Google Cloud Authentication

Screenshot showing three main types of credentials. Source: Devopedia 2021.
Screenshot showing three main types of credentials. Source: Devopedia 2021.

Google Cloud supports three main types of credentials by which apps can gain access to APIs and services. These are API keys, OAuth 2.0 client IDs and service accounts. This article gives an overview of these methods. It offers some guidelines on how to choose the right authentication method for an application.

Improper use of these methods or careless management of credentials can lead to a security breach. It can result in identity theft and data theft/loss. This article shares some best practices for better security.

Discussion

  • What are the different authentication methods available in Google Cloud?

    Anyone with a Google account can login to Google by supplying a valid username and password. Two-Factor Authentication (2FA) enhances security by adding one more step to the authentication process. In Google, 2FA is called 2-Step Verification. For a better user experience, Google also provides Sign In with Google, One Tap and Automatic sign-in.

    Often developers want their apps to have access to Google accounts or services, for the apps themselves or on behalf of end users. Google offers two ways to achieve this:

    • User Account: Represents a developer or administrator. Used when an application needs to access Google Cloud resources on behalf of the user. Managed by Google Accounts. Credentials used include API keys and OAuth 2.0 client credentials.
    • Service Account: Represents non-human users. Used when an application needs to access Google Cloud resources on its own without any user intervention. Managed by Google's Identity and Access Management (IAM). Credentials include service account keys. Unlike a user account, a service account doesn't have a user-facing login interface.

    Google Cloud APIs use OAuth 2.0 protocol to authenticate both user accounts and service accounts.

  • How do I select a suitable Google Cloud authentication method?
    Mapping application requirement to a suitable authentication method. Source: Adapted from Google Cloud Docs 2021a.
    Mapping application requirement to a suitable authentication method. Source: Adapted from Google Cloud Docs 2021a.

    Many Google Cloud APIs allow anonymous access to public data. API keys can be used. These identify the application, not the actual user.

    If your app requires access to a user's private data, then OAuth 2.0 client ID can be used. In OAuth 2.0 terminology, your application is called the client. The client ID identifies the application. The user is prompted to allow Google share some of his/her data with your application. Your application can now use Google Cloud APIs on behalf of the user.

    Where user authorization is not possible, use a service account. For apps running inside Google Cloud, it's automatically created. Otherwise, you manually create a service account. You download the credentials as a JSON file that your app can use. Your app assumes the identity of the service account so that users are not involved. Such server-to-server interactions are sometimes called Two-Legged OAuth (2LO).

  • Could you share some use cases for each Google Cloud authentication method?
    A selection of Google Cloud APIs, mostly accessible via API keys. Source: Adapted from Dr Droid 2017.
    A selection of Google Cloud APIs, mostly accessible via API keys. Source: Adapted from Dr Droid 2017.

    Google Cloud has dozens of APIs that can be accessed via API keys or OAuth 2.0 client IDs. Some of these APIs are Google Drive, Google Calendar, GMail, YouTube Data, App Engine Admin, Cloud Datastore, Cloud Speech-to-Text, Cloud Vision, Firebase Management, and many more.

    For example, YouTube Data API can be used read metadata of any video. It's implemented via the videos endpoint. Since this is public data, an API key is sufficient. The same API also allows an app to manage videos and playlists that you own. This requires OAuth 2.0 client ID.

    Managing your appointments on Google Calendar or your drafts on GMail are further examples where OAuth 2.0 client ID can be used. Web/mobile apps can use OAuth 2.0 client ID for visitors to quickly create accounts on their platforms.

    Consider an external application that wants to store nightly data backups to Google Drive. A service account suits this use case.

  • Could you share some tips related to Google Cloud authentication?

    API keys, OAuth 2.0 client IDs and service accounts are typically created via a web interface called Google Cloud Console. In all cases, the credentials fall within the scope of a project that has an associated billing account. Advanced users can look at the API Keys API to create or manage API keys via gcloud CLI. gcloud can also be used to manage service accounts.

    Developers can try out APIs using the Google API Explorer. This helps in understanding the APIs before doing it programmatically from application code. While it's possible to implement OAuth 2.0 flows, it's easier to use Google Cloud Client Libraries.

    When using OAuth 2.0 client IDs, code your apps to ask for minimum required permissions. This is done by setting scopes. Google maintains a list of available OAuth 2.0 Scopes per API.

