I am trying to store a secret that I am calling with the following line of code:
const {token} = await context.github.auth({type: "installation"});
I cannot find the API to store the secret once I get it. Any idea on what probot APIs are there to store the secret?
Thanks!
I have tried looking everywhere and cannot find a handy probot API.
Related
I am working on an app which provides users with CRUD funtionlity over GCP catalog. I have managed to get the JWT token of the user fron the frontend, but I do not know how to pass this on to the 'DataCatalogClient'. The code looks like this:
const {DataCatalogClient} = require('#google-cloud/datacatlog).v1
const datacatalog = new DataCatalogClient()
The DataCatalogClient does accept some parameters, but I do not see anything related to a token over there. Any help is greatly appreciated!
I'm trying to connect to the Google Drive API with a NodeJS server using a service account. The goal is for the server to be able to authenticate as the service account, retrieve relevant files from a drive, and send them back to the user, without the user needing to log in to Google directly. This would allow me to control file access through my web app instead of having to manually share and unshare files through Drive. From my understanding of the Google Drive API, this should all be possible. The problem is that I can't even figure out how to authenticate my server. The server runs on an AWS EC2 instance. To clarify, I do not want the user to have to authenticate using the frontend interface.
I've followed the quickstart guide and set up a service account & key as instructed here, but upon creating the key as instructed in the second link, it doesn't look like I have the correct credentials.json file. The JSON file I get after generating a key on the Google Developer Console has the following object keys (values intentionally removed):
type, project_id, private_key_id, private_key, client_email, client_id, auth_uri, token_uri, auth_provider_x509_cert_url, client_x509_cert_url
The quickstart guide suggests that this file should contain client_secret and redirect_uris within some installed object (const {client_secret, client_id, redirect_uris} = credentials.installed;):
Attempting to run this index.js quickstart file causes an error to be thrown, since installed does not exist within credentials.json. Where can I generate the necessary credentials file? Or am I on the wrong track completely?
Posts like this reference a similar issue on an older version of the quickstart documentation, but the solutions here don't help since there isn't a client_secret key in my credentials file.
When I saw the showing keys of your credentials.json file, I understood that the file is the credential file of the service account. If my understanding is correct, when I saw your showing script, it seems that the script is for OAuth2. In this case, this script cannot be used for the service account. I thought that this is the reason for your current issue.
In order to use Drive API using the service account, how about the following sample script?
Sample script:
Before you use this script, please set credentialFilename of the service account. In this case, please include the path.
const { google } = require("googleapis");
const credentialFilename = "credentials.json";
const scopes = ["https://www.googleapis.com/auth/drive.metadata.readonly"];
const auth = new google.auth.GoogleAuth({keyFile: credentialFilename, scopes: scopes});
const drive = google.drive({ version: "v3", auth });
// This is a simple sample script for retrieving the file list.
drive.files.list(
{
pageSize: 10,
fields: "nextPageToken, files(id, name)",
},
(err, res) => {
if (err) return console.log("The API returned an error: " + err);
const files = res.data.files;
console.log(files);
}
);
When this script is run, as a sample script, the file list is retrieved from the Google Drive of the service account. So, please modify this for your actual situation.
This sample script uses https://www.googleapis.com/auth/drive.metadata.readonly as the scope. Please modify this for your actual situation.
Reference:
Google APIs Node.js Client
I have an HTTP-triggered function running on Google Cloud Functions, which uses require('googleapis').sheets('v4') to write data into a docs spreadsheet.
For local development I added an account via the Service Accounts section of their developer console. I downloaded the token file (dev-key.json below) and used it to authenticate my requests to the Sheets API as follows:
var API_ACCT = require("./dev-key.json");
let apiClient = new google.auth.JWT(
API_ACCT.client_email, null, API_ACCT.private_key,
['https://www.googleapis.com/auth/spreadsheets']
);
exports.myFunc = function (req, res) {
var newRows = extract_rows_from_my_client_app_request(req);
sheets.spreadsheets.values.append({
auth: apiClient,
// ...
resource: { values:newRows }
}, function (e) {
if (e) res.status(500).json({err:"Sheets API is unhappy"});
else res.status(201).json({ok:true})
});
};
After I shared my spreadsheet with my service account's "email address" e.g. local-devserver#foobar-bazbuzz-123456.iam.gserviceaccount.com — it worked!
