SlideShare una empresa de Scribd logo

CIS13: dentity in the Enterprise: Using OAuth in Google’s Cloud Platform and Identity and Security in Google Apps

CloudIDSummit
CloudIDSummit

Eran Feigenbaum, Director of Security, Google Apps Adam Eijdenberg, Product Manager, Google This session will provide two 30 minute modules on Google’s enterprise and cloud platform products. First, we will explain how to leverage Google’s Cloud Platform resources using OAuth 2.0; we’ll highlight key use cases and explain how to build solutions using practical code examples. Next, we will provide insight into Google’s approach to identity, security and compliance with Google Apps.

TecnologíaEmpresariales
1 de 53
Descargar para leer sin conexión
Developers
Google Cloud Platform: Applications have identity too! Adam Eijdenberg Product Manager eijdenberg@google.com goo.gl/D6ZKz
What are we covering today? ● Authentication ○ From first principles, using Google Client Libraries ○ From anywhere, Google App Engine, Google Compute Engine ● Authorization
Let's make an API call
All I want to do is make an API call! ● What is the minimum I need to do to make a successful API call against a Google API? GET /bigquery/v2/projects/1234/datasets HTTP/1.1 Host: www.googleapis.com Authorization: Bearer yaXXXXXXXXXX ● You need a token - This presentation will show you how to get one - painlessly!
What is a token? ● Called an "Access Token" - identifies 3 things to Google: 1. The application (called Client) making the request 2. The User (if applicable) authorizing the request 3. What class of actions the user has authorized the application to perform (called Scope)
How do I get one? ● This depends on whose data is being accessed ● Data owned by a Google user ■ e.g. show consent screen for your application to access data on behalf of a user, e.g. Google Drive, Google Calendar ● Data owned by my application or provided by Google ■ e.g. Google Cloud Storage, Google BigQuery API, Google Compute Engine ● This presentation will focus on accessing data belonging to your application - typical pattern for Cloud Platform APIs
Configuring the project
Accessing data owned by my application ● Let's get started with BigQuery https://developers.google.com/console/
Project ● Container for: ○ Resources ■ Google Cloud Storage buckets ■ Google Compute Engine virtual machines ■ BigQuery datasets ○ Registered applications and credentials ● Holds configuration for: ○ Authorization ○ Billing / quota management ○ Services enabled
Enable the service ● Remember the access token identifies the application making the request? ● The API you are calling must be enabled within the project where the application is registered (next step)
Create a service account ● A service account is a non-human user ● Allows your application to make API calls on behalf of itself ● Identity for your application - like a role account
Branding Information screen ● The first time a Client is created you will be prompted for the following - this is not used for application authentication.
Select "Service Account"
Download key
Take note of the email address
Let's get an access token
Create an assertion yyyyyyy@developer.gserviceaccount.com https://www.googleapis.com/auth/bigquery
Create an assertion import time now = long(time.time()) { "iss": "yyyyyyy@developer.gserviceaccount.com", "scope": "https://www.googleapis.com/auth/bigquery", "aud": "https://accounts.google.com/o/oauth2/token", "exp": now + (60 * 60), "iat": now }
Create an assertion import time, json, base64 now = long(time.time()) assertion_input = "%s.%s" % ( base64.urlsafe_b64encode( json.dumps({"alg": "RS256", "typ": "JWT"}).encode("UTF-8") ).rstrip("="), base64.urlsafe_b64encode(json.dumps({ "iss": "yyyyyyy@developer.gserviceaccount.com", "scope": "https://www.googleapis.com/auth/bigquery", "aud": "https://accounts.google.com/o/oauth2/token", "exp": now + (60 * 60), "iat": now }).encode("UTF-8")).rstrip("="))
Sign it - and swap it xxxxxxxx-privatekey.p12 notasecret
Sign it - and swap it import urllib from OpenSSL import crypto urllib.urlencode({ "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "assertion": "%s.%s" % (assertion_input, base64.urlsafe_b64encode(crypto.sign(crypto.load_pkcs12( file("xxxxxxxx-privatekey.p12", "rb").read(), "notasecret").get_privatekey(), assertion_input, "sha256")).rstrip("=")) })
Sign it - and swap it import urllib2, urllib from OpenSSL import crypto access_token = json.loads(urllib2.urlopen("https://accounts.google.com/o/oauth2/token", urllib.urlencode({ "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "assertion": "%s.%s" % (assertion_input, base64.urlsafe_b64encode(crypto.sign(crypto.load_pkcs12( file("xxxxxxxx-privatekey.p12", "rb").read(), "notasecret").get_privatekey(), assertion_input, "sha256")).rstrip("=")) })).read())["access_token"]
Result { "access_token" : "yaXXXXXXXXXXXXXXXXXXXXXXXX", "token_type" : "Bearer", "expires_in" : 3600 }
Try using it print urllib2.urlopen(urllib2.Request( "https://www.googleapis.com/bigquery/v2/projects/%s/datasets" % "my-test-project-id", headers={'Authorization': 'Bearer %s' % access_token} )).read()
Try using it print urllib2.urlopen(urllib2.Request( "https://www.googleapis.com/bigquery/v2/projects/%s/datasets" % "my-test-project-id", headers={'Authorization': 'Bearer %s' % access_token} )).read() Result: { "kind": "bigquery#datasetList", "etag": "..." }
Using Google Client libraries yyyyyyyyyyy@developer.gserviceaccount.com xxxxxxxxxxx-privatekey.p12 https://www.googleapis.com/auth/bigquery
