Right now I haven't managed to get the Google Cloud Platform Data Loss Prevention (DLP) client library for Python working behind an SSL proxy (it works fine with other GCP client libraries, for example for Storage or BigQuery): https://cloud.google.com/dlp/docs/libraries#client-libraries-usage-python
So I tried to use requests.post to call the API behind an SSL proxy:
```python
import json
import os
import subprocess

import requests

url = 'https://dlp.googleapis.com/v2/projects/' + os.environ['PROJECT_ID'] + '/content:inspect'
headers = {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer {}'.format(subprocess.run('gcloud auth print-access-token', shell=True, check=True, stdout=subprocess.PIPE).stdout.decode().replace('\n', '').replace('\r', ''))
}
# `parsed` (the JSON request body) and `proxies` (the SSL proxy settings) are defined elsewhere and are not shown in the post.
json_response = requests.post(url=url, json=parsed, headers=headers, proxies=proxies, verify=True)
json.loads(json_response.text)
```
This is working fine on CloudShell but not on my local machine where the SDK is installed. The reason is that on CloudShell, gcloud auth print-access-token gives me the same token for a period of a few minutes, while on my local machine (Windows or Mac), every time I execute the command, I get a new token. On my local machine, if I replace the gcloud command in the header with the token from CloudShell, it works fine. I have the latest version of the SDK on both my local machine and on CloudShell.
question 1: is it expected that every time we run gcloud auth print-access-token locally (SDK), we get a new token? (On CloudShell it is the same token for a period of a few minutes.)
question 2: what is the easiest/best way to generate a token? gcloud auth print-access-token doesn't seem to be the right way to do it when using a local machine and the SDK. This is not a productive application. This is just to test the DLP API.
question 1: is it expected that every time we run gcloud auth print-access-token locally (SDK), we get a new token? (On CloudShell it is the same token for a period of a few minutes.)
The answer depends on where you run your code. When running from a Google compute service (Cloud Shell is a VM), the token comes from the metadata server. I am not sure if or how long the token is cached. Tokens have an expiration (default 3600 seconds), so it is easy for the metadata server to cache tokens. If your code is running outside of Google Cloud, the answer depends on the library used.
question 2: what is the easiest/best way to generate a token? gcloud auth print-access-token doesn't seem to be the right way to do it when using a local machine and the SDK. This is not a productive application. This is just to test the DLP API.
Obtaining tokens from the CLI is just for testing. The normal method is to use the SDK. However, since you are using the REST API, read this article that I wrote on how to create tokens in your own code and use them in REST APIs. My article includes Python source code and an example calling the Compute API to list instances in a project.
Google Cloud – Creating OAuth Access Tokens for REST API Calls
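An added example, not code from the question, the answer or the linked article: a small cache that fetches one access token and reuses it until shortly before the 3600-second default expiry mentioned in the answer, so a test script does not shell out to gcloud for every request. The names CachedToken, gcloud_token and inspect_request and the 300-second refresh margin are assumptions made for this illustration.

```python
import shutil
import subprocess
import time

TOKEN_LIFETIME_S = 3600  # default lifetime stated in the answer
REFRESH_MARGIN_S = 300   # assumption: refresh five minutes early


def gcloud_token():
    """Fetch a token from the gcloud CLI (testing only), without a shell."""
    exe = shutil.which("gcloud")  # also resolves gcloud.cmd on Windows
    if exe is None:
        raise FileNotFoundError("gcloud not found on PATH")
    out = subprocess.run([exe, "auth", "print-access-token"],
                         check=True, stdout=subprocess.PIPE)
    return out.stdout.decode().strip()


class CachedToken:
    """Reuse one access token until it is close to expiry."""

    def __init__(self, fetch=gcloud_token, lifetime=TOKEN_LIFETIME_S,
                 margin=REFRESH_MARGIN_S, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._ttl = lifetime - margin
        self._token, self._expires = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires:
            token = self._fetch()
            if not token or any(c.isspace() for c in token):
                raise ValueError("token source returned an unusable value")
            self._token, self._expires = token, now + self._ttl
        return self._token

    def invalidate(self):  # call after an HTTP 401 to force a fresh fetch
        self._token = None

    def __repr__(self):
        return "<CachedToken [redacted]>"  # keep the token out of logs


def inspect_request(project_id, tokens):
    """URL and headers for the content:inspect call used in the question."""
    url = "https://dlp.googleapis.com/v2/projects/{}/content:inspect".format(project_id)
    headers = {"Content-Type": "application/json",
               "Authorization": "Bearer {}".format(tokens.get())}
    return url, headers
```

The returned url and headers can be passed to requests.post together with the proxies and verify=True arguments from the question.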