@@ -62,66 +62,6 @@ store service account private keys locally.
6262.. _Google Cloud SDK : https://cloud.google.com/sdk
6363
6464
65- Service account private key files
66- +++++++++++++++++++++++++++++++++
67-
68- A service account private key file can be used to obtain credentials for a
69- service account. But it is **not recommended ** to download a service account key. If you do need
70- to use service accounts, you can do this instead:
71-
72- * **local development **: Use :ref: `Impersonated Credentials<impersonation> ` with source credential as User Account
73- * **google cloud production environment **: Use :ref: `Attached Service Account<MDS> `.
74- * **non-google cloud production environment **: Use :ref: `Workload Identity Federation<wlif> `.
75-
76- If none of the above alternatives work for you, wou can create a private key using the `Credentials page of the
77- Google Cloud Console `_. Once you have a private key you can either obtain
78- credentials one of three ways:
79-
80- 1. Set the ``GOOGLE_APPLICATION_CREDENTIALS `` environment variable to the full
81- path to your service account private key file
82-
83- .. code-block :: bash
84-
85- $ export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
86-
87- Then, use :ref: `application default credentials <application-default >`.
88- :func: `default ` checks for the ``GOOGLE_APPLICATION_CREDENTIALS ``
89- environment variable before all other checks, so this will always use the
90- credentials you explicitly specify.
91-
92- 2. Use :meth: `service_account.Credentials.from_service_account_file
93- <google.oauth2.service_account.Credentials.from_service_account_file> `::
94-
95- from google.oauth2 import service_account
96-
97- credentials = service_account.Credentials.from_service_account_file(
98- '/path/to/key.json')
99-
100- scoped_credentials = credentials.with_scopes(
101- ['https://www.googleapis.com/auth/cloud-platform'])
102-
103- 3. Use :meth: `service_account.Credentials.from_service_account_info
104- <google.oauth2.service_account.Credentials.from_service_account_info> `::
105-
106- import json
107-
108- from google.oauth2 import service_account
109-
110- json_acct_info = json.loads(function_to_get_json_creds())
111- credentials = service_account.Credentials.from_service_account_info(
112- json_acct_info)
113-
114- scoped_credentials = credentials.with_scopes(
115- ['https://www.googleapis.com/auth/cloud-platform'])
116-
117- .. warning :: Private keys must be kept secret. If you expose your private key it
118- is recommended to revoke it immediately from the Google Cloud Console.
119-
120- .. _Credentials page of the Google Cloud Console :
121- https://console.cloud.google.com/apis/credentials
122-
123- .. _MDS :
124-
12565Compute Engine, Container Engine, and the App Engine flexible environment
12666+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
12767
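Review bot: The removed block ends by deleting the `.. _MDS :` label (old line 123), which sits directly above the "Compute Engine, Container Engine, and the App Engine flexible environment" heading and anchors that section rather than the private key section being moved. The only reference visible in this diff is the removed `Attached Service Account<MDS>` bullet, so the label may now be unused, but I would keep it so the section stays linkable, or confirm that no other :ref: in the docs targets it.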
@@ -240,7 +180,6 @@ You can also use :class:`google_auth_oauthlib.flow.Flow` to perform the OAuth
240180.. _requests-oauthlib :
241181 https://requests-oauthlib.readthedocs.io/en/latest/
242182
243- .. _wlif :
244183
245184External credentials (Workload identity federation)
246185+++++++++++++++++++++++++++++++++++++++++++++++++++
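Review bot: Dropping `.. _wlif :` above the "External credentials (Workload identity federation)" heading leaves that section without a cross-reference target, and `.. _impersonation :` is dropped the same way further down. As far as this diff shows, both were referenced only from the bullets removed in the first hunk. Please confirm nothing else uses them, and consider keeping them so the relocated key-file section can link to these alternatives by name.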
@@ -987,7 +926,6 @@ configuration. It is not recommended to use a credential configuration that you
987926did not generate with the gcloud CLI unless you verify that the URL fields point
988927to a googleapis.com domain.
989928
990- .. _impersonation :
991929
992930Impersonated credentials
993931++++++++++++++++++++++++
@@ -1025,6 +963,58 @@ initializing the impersonated credential. Refer `create short lived credentials
1025963.. _create short lived credentials delegated : https://cloud.google.com/iam/docs/create-short-lived-credentials-delegated
1026964
1027965
966+ Service account private key files
967+ +++++++++++++++++++++++++++++++++
968+
969+ A service account private key file can be used to obtain credentials for a service account. If you are not
970+ able to use any of the authentication methods listed above, you can create a private key using `Credentials page of the
971+ Google Cloud Console `_. Once you have a private key you can obtain
972+ credentials one of three ways:
973+
974+ 1. Set the ``GOOGLE_APPLICATION_CREDENTIALS `` environment variable to the full
975+ path to your service account private key file
976+
977+ .. code-block :: bash
978+
979+ $ export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
980+
981+ Then, use :ref: `application default credentials <application-default >`.
982+ :func: `default ` checks for the ``GOOGLE_APPLICATION_CREDENTIALS ``
983+ environment variable before all other checks, so this will always use the
984+ credentials you explicitly specify.
985+
986+ 2. Use :meth: `service_account.Credentials.from_service_account_file
987+ <google.oauth2.service_account.Credentials.from_service_account_file> `::
988+
989+ from google.oauth2 import service_account
990+
991+ credentials = service_account.Credentials.from_service_account_file(
992+ '/path/to/key.json')
993+
994+ scoped_credentials = credentials.with_scopes(
995+ ['https://www.googleapis.com/auth/cloud-platform'])
996+
997+ 3. Use :meth: `service_account.Credentials.from_service_account_info
998+ <google.oauth2.service_account.Credentials.from_service_account_info> `::
999+
1000+ import json
1001+
1002+ from google.oauth2 import service_account
1003+
1004+ json_acct_info = json.loads(function_to_get_json_creds())
1005+ credentials = service_account.Credentials.from_service_account_info(
1006+ json_acct_info)
1007+
1008+ scoped_credentials = credentials.with_scopes(
1009+ ['https://www.googleapis.com/auth/cloud-platform'])
1010+
1011+ .. warning :: Private keys must be kept secret. If you expose your private key it
1012+ is recommended to revoke it immediately from the Google Cloud Console.
1013+
1014+ .. _Credentials page of the Google Cloud Console :
1015+ https://console.cloud.google.com/apis/credentials
1016+
1017+
10281018Downscoped credentials
10291019++++++++++++++++++++++
10301020
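Review bot: The relocated intro (new lines 969-972) no longer carries the old sentence "it is **not recommended** to download a service account key" or the three named alternatives (impersonated credentials, attached service account, workload identity federation), and "any of the authentication methods listed above" does not tell the reader which ones to try before creating a long-lived key. I would restore the explicit discouragement and name the alternatives with :ref: links to their sections. Two wording nits in the same paragraph: "using `Credentials page" should read "using the", and "obtain credentials one of three ways" should read "in one of three ways".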