Using Google Client libraries import httplib2 from oauth2client.client import SignedJwtAssertionCredentials http = SignedJwtAssertionCredentials( "yyyyyyyyyyy@developer.gserviceaccount.com", file("xxxxxxxxxxx-privatekey.p12", "rb").read(), scope="https://www.googleapis.com/auth/bigquery" ).authorize(httplib2.Http())
Use authorized HTTP object directly print http.request("https://www.googleapis.com/bigquery/v2/projects/%s/datasets" % "my-test-project-id")[1]
Use authorized HTTP object directly print http.request("https://www.googleapis.com/bigquery/v2/projects/%s/datasets" % "my-test-project-id")[1] Result: { "kind": "bigquery#datasetList", "etag": "..." }
Or the full client library stack from apiclient.discovery import build service = build('bigquery', 'v2') print service.datasets().list(projectId="my-test-project-id").execute(http)
Or the full client library stack from apiclient.discovery import build service = build('bigquery', 'v2') print service.datasets().list(projectId="my-test-project-id").execute(http) Result: { "kind": "bigquery#datasetList", "etag": "..." }
Google hosted environments
Google hosted environments ● Built-in service account support provided for: ■ Google Compute Engine ■ Google App Engine ● You need to add the Google App Engine service account email address to the team for the project that contains the data you wish to access. ● For some APIs you will also need to pass an API key in the request
Use built-in identity in Google App Engine # Built-in: https://www.googleapis.com/auth/bigquery
Use built-in identity in Google App Engine # Built-in: from google.appengine.api import app_identity access_token, ttl = app_identity.get_access_token( "https://www.googleapis.com/auth/bigquery")
Use built-in identity in Google App Engine # Built-in: from google.appengine.api import app_identity access_token, ttl = app_identity.get_access_token( "https://www.googleapis.com/auth/bigquery") # With client library: https://www.googleapis.com/auth/bigquery
Use built-in identity in Google App Engine # Built-in: from google.appengine.api import app_identity access_token, ttl = app_identity.get_access_token( "https://www.googleapis.com/auth/bigquery") # With client library: from oauth2client.appengine import AppAssertionCredentials http = AppAssertionCredentials( "https://www.googleapis.com/auth/bigquery").authorize(httplib2.Http())
Use built-in identity in Google Compute Engine # When starting your VM - authorize the VM to use the scope you need: gcutil --project=my-test-project-id addinstance foobar --service_account_scopes=https://www.googleapis.com/auth/bigquery
Use built-in identity in Google Compute Engine # When starting your VM - authorize the VM to use the scope you need: gcutil --project=my-test-project-id addinstance foobar --service_account_scopes=https://www.googleapis.com/auth/bigquery # Inside the VM: curl "http://metadata/computeMetadata/v1beta1/instance/service-accounts/default/token"
Use built-in identity in Google Compute Engine # When starting your VM - authorize the VM to use the scope you need: gcutil --project=my-test-project-id addinstance foobar --service_account_scopes=https://www.googleapis.com/auth/bigquery # Inside the VM: curl "http://metadata/computeMetadata/v1beta1/instance/service-accounts/default/token" # Result: { "access_token" : "yaXXXXXXXXXXXXXXXXXXXXXXXX", "token_type" : "Bearer", "expires_in" : 3600 }
Use client library on Google Compute Engine https://www.googleapis.com/auth/bigquery
Use client library on Google Compute Engine from oauth2client.gce import AppAssertionCredentials http = AppAssertionCredentials( "https://www.googleapis.com/auth/bigquery").authorize(httplib2.Http())
Authentication - summary ● Your applications need an identity (like a role account) when they access Google APIs ● When running in Google App Engine or Google Compute Engine use built-in credentials ● When running elsewhere (including local Google App Engine development) create a service account and download a private key
What is a token? ● Called an "Access Token" - identifies 3 things to Google: 1. The application (called Client) making the request 2. The User (if applicable) authorizing the request 3. What class of actions the user has authorized the application to perform (called Scope)
Authorization is based on the user ● Ensure the email address associated with the user is added as a "Team" member on the project associated with the resource being accessed ● Correct scope associated with access token
Billing/quota based on client ● Validate against the project associated with client ID: ■ Service is enabled ■ Billing state is active (where applicable) ■ Quota limit (for API call) has not been exceeded ● Per project (e.g. courtesy limit) ● Per user - configurable by developers ● For APIs that include accessing resources belonging to a project (e.g. most Cloud Platform APIs), the above is also validated against the project owning that resource (if different)
Summary ● Applications have identity too! ● Access token must be presented ■ Recommend client libraries to acquire token ● Authorize user by adding to appropriate Team ● Now, go and use our APIs to change the world! ■ (or at least solve your problems!) ● Ask questions if you are stuck! ■ StackOverflow (google-oauth)
Thank You! Adam Eijdenberg - eijdenberg@google.com goo.gl/D6ZKz
Google Cloud Platform Resources cloud.google.com - get started today developers.google.com - docs and developer guidance cloud.google.com/newsletter - stay up to date googlecloudplatform.blogspot.com - our blog https://developers.google.com/api-client-library/ - client libraries https://developers.google.com/accounts/docs/OAuth2ServiceAccount - protocol details Get questions answered on StackOverflow (google-oauth)
Developers