    For local development, use gcloud auth login and gcloud auth application-default login commands. Use short-lived tokens.

  • What are some best practices when using API keys?
    API keys are for projects, authentication is for users. Source: Google Cloud Docs 2021f.
    API keys are for projects, authentication is for users. Source: Google Cloud Docs 2021f.

    Don't embed API keys directly in code. Store them in environment variables or in files outside your application's version controlled source code. Do a code review to ensure API keys aren't there by mistake.

    When not used, delete API keys to minimize security attacks. Regenerate API keys periodically.

    For better security, place restrictions on the use of API keys:

    • Source: Restrictions on who can use the key. Restrict by HTTP referrers, IP addresses, Android apps or iOS apps. HTTP referrers can be whitelisted by subdomains, paths, protocols (HTTP or HTTPS) and even wildcards.
    • Target: Restrictions on what services are allowed. For example, restrict the key to only Google Drive API.

    API keys are vulnerable to man-in-the-middle attacks since they're part of the request. Don't use them when API calls contain user data.

    Don't use API keys to identify users. An API key only identifies the project. Don't use API keys for secure authorization. API keys are useful to block anonymous traffic, control volume of API requests, identify usage patterns, or filter logs by the API key.

  • What are some best practices when using service accounts?
    Choosing a service account. Source: Google Cloud Docs 2021g.
    Choosing a service account. Source: Google Cloud Docs 2021g.

    Service accounts are both a resource and an identity. As an identity, avoid granting Owner/Editor/Viewer roles to a service account. Grant instead a predefined or custom role. In general, grant only minimum necessary permissions.

    Use unique, descriptive names so that it's easier to manage multiple accounts. Delete accounts if they're unused since they present a security risk. Disable accounts before deleting them.

    Service account keys are either Google Cloud-managed or user-managed. For the latter, follow processes for key storage, distribution, revocation, rotation and recovery.

    Don't use service accounts to access data without user consent. Don't use service accounts during development. Instead authenticate using tools such as gcloud, gsutil, terraform, etc. In other words, use your personal credentials in a development environment.

    You can attach applications to an existing service account. On a GKE cluster, use multiple Google Cloud and Kubernetes service accounts and map them via Workload Identity.

Milestones

Apr
2008

Google previews App Engine, a platform for developing and hosting web applications in Google-managed data centres. App Engine is therefore the first cloud service offered by Google. It marks the birth of Google Cloud.

Oct
2012

IETF releases OAuth 2.0 as RFC 6749. Although OAuth 2.0 is designed for authorization and not for user authentication, Google Cloud later uses OAuth 2.0 for both authorization and authentication.

Mar
2011
Google API Explorer interface for the projects.tenants.companies.list endpoint of Cloud Talent Solution API. Source: Google Cloud Docs 2021i.
Google API Explorer interface for the projects.tenants.companies.list endpoint of Cloud Talent Solution API. Source: Google Cloud Docs 2021i.

Google launches Google API Explorer that allows developers to experiment with Google's APIs before implementing them in their apps. By August 2021, the Explorer supports 230 APIs. API keys and OAuth 2.0 client IDs can be used with the Explorer.

Aug
2021
Seamless sign-in and sign-up flows using Google Identity Services. Source: Google Developers 2021b.
Seamless sign-in and sign-up flows using Google Identity Services. Source: Google Developers 2021b.

Google launches Google Identity Services, a single SDK that brings together different ways of authenticating users. It provides developers frictionless flows to onboard users to their platforms. Sign in with Google and One Tap are two such flows. These use secure tokens rather than passwords. These internally use OAuth 2.0. Developers can use client libraries provided by Google to quickly implement these flows. An alternative is Firebase Authentication.

