Get project ID from JSON credentials file

[daspecster]

This is a possible resolution to #1792, making it easier to follow along with the documentation.

I looked for a way to clarify the documentation for this but it looks like this should make it work in the way that the documentation shows already.

[jgeewax]

Do we have tests that make sure the gcloud auth login case works as expected?

In other words, we need to follow the same policy of grabbing project IDs, trying the following in order to grab project ID from...

1. explicitly in code
2. the environment variable
3. gcloud's environment (gcloud config list project)
4. the service account credentials
   • hopefully this covers the GCE / GAE scenario

(I think that's the right order at least...)

[daspecster]

To get this to work with the happy path that @jgeewax mentioned(gcloud auth login), what would be the best way to programatically access gcloud config list project which I believe is reading the project key from ~/.config/gcloud/configurations/config_default?

[dhermes]

I'm not sure. @jgeewax do we have a gcloud CLI point person that can tell us? @daspecster we could assume that it is correct, or we could just use a system call to get the project?

As for putting it with auth, we can at least agree that this is configuration and not auth? So we should work to find a place. We usually discuss config in each usage doc, but you could start a new gcloud-config doc and then refer to it from all the usage docs.

[daspecster]

I can do the gcloud config list project system call for now and if there's a better way we can find it.

Ok cool, thanks @dhermes! I'll make a configuration doc.

[daspecster]

@dhermes @tseaver @jonparrott
Do we want to try and use something like this or drop it?
I'm not sure who to ask about properly accessing gcloud environment properties programmatically?

[dhermes]

Not sure either.

1. You should just use ${HOME}/.config/gcloud/configurations/config_default if it exists. You could use oauth2client.client._get_well_known_file. If the file isn't there or you can't parse it, don't fail for the user and just silently move on.
2. For a service account, the project ID is in the JSON key file, so you can just use the GOOGLE_APPLICATION_CREDENTIALS env. var. (this is what "Project was not passed" error, even though ran  #1792 is actually asking for)

$ cat keyfile.json
{
  "type": "service_account",
  "project_id": "PROJECT",
  "private_key_id": "...",
  "private_key": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----\n",
  "client_email": "foo@PROJECT.iam.gserviceaccount.com",
  "client_id": "...",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/foo%40PROJECT.iam.gserviceaccount.com"
}

[daspecster]

@dhermes, so the only issue with grabbing it from GOOGLE_APPLICATION_CREDENTIALS, is that the GOOGLE_APPLICATION_CREDENTIALS environment variable isn't set when you just login with gcloud auth login.

Also, is that default file location the same for windows and linux both?

I saw oauth2client.client._get_well_known_file, but I also noticed this comment in that method.

TODO(orestica): Revisit this method once gcloud provides a better way

of pinpointing the exact location of the file.

So I wasn't sure what the story was there.

But I think using _get_well_known_file might be the best option if it works after gcloud auth login.

[dhermes]

@daspecster There should be a cascade of checks here just like there is for credentials. (i.e. so the absence of GOOGLE_APPLICATION_CREDENTIALS just means you move on to the next check)

[dhermes]

Also using _get_well_known_file (${HOME}/.config/gcloud/application_default_credentials.json) won't help get the file you want (${HOME}/.config/gcloud/configurations/config_default)

[daspecster]

Also, if I look back at #1792, the flow that happened there, GOOGLE_APPLICATION_CREDENTIALS wasn't set.

I can add that to the list of places to check but I think we're back to pulling it from the gcloud config?

[dhermes]

The current project-check cascade is:

1. DATASTORE_DATASET environment variable, set by gcd tool (only sometimes)
2. GCLOUD_PROJECT environment variable
3. App Engine App ID
4. GCE project ID

I'm suggesting you inject two more checks in there (not sure about the order yet):

• Check for a project ID in a JSON svc. acct. keyfile specified by GOOGLE_APPLICATION_CREDENTIALS
• Check in the ${HOME}/.config/gcloud/configurations/config_default file

---

For reference the cascade for credentials is:

1. GAE application ID service
2. filename via GOOGLE_APPLICATION_CREDENTIALS
3. the "well-known" file set by the gcloud CLI (${HOME}/.config/gcloud/application_default_credentials.json)
4. GCE instance creds

[daspecster]

Ok I will do that! Thanks again @dhermes!

[daspecster]

@dhermes @tseaver Can you guys let me know if this is good to go?

[daspecster]

@tseaver could you take a look at this real quick?
I think this is good to go but I we kind of left things hanging about raising an exception if the file is missing but I believe per @dhermes last comment that we're ok.

I'll merge if it looks good to you.

[tseaver]

Sorry, I was AFK waiting on a contractor. Looking this evening.

[tseaver]

LGTM whichever way you answer my question about passing the Windows config path in addition to the Unix-y one.

[daspecster]

@tseaver I added it!

    win32_config_path = os.path.join(os.getenv('APPDATA', ''),
                                     'gcloud\configurations\config_default')

I don't have a windows machine to test on though. Is there a way that we test gcloud-python on windows in general?

[tseaver]

@daspecster pylint doesn't like your backsplashes. I believe you could use forward-slashes there.

Is there a way that we test gcloud-python on windows in general?

We could look (again) into adding Appveyor CI.

[daspecster]

@tseaver I think I got it this time!

I just let python pick the slashes.

    win32_config_path = os.path.join(os.getenv('APPDATA', ''),
                                     'gcloud', 'configurations',
                                     'config_default')

[daspecster]

@tseaver if this looks good to you, I'll merge.
I appreciate you guys helping with this. I think it'll make the end user experience for beginners a lot easier, at least I really hope it does.

[tseaver]

LGTM

[dhermes]

@tseaver RE: AppVeyor, we've had a build running for 4+ months. I can add you guys as admins if needed.