Recomendados

Stop Hackers with Integrated CASB & IDaaS Security
Stop Hackers with Integrated CASB & IDaaS SecurityStop Hackers with Integrated CASB & IDaaS Security
Stop Hackers with Integrated CASB & IDaaS SecurityCloudLock
 
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLock
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLockBe A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLock
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLockCloudLock
 
Google Cloud Platform: Prototype ->Production-> Planet scale
Google Cloud Platform: Prototype ->Production-> Planet scaleGoogle Cloud Platform: Prototype ->Production-> Planet scale
Google Cloud Platform: Prototype ->Production-> Planet scaleIdan Tohami
 
Introduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform TechnologiesIntroduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform TechnologiesChris Schalk
 
Google Cloud Technologies Overview
Google Cloud Technologies OverviewGoogle Cloud Technologies Overview
Google Cloud Technologies OverviewChris Schalk
 
Google Cloud Platform Empowers TensorFlow and Machine Learning
Google Cloud Platform Empowers TensorFlow and Machine LearningGoogle Cloud Platform Empowers TensorFlow and Machine Learning
Google Cloud Platform Empowers TensorFlow and Machine LearningDataWorks Summit/Hadoop Summit
 
Google Cloud Platform
Google Cloud Platform Google Cloud Platform
Google Cloud Platform Francesco Marchitelli
 
Understanding cloud with Google Cloud Platform
Understanding cloud with Google Cloud PlatformUnderstanding cloud with Google Cloud Platform
Understanding cloud with Google Cloud PlatformDr. Ketan Parmar
 

