但作为它的产品，我不希望客户端在每次安装时下载和上传应用程序.

Its working fine with downloaded P12 file as authentication. But as its product I don't want client to download and upload on app on every install.

有没有办法在没有私钥文件的情况下对其进行身份验证，或者在没有服务帐户的情况下使用该 API.

Can there be a way to authenticate it without privatekey file or using that API without service account.

在下面的页面中提到有系统管理的密钥对由 Google 自动管理.有帮助吗?我没有找到任何例子.

In below page its mentioned that there is System-managed key-pairs are managed automatically by Google. Can it be helpful? I did't find any example of it.

https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys

在下面的链接中，它建议对于 Google Cloud Platform 我应该使用 Google Managed Keyhttps://cloud.google.com/iam/docs/understanding-service-帐户

In below link it suggest that for Google Cloud Platform I should use Google Managed Key https://cloud.google.com/iam/docs/understanding-service-accounts

这个密钥可以不用下载文件吗?

Can this key used without downloaded file ?

谢谢

推荐答案

我可以通过 IAM API 实现https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys

I could achieve it by IAM API https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys

下面是它的Java代码

Below is Java code for it

AppIdentityCredential credential = new AppIdentityCredential(
                Arrays.asList("https://www.googleapis.com/auth/cloud-platform"));
Iam iam = new Iam(httpTRANSPORT, jsonFACTORY, credential);
try {
    Iam.Projects.ServiceAccounts.Keys.Create keyCreate = iam.projects().serviceAccounts().keys()
                    .create("projects/myProject/serviceAccounts/myProject@appspot.gserviceaccount.com", new CreateServiceAccountKeyRequest());

    ServiceAccountKey key = keyCreate.execute();

} catch (IOException e) {
    System.out.println(e.getMessage());
}

任何密钥都可用于生成 GoogleCredential 如下

Any key can be used to generate GoogleCredential as below

InputStream stream = new ByteArrayInputStream(key.decodePrivateKeyData());
GoogleCredential credential = GoogleCredential.fromStream(stream);

这篇关于无需在谷歌应用引擎上下载密钥即可验证服务帐户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！