
Authenticating Google Cloud behind a corporate firewall


I am trying to use Google Cloud's Natural Language API at work, and I believe my corporate firewall is blocking communication between Python and Google Cloud.

After entering the following in the terminal:

gcloud auth application-default login

My browser opens up to log into my Google account successfully. After I log in, however, I get

ERROR: There was a problem with web authentication. Try running again with --no-launch-browser.

ERROR: (gcloud.auth.application-default.login) Could not reach the login server. A potential cause of this could be because you are behind a proxy. Please set the environment variables HTTPS_PROXY and HTTP_PROXY to the address of the proxy in the format "protocol://address:port" (without quotes) and try again.
Example: HTTPS_PROXY=https://192.168.0.1:8080

I believe I need to contact my IT department to add an exception to our firewall. Does anyone know what the address / port for Google Cloud's natural language processing API is?


Solution

  • I can't directly answer your question, but I can provide some general guidance that might work around your issue.

    The command

    gcloud auth application-default login
    

    is a convenience helper for running sample code locally, but it's really not the best auth strategy for a variety of reasons. It uses a special client ID that won't always have all your quota.

    The way I would recommend using the API is Service Accounts. You can create a Service Account in the Cloud Console under API credentials, and then download a JSON key. Then you set the environment variable GOOGLE_APPLICATION_CREDENTIALS to point to your file, and it will automatically work assuming you are using Application Default Credentials (which most samples and client libraries use).

    On App Engine and Compute Engine (assuming you created the VM with the correct scopes), Service Accounts exist by default, so you don't even need to download the JSON and set the environment variable.

    The other way you can use the API is just creating an API Key, then hitting the HTTP endpoints with ?key=api-key at the end of the URL. API Keys are also less than ideal (no idea who the client is, no scopes), but are a simple option.

    In your case, I'd recommend using JSON service account keys and the environment variable, but it's worth reading the official authentication guide.
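
A preflight check for the service-account setup recommended in the answer above, as an added example that is not part of the original answer: it verifies the file that GOOGLE_APPLICATION_CREDENTIALS points to before any client library is involved. The function name, the field list and the sample key are assumptions made for illustration.

```python
import json
import os
import stat
import tempfile

# Fields present in a service-account JSON key downloaded from the Cloud Console.
REQUIRED = ("project_id", "private_key_id", "private_key", "client_email", "token_uri")

def check_adc_environment(env):
    """Return a list of problems with the service-account setup (empty = OK)."""
    path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set"]
    if not os.path.isfile(path):
        return [f"key file not found: {path}"]
    findings = []
    # The key is a long-lived secret: on POSIX it should be readable by its owner only.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        findings.append(f"key file mode {mode:04o} lets group/others read it; use 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError:
        return findings + ["key file is not valid JSON"]
    if not isinstance(key, dict):
        return findings + ["key file is not a JSON object"]
    # 'authorized_user' is the type `gcloud auth application-default login` writes.
    if key.get("type") != "service_account":
        findings.append(f"type is {key.get('type')!r}, expected 'service_account'")
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    # The gcloud error quoted in the question asks for HTTPS_PROXY behind a proxy.
    if not (env.get("HTTPS_PROXY") or env.get("https_proxy")):
        findings.append("HTTPS_PROXY is not set (required only behind a proxy)")
    return findings

if __name__ == "__main__":
    # Constructed sample key: placeholder values, not a real credential.
    sample = {"type": "service_account", "project_id": "example-project",
              "private_key_id": "constructed-id", "private_key": "PLACEHOLDER",
              "client_email": "svc@example-project.iam.gserviceaccount.com",
              "token_uri": "https://oauth2.googleapis.com/token"}
    path = os.path.join(tempfile.mkdtemp(), "key.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, 0o644)  # deliberately too open, to show the finding
    for line in check_adc_environment({"GOOGLE_APPLICATION_CREDENTIALS": path}):
        print("-", line)
```

Pass `os.environ` to check the current shell; the permission check is skipped on non-POSIX systems, where the key file needs an equivalent ACL restriction instead.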