However, as I go to deploy this to the Google Cloud Functions service, I'm wondering if there's a better way to handle credentials? Can my code authenticate itself automatically without needing to bundle a JWT key file with the deployment?
I noticed that there is a FUNCTION_IDENTITY=foobar-bazbuzz-123456#appspot.gserviceaccount.com environment variable set when my function runs, but I do not know how to use this in the auth value to my googleapis call. The code for google.auth.getApplicationDefault does not use that.
Is it considered okay practice to upload a private JWT token along with my GCF code? Or should I somehow be using the metadata server for that? Or is there a built-in way that Cloud Functions already can authenticate themselves to other Google APIs?
It's common to bundle credentials with a function deployment. Just don't check them into your source control. Cloud Functions for Firebase samples do this where needed. For example, creating a signed URL from Cloud Storage requires admin credentials, and this sample illustrates saving that credential to a file to be deployed with the functions.
I'm wondering if there's a better way to handle credentials? Can my
code authenticate itself automatically without needing to bundle a JWT
key file with the deployment?
Yes. You can use 'Application Default Credentials', instead of how you've done it, but you don't use the function getApplicationDefault() as it has been deprecated since this Q was posted.
The link above shows how to make a simple call using the google.auth.getClient API, providing the desired scope, and have it decide the credential type needed automatically. On cloud functions this will be a 'Compute' object, as defined in the google-auth-library.
These docs say it well here...
After you set up a service account, ADC can implicitly find your
credentials without any need to change your code, as described in the
section above.
Where ADC is Application Default Credentials.
Note that, for Cloud Functions, you use the App Engine service account:
YOUR_PROJECT_ID#appspot.gserviceaccount.com, as documented here. That is the one you found via the FUNCTION_IDENTITY env var - this rather tripped me up.
The final step is to make sure that the service account has the required access as you did with your spreadsheet.
Here is the code from https://www.npmjs.com/package/#google-cloud/speech
var speech = require('#google-cloud/speech');
var client = speech({
// optional auth parameters.
});
How do I pass my API key to authenticate while using #google-cloud/speech? I read the documentation and saw the examples but they don't talk about using API key. Is there any way to get authenticated using the API key?
You need service account key (it is JSON keyFile). Go to
Google speech api dashboard -> credentials -> create credentials
-> Service account key -> Compute engine default -> download json file.
Finally add it to config as keyFile, e.g.:
{
projectId: 'my-project',
keyFile: './myKeyFile.json'
};
Source:
https://bloggerbrothers.com/2017/01/15/the-complete-guide-to-enabling-speech-recognition-on-an-rpi3-in-nodejs/
I figured out that to use #google-cloud/speech module in your nodejs, you have to have a project created on Google Cloud Platform and need to be logged in to your google account and provide your projectid as a parameter to the speech constructor in order to successfully login.
const speechClient = Speech({
projectId: projectId
});
This will authenticate you to make calls to Google Speech API. There is no documentation I could find which enables authentication using the google API key.
As the title is saying, I'm currently trying to delete a object using request, and google_API.
But, Even though I did what Google Cloud Platform said,
It doesn't work.
Please, Help me. what should I do?
It doesn't appear you're providing any sort of authentication token. You are providing an API key, which is important when making anonymous requests, but an API key does not authenticate your identity or grant any permissions. I am guessing that you are getting 403 Forbidden responses.
Since you're using Node.JS, I might suggest trying the google-cloud library. It's easy to use, and it deals with OAuth 2 authorization logic for you. A delete might look like this:
var gcloud = require('google-cloud')({
projectId: 'grape-spaceship-123'
keyFilename: '/path/to/keyfile.json'
});
var gcs = gcloud.storage();
var myBucket = gcs.bucket('backups');
var myFile = myBucket.file('someFile.png');
myFile.delete(function(err, apiResponse) {});