Recomendados

Stop Hackers with Integrated CASB & IDaaS Security
Stop Hackers with Integrated CASB & IDaaS SecurityStop Hackers with Integrated CASB & IDaaS Security
Stop Hackers with Integrated CASB & IDaaS SecurityCloudLock
 
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLock
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLockBe A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLock
Be A Hero: Combat Cloud Security Threats with Google Apps Unlimited & CloudLockCloudLock
 
Google Cloud Platform: Prototype ->Production-> Planet scale
Google Cloud Platform: Prototype ->Production-> Planet scaleGoogle Cloud Platform: Prototype ->Production-> Planet scale
Google Cloud Platform: Prototype ->Production-> Planet scaleIdan Tohami
 
Introduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform TechnologiesIntroduction to Google Cloud Platform Technologies
Introduction to Google Cloud Platform TechnologiesChris Schalk
 
Google Cloud Technologies Overview
Google Cloud Technologies OverviewGoogle Cloud Technologies Overview
Google Cloud Technologies OverviewChris Schalk
 
Google Cloud Platform Empowers TensorFlow and Machine Learning
Google Cloud Platform Empowers TensorFlow and Machine LearningGoogle Cloud Platform Empowers TensorFlow and Machine Learning
Google Cloud Platform Empowers TensorFlow and Machine LearningDataWorks Summit/Hadoop Summit
 
Google Cloud Platform
Google Cloud Platform Google Cloud Platform
Google Cloud Platform Francesco Marchitelli
 
Understanding cloud with Google Cloud Platform
Understanding cloud with Google Cloud PlatformUnderstanding cloud with Google Cloud Platform
Understanding cloud with Google Cloud PlatformDr. Ketan Parmar
 
CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content HighlightsCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Más contenido relacionado

Más de CloudIDSummit

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content HighlightsCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 

Más de CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 

Último

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 

Último (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 

CIS13: dentity in the Enterprise: Using OAuth in Google’s Cloud Platform and Identity and Security in Google Apps

