Authenticating with a service account

Prerequisites

This page assumes that you have already:

• Created a Google Cloud project.

• Added API management.

Configuring authentication

To authenticate with a service account:

1. Import the App Engine Endpoints API in your API class:

   import endpoints 

2. Add an issuer object for the service account to the API decorator. For example:

    @endpoints.api( name='echo', version='v1', issuers={'serviceAccount': endpoints.Issuer( 'YOUR_SERVICE_ACCOUNT_EMAIL', 'https://www.googleapis.com/robot/v1/metadata/x509/YOUR_SERVICE_ACCOUNT_EMAIL')}, audiences={'serviceAccount': ['YOUR_AUDIENCE']}) 

   • Replace echo with the name of your API.
   • Replace v1 with your API version.
   • Replace YOUR_SERVICE_ACCOUNT_EMAIL with your service account email.
   • Replace YOUR_AUDIENCE with the value in the aud field sent by the calling service.

3. In each API method where you want to check for proper authentication, check for a valid User and raise error 401if there isn't one, as shown in this sample method definition:

   user = endpoints.get_current_user() # If there's no user defined, the request was unauthenticated, so we # raise 401 Unauthorized. 

4. Deploy the API. You need to redeploy the API whenever you add new clients.