Google-cloud-python: PubSub: (Python) How to use JSON string as the credential for Client initialization instead of the filepath
Is it possible to use just the JSON authentication credentials instead of a declaring the path to the file the contains the JSON, like so with the Python SDK library:
import os
from google.cloud import pubsub
json_string = os.environ['PUBSUB_JSON']
creds = json.loads(json_string)
client = pubsub.PublisherClient(credentials=creds)
I can do this technique in Node, but I am having trouble figuring out how to do the JSON only initialization in Python.
Thanks in advance.
reselbob
All 11 comments
@reselbob Thanks for asking, here is how you'd accomplish that:
import json
from google.oauth2 import service_account
info = json.loads(json_string)
credentials = service_account.Credentials.from_service_account_info(info)
Though rather than setting the PUBSUB_JSON environment variable, you could just set theGOOGLE_APPLICATION_CREDENTIALS environment variable and then
import google.auth
credentials, project = google.auth.default()
will do exactly what you want.
In general, future questions like this may be better asked on https://github.com/GoogleCloudPlatform/google-auth-library-python/.
dhermes
on 29 Nov 2017
I have closed the issue since (AFAICT) I have answered your question. If this is not the case, I'm happy to continue discussing and / or re-open.
dhermes
on 29 Nov 2017
Help?
Set GOOGLE_APPLICATION_CREDENTIALS to what, the JSON?
reselbob
on 29 Nov 2017
See: https://googlecloudplatform.github.io/google-cloud-python/latest/core/auth.html
I now realize you had set PUBSUB_JSON to the string itself rather than to a file containing the string.
dhermes
on 29 Nov 2017
Right, I just want to use the JSON string, not the file path. I looked at the link you provided. Seeing a lot of language about using the file path. Can't seem to locate an example about how to use the JSON string. But, might be missing something. As I mentioned, I can do it in NodeJS. Thanks for your continuing attention.
reselbob
on 29 Nov 2017
My first example (with from_service_account_info()) should work just fine if you already have the key file loaded as a JSON string.
dhermes
on 29 Nov 2017
I am having a problem when using the JSON string.
json_string = os.environ['PUBSUB_JSON']
info = json.loads(json_string)
creds = service_account.Credentials.from_service_account_info(info)
client = pubsub.PublisherClient(credentials=creds)
topic_path = client.topic_path(os.getenv('GOOGLE_CLOUD_PROJECT'), 'cron_job_topic')
data = data.encode('utf-8')
future = client.publish(topic_path, data=data)
gives me an error:
google.auth.exceptions.RefreshError: ('invalid_scope: Empty or missing scope not allowed.', '{\n "error" : "invalid_scope",\n "error_description" : "Empty or missing scope not allowed."\n}')
The JSON in question works fine when declared using a file path.
reselbob
on 29 Nov 2017
See my answer in https://github.com/GoogleCloudPlatform/google-auth-library-python/issues/225. Also note that you may have discovered a "bug" in Pub / Sub (#4479).
dhermes
on 29 Nov 2017
Is using env variables safer/more secure than using the json file?
What difference does it really make?
itsPav
on 5 Jun 2019
What difference does it really make?
When using environment variables, you never have to worry about credentials mistakenly being leaked via VCS.
ethagnawl
on 24 Oct 2019
@dhermes Thank you so much.
aaronamm
on 24 Dec 2019
Related issues
vrcs
路
3Comments
bmenasha
路
3Comments
VikramTiwari
路
3Comments
VikramTiwari
路
4Comments
pongad
路
4Comments
Most helpful comment
@reselbob Thanks for asking, here is how you'd accomplish that:
Though rather than setting the
PUBSUB_JSONenvironment variable, you could just set theGOOGLE_APPLICATION_CREDENTIALSenvironment variable and thenwill do exactly what you want.
In general, future questions like this may be better asked on https://github.com/GoogleCloudPlatform/google-auth-library-python/.