  • 2. Google Cloud Platform: Applications have identity too! Adam Eijdenberg Product Manager eijdenberg@google.com goo.gl/D6ZKz
  • 3.
  • 4. What are we covering today? ● Authentication ○ From first principles, using Google Client Libraries ○ From anywhere, Google App Engine, Google Compute Engine ● Authorization
  • 5. Let's make an API call
  • 6.
  • 7. All I want to do is make an API call! ● What is the minimum I need to do to make a successful API call against a Google API? GET /bigquery/v2/projects/1234/datasets HTTP/1.1 Host: www.googleapis.com Authorization: Bearer yaXXXXXXXXXX ● You need a token - This presentation will show you how to get one - painlessly!
  • 8. What is a token? ● Called an "Access Token" - identifies 3 things to Google: 1. The application (called Client) making the request 2. The User (if applicable) authorizing the request 3. What class of actions the user has authorized the application to perform (called Scope)
  • 9. How do I get one? ● This depends on whose data is being accessed ● Data owned by a Google user ■ e.g. show consent screen for your application to access data on behalf of a user, e.g. Google Drive, Google Calendar ● Data owned by my application or provided by Google ■ e.g. Google Cloud Storage, Google BigQuery API, Google Compute Engine ● This presentation will focus on accessing data belonging to your application - typical pattern for Cloud Platform APIs
  • 11. Accessing data owned by my application ● Let's get started with BigQuery https://developers.google.com/console/
  • 12. Project ● Container for: ○ Resources ■ Google Cloud Storage buckets ■ Google Compute Engine virtual machines ■ BigQuery datasets ○ Registered applications and credentials ● Holds configuration for: ○ Authorization ○ Billing / quota management ○ Services enabled
  • 13. Enable the service ● Remember the access token identifies the application making the request? ● The API you are calling must be enabled within the project where the application is registered (next step)
  • 14. Create a service account ● A service account is a non-human user ● Allows your application to make API calls on behalf of itself ● Identity for your application - like a role account
  • 15. Branding Information screen ● The first time a Client is created you will be prompted for the following - this is not used for application authentication.
  • 18. Take note of the email address
  • 19. Let's get an access token
  • 21. Create an assertion import time now = long(time.time()) { "iss": "yyyyyyy@developer.gserviceaccount.com", "scope": "https://www.googleapis.com/auth/bigquery", "aud": "https://accounts.google.com/o/oauth2/token", "exp": now + (60 * 60), "iat": now }
  • 22. Create an assertion import time, json, base64 now = long(time.time()) assertion_input = "%s.%s" % ( base64.urlsafe_b64encode( json.dumps({"alg": "RS256", "typ": "JWT"}).encode("UTF-8") ).rstrip("="), base64.urlsafe_b64encode(json.dumps({ "iss": "yyyyyyy@developer.gserviceaccount.com", "scope": "https://www.googleapis.com/auth/bigquery", "aud": "https://accounts.google.com/o/oauth2/token", "exp": now + (60 * 60), "iat": now }).encode("UTF-8")).rstrip("="))
  • 23. Sign it - and swap it xxxxxxxx-privatekey.p12 notasecret
  • 24. Sign it - and swap it import urllib from OpenSSL import crypto urllib.urlencode({ "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "assertion": "%s.%s" % (assertion_input, base64.urlsafe_b64encode(crypto.sign(crypto.load_pkcs12( file("xxxxxxxx-privatekey.p12", "rb").read(), "notasecret").get_privatekey(), assertion_input, "sha256")).rstrip("=")) })
  • 25. Sign it - and swap it import urllib2, urllib from OpenSSL import crypto access_token = json.loads(urllib2.urlopen("https://accounts.google.com/o/oauth2/token", urllib.urlencode({ "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "assertion": "%s.%s" % (assertion_input, base64.urlsafe_b64encode(crypto.sign(crypto.load_pkcs12( file("xxxxxxxx-privatekey.p12", "rb").read(), "notasecret").get_privatekey(), assertion_input, "sha256")).rstrip("=")) })).read())["access_token"]
  • 27. Try using it print urllib2.urlopen(urllib2.Request( "https://www.googleapis.com/bigquery/v2/projects/%s/datasets" % "my-test-project-id", headers={'Authorization': 'Bearer %s' % access_token} )).read()
  • 28. Try using it print urllib2.urlopen(urllib2.Request( "https://www.googleapis.com/bigquery/v2/projects/%s/datasets" % "my-test-project-id", headers={'Authorization': 'Bearer %s' % access_token} )).read() Result: { "kind": "bigquery#datasetList", "etag": "..." }
  • 29. Using Google Client libraries yyyyyyyyyyy@developer.gserviceaccount.com xxxxxxxxxxx-privatekey.p12 https://www.googleapis.com/auth/bigquery
  • 30. Using Google Client libraries import httplib2 from oauth2client.client import SignedJwtAssertionCredentials http = SignedJwtAssertionCredentials( "yyyyyyyyyyy@developer.gserviceaccount.com", file("xxxxxxxxxxx-privatekey.p12", "rb").read(), scope="https://www.googleapis.com/auth/bigquery" ).authorize(httplib2.Http())
  • 31. Use authorized HTTP object directly print http.request("https://www.googleapis.com/bigquery/v2/projects/%s/datasets" % "my-test-project-id")[1]
  • 32. Use authorized HTTP object directly print http.request("https://www.googleapis.com/bigquery/v2/projects/%s/datasets" % "my-test-project-id")[1] Result: { "kind": "bigquery#datasetList", "etag": "..." }
