Use the service account P12 key on the GAE SDK dev_appserver

For example, when building an API layer by Cloud Endpoints before BigQuery, you want to connect to BigQuery from dev_appserver of GAE SDK.

When you create a service account in the Developers Console, the P12 key will be downloaded. The P12 key is a PKCS12 format private key.

The PyCrypto used by ʻoauth2client` does not support the PKCS12 format. If you try to use it as it is

NotImplementedError: PKCS12 format is not supported by the PyCrypto library. Try converting to a "PEM" (openssl pkcs12 -in xxxxx.p12 -nodes -nocerts > privatekey.pem) or using PyOpenSSL if native code is an option.

NotImplementedError will occur, so you can convert the private key according to the message.

$ openssl pkcs12 -in xxxxx.p12 -nodes -nocerts > privatekey.pem
Enter Import Password:

The password for the private key of the service account is notasecret.

Sample code

# -*- coding: utf-8 -*-

import os

from google.appengine.api import memcache
import apiclient
import httplib2
import oauth2client

# OAuth2.List 0 SCOPEs.
#Example) https://cloud.google.com/bigquery/authentication#oauthbasics
BigQuery_SCOPE = ('https://www.googleapis.com/auth/bigquery',)

def get_bigquery_client():
  # dev_Determine if it is running on the appserver. Environment variable`SERVER_SOFTWARE`But`Dev`start from.
  if os.environ.get('SERVER_SOFTWARE', 'Dev').startswith('Dev'):
    #Open the PEM file read-only.
    with open('privatekey.pem', 'rb') as f:
      # Credentials object used for OAuth 2.0 Signed JWT assertion grants.
      # http://google-api-python-client.googlecode.com/hg/docs/epy/oauth2client.client.SignedJwtAssertionCredentials-class.html
      credentials = oauth2client.client.SignedJwtAssertionCredentials(
        service_account_name = '[email protected]',
        private_key = f.read(),
        scope = BigQuery_SCOPE,
      )
  else:
    # Credentials object for App Engine Assertion Grants
    # http://google-api-python-client.googlecode.com/hg/docs/epy/oauth2client.appengine.AppAssertionCredentials-class.html
    credentials = oauth2client.appengine.AppAssertionCredentials(scope=BigQuery_SCOPE)
  #HTTP client with memcache set for cache usage.
  http = credentials.authorize(httplib2.Http(memcache))
  #Specify Google Cloud Endpoints and return the API client.
  return apiclient.discovery.build('bigquery', 'v2', http=http)

Common errors

IOError: [Errno 13] file not accessible: 'privatekey.pem'

Since you can only access the files under the GAE project, move the private key to the directory under the GAE project.

ValueError: RSA key format is not supported

Convert to PEM format instead of RSA format.

ValueError: PEM encryption format not supported.

The PEM phrase must be removed.

AccessTokenRefreshError: invalid_grant

The email address of the service account is specified in service_account_name. Not a client ID.

Recommended Posts

Use the service account P12 key on the GAE SDK dev_appserver
[Hyperledger Iroha] Notes on how to use the Python SDK
Set up a Google Cloud service account key on heroku
Commands often used on GAE / P
Sakura Use Python on the Internet
Use The Metabolic Disassembler on Google Colaboratory
Use the Grove sensor on the Raspberry Pi
[2015/11/19] How to register a service locally using the python SDK on naoqi os