OpenAPI Google Cloud | Service Accounts

In order to use the OpenAPI Google Cloud components and Authenticate using Service Accounts, first you must obtain the Private Key Certificate from Google Cloud.

 

Find below the steps to get Google Private Key Certificate and how configure in our sample application.

 

First login to your Google Cloud Account and use an existing project or create a new one.

 

 

Select CREATE SERVICE ACCOUNT and a new page will be shown where you must set the service account name and description

 

 

Then select at least one Role, I select PubSub Admin to allow the client publish and subscribe topics, but you can select other role with less privileges

 

 

Press CONTINUE and finally you can grant access to other users

 

 

Press DONE when you finish and a new record will be shown

 

 

The next step is create a new Key, so select the option Create Key in actions column. Select JSON to download the configuration in JSON format and a new Key will be created

 

 

Finally you only need to fill the data provided by google in the OpenAPI PubSub client. You can use LoadSettingsFromFile to load the configuration JSON file.

 

 

 

Domain-Wide Delegation

If you have a Google Workspace account, an administrator of the organization can authorize an application to access user data on behalf of users in the Google Workspace domain. For example, an application that uses the Google Calendar API to add events to the calendars of all users in a Google Workspace domain would use a service account to access the Google Calendar API on behalf of users. Authorizing a service account to access data on behalf of users in a domain is sometimes referred to as "delegating domain-wide authority" to a service account.

 

To delegate domain-wide authority to a service account, a super administrator of the Google Workspace domain must complete the following steps:

 

• From your Google Workspace domain's Admin console, go to Main menu menu > Security > Access and data control > API Controls.
• In the Domain wide delegation pane, select Manage Domain Wide Delegation.
• Click Add new.
• In the Client ID field, enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.
• In the OAuth scopes (comma-delimited) field, enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide full access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
• Click Authorize.

 

Once you've linked and authorized the workspace account, configure the property GoogleOptions.ServiceAccountOptions from the OpenAPI client:

 

• Subject: is the workspace email account linked to the service account. Example: youremail@domain.com
• Scopes: list of scopes. Example: https://www.googleapis.com/auth/calendar
• TokenURI: by default is https://oauth2.googleapis.com/token.