  • 33. Or the full client library stack from apiclient.discovery import build service = build('bigquery', 'v2') print service.datasets().list(projectId="my-test-project-id").execute(http)
  • 34. Or the full client library stack from apiclient.discovery import build service = build('bigquery', 'v2') print service.datasets().list(projectId="my-test-project-id").execute(http) Result: { "kind": "bigquery#datasetList", "etag": "..." }
  • 36. Google hosted environments ● Built-in service account support provided for: ■ Google Compute Engine ■ Google App Engine ● You need to add the Google App Engine service account email address to the team for the project that contains the data you wish to access. ● For some APIs you will also need to pass an API key in the request
  • 37. Use built-in identity in Google App Engine # Built-in: https://www.googleapis.com/auth/bigquery
  • 38. Use built-in identity in Google App Engine # Built-in: from google.appengine.api import app_identity access_token, ttl = app_identity.get_access_token( "https://www.googleapis.com/auth/bigquery")
  • 39. Use built-in identity in Google App Engine # Built-in: from google.appengine.api import app_identity access_token, ttl = app_identity.get_access_token( "https://www.googleapis.com/auth/bigquery") # With client library: https://www.googleapis.com/auth/bigquery
  • 40. Use built-in identity in Google App Engine # Built-in: from google.appengine.api import app_identity access_token, ttl = app_identity.get_access_token( "https://www.googleapis.com/auth/bigquery") # With client library: from oauth2client.appengine import AppAssertionCredentials http = AppAssertionCredentials( "https://www.googleapis.com/auth/bigquery").authorize(httplib2.Http())
  • 41. Use built-in identity in Google Compute Engine # When starting your VM - authorize the VM to use the scope you need: gcutil --project=my-test-project-id addinstance foobar --service_account_scopes=https://www.googleapis.com/auth/bigquery
  • 42. Use built-in identity in Google Compute Engine # When starting your VM - authorize the VM to use the scope you need: gcutil --project=my-test-project-id addinstance foobar --service_account_scopes=https://www.googleapis.com/auth/bigquery # Inside the VM: curl "http://metadata/computeMetadata/v1beta1/instance/service-accounts/default/token"
  • 43. Use built-in identity in Google Compute Engine # When starting your VM - authorize the VM to use the scope you need: gcutil --project=my-test-project-id addinstance foobar --service_account_scopes=https://www.googleapis.com/auth/bigquery # Inside the VM: curl "http://metadata/computeMetadata/v1beta1/instance/service-accounts/default/token" # Result: { "access_token" : "yaXXXXXXXXXXXXXXXXXXXXXXXX", "token_type" : "Bearer", "expires_in" : 3600 }
  • 44. Use client library on Google Compute Engine https://www.googleapis.com/auth/bigquery
  • 45. Use client library on Google Compute Engine from oauth2client.gce import AppAssertionCredentials http = AppAssertionCredentials( "https://www.googleapis.com/auth/bigquery").authorize(httplib2.Http())
  • 46. Authentication - summary ● Your applications need an identity (like a role account) when they access Google APIs ● When running in Google App Engine or Google Compute Engine use built-in credentials ● When running elsewhere (including local Google App Engine development) create a service account and download a private key
  • 47. What is a token? ● Called an "Access Token" - identifies 3 things to Google: 1. The application (called Client) making the request 2. The User (if applicable) authorizing the request 3. What class of actions the user has authorized the application to perform (called Scope)
  • 48. Authorization is based on the user ● Ensure the email address associated with the user is added as a "Team" member on the project associated with the resource being accessed ● Correct scope associated with access token
  • 49. Billing/quota based on client ● Validate against the project associated with client ID: ■ Service is enabled ■ Billing state is active (where applicable) ■ Quota limit (for API call) has not been exceeded ● Per project (e.g. courtesy limit) ● Per user - configurable by developers ● For APIs that include accessing resources belonging to a project (e.g. most Cloud Platform APIs), the above is also validated against the project owning that resource (if different)
  • 50. Summary ● Applications have identity too! ● Access token must be presented ■ Recommend client libraries to acquire token ● Authorize user by adding to appropriate Team ● Now, go and use our APIs to change the world! ■ (or at least solve your problems!) ● Ask questions if you are stuck! ■ StackOverflow (google-oauth)
  • 51. Thank You! Adam Eijdenberg - eijdenberg@google.com goo.gl/D6ZKz
  • 52. Google Cloud Platform Resources cloud.google.com - get started today developers.google.com - docs and developer guidance cloud.google.com/newsletter - stay up to date googlecloudplatform.blogspot.com - our blog https://developers.google.com/api-client-library/ - client libraries https://developers.google.com/accounts/docs/OAuth2ServiceAccount - protocol details Get questions answered on StackOverflow (google-oauth)