Authenticating with a service account

Prerequisites

This page assumes that you have already:

• Created a Google Cloud project .

• Added API management .

Configuring authentication

To authenticate with a service account:

1. Import the App Engine Endpoints API in your API class:

     import 
     
    endpoints 
    
   

2. Add an issuer object for the service account to the API decorator . For example:

   @endpoints.api(
       name=' echo 
   ',
       version=' v1 
   ',
       issuers={'serviceAccount': endpoints.Issuer(
           ' YOUR_SERVICE_ACCOUNT_EMAIL 
   ',
           'https://www.googleapis.com/robot/v1/metadata/x509/ YOUR_SERVICE_ACCOUNT_EMAIL 
   ')},
       audiences={'serviceAccount': [' YOUR_AUDIENCE 
   ']})

   • Replace echo with the name of your API.
   • Replace v1 with your API version.
   • Replace YOUR_SERVICE_ACCOUNT_EMAIL with your service account email.
   • Replace YOUR_AUDIENCE with the value in the aud field sent by the calling service.

3. In each API method where you want to check for proper authentication, check for a valid User and raise error 401 if there isn't one, as shown in this sample method definition:

     user 
    = 
    endpoints 
    . 
    get_current_user 
    () 
    # If there's no user defined, the request was unauthenticated, so we 
    # raise 401 Unauthorized. 
    
   

4. Deploy the API . You need to redeploy the API whenever you add new clients.