References

  1. Dr Droid. 2017. "List of Google APIs." Androhub, November 11. Accessed 2021-09-28.
  2. Falconer, Joel. 2011. "Google launches API Explorer." The Next Web, March 8. Accessed 2021-09-29.
  3. Garun, Natt, and Barbara Krasnoff. 2021. "How to set up two-factor authentication on your online accounts." The Verge, June 10. Accessed 2021-09-28.
  4. Google. 2021. "Google 2-Step Verification." Google. Accessed 2021-09-28.
  5. Google Cloud Docs. 2021a. "Authentication overview." Authentication, Documentation, Google Cloud, September 22. Accessed 2021-09-28.
  6. Google Cloud Docs. 2021b. "Getting started with authentication." Authentication, Documentation, Google Cloud, September 22. Accessed 2021-09-28.
  7. Google Cloud Docs. 2021c. "Best practices to securely authenticate applications in Google Cloud." Authentication, Documentation, Google Cloud, September 22. Accessed 2021-09-28.
  8. Google Cloud Docs. 2021d. "Authenticating as an end user." Authentication, Documentation, Google Cloud, September 24. Accessed 2021-09-28.
  9. Google Cloud Docs. 2021e. "Using API keys." Authentication, Documentation, Google Cloud, September 22. Accessed 2021-09-28.
  10. Google Cloud Docs. 2021f. "Why and when to use API keys." OpenAPI, Cloud Endpoints Documentation, Google Cloud, September 22. Accessed 2021-09-28.
  11. Google Cloud Docs. 2021g. "Best practices for using and managing service accounts." IAM Documentation, Google Cloud, September 24. Accessed 2021-09-28.
  12. Google Cloud Docs. 2021h. "Understanding service accounts." IAM Documentation, Google Cloud, September 24. Accessed 2021-09-28.
  13. Google Cloud Docs. 2021i. "Try Cloud Talent Solution using the API Explorer." Cloud Talent Solution Documentation, Google Cloud, September 22. Accessed 2021-09-29.
  14. Google Cloud Docs. 2021j. "Authenticating Users." App Engine Documentation, Google Cloud, September 27. Accessed 2021-09-29.
  15. Google Cloud Docs. 2021k. "Getting started with API Keys." App Keys API Documentation, Google Cloud, September 23. Accessed 2021-09-29.
  16. Google Developers. 2020. "Videos." YouTube Data API, v3, Documentation, Google Developers, July 28. Accessed 2021-09-29.
  17. Google Developers. 2021a. "Using OAuth 2.0 for Server to Server Applications." OAuth 2.0, Google Identity, Google Developers, August 19. Accessed 2021-09-28.
  18. Google Developers. 2021b. "Sign In With Google." Google Identity, Google Developers. Accessed 2021-09-28.
  19. Google Developers. 2021c. "Google APIs Explorer." Google Developers. Accessed 2021-09-29.
  20. Google Developers. 2021d. "OAuth 2.0 Scopes for Google APIs." Google Identity, Google Developers, February 23. Accessed 2021-09-29.
  21. Hardt, D. ed. 2012. "The OAuth 2.0 Authorization Framework." RFC 6749, IETF, October. Accessed 2021-09-29.
  22. OAuth.com. 2017. "Authorization vs Authentication." August 10. Updated 2018-07-12. Accessed 2021-09-29.
  23. Pearson, Ben Lloyd. 2020. "How to Integrate Users Into Your App With Google OAuth 2.0." Blog, Nylas, April 23. Accessed 2021-09-29.
  24. Stilliard, Andrew. 2018. "gdrive backups with service accounts." Blog, Stapps.io, January 22. Accessed 2021-09-29.
  25. Verley, Filip. 2021. "Launching our new Google Identity Services APIs." Blog, Google Developers, August 3. Accessed 2021-09-29.
  26. Wikipedia. 2021. "Google Cloud Platform." Wikipedia, September 13. Accessed 2021-09-29.

Further Reading

  1. Google Cloud Docs. 2021a. "Authentication overview." Authentication, Documentation, Google Cloud, September 22. Accessed 2021-09-28.
  2. Google Cloud Docs. 2021b. "Getting started with authentication." Authentication, Documentation, Google Cloud, September 22. Accessed 2021-09-28.
  3. Google Cloud Docs. 2021k. "Setting Up Access Control." App Engine Documentation, Google Cloud, September 27. Accessed 2021-09-29.

Article Stats

Author-wise Stats for Article Edits

Author
No. of Edits
No. of Chats
DevCoins
2
0
935
1383
Words
0
Likes
9
Hits

Cite As

Devopedia. 2021. "Google Cloud Authentication." Version 2, September 29. Accessed 2021-09-29. https://devopedia.org/google-cloud-authentication
Contributed by
1 author


Last updated on
2021-09-29 11:15:39
  • OAuth
  • API Key Management
  • JSON Web Token
  • Google Cloud Platform
  • Google Cloud Service Account
  • Authentication as a Service