Search code examples
c#google-cloud-platformgoogle-compute-enginegoogle-api-dotnet-clientservice-accounts

Authentication for multiple projects in GCP using service accounts

I have 2 GCP projects for which I am trying to perform authentication using C#. Because the projects are belonging to different clients, I am given access to service account json file.

Is there a way to call the Compute engine API in both the projects authenticating using service account json file?

The example code from the Google Cloud client library uses

var credential = GoogleCredential.GetApplicationDefault();

Which loads the path to the Service account key file from GOOGLE_APPLICATION_CREDENTIALS env var. This var is singular. In order for this to work I would need to load two service account JSon key files not just one.

I am resisting mixing the json file as it will a bigger security hole.

Solution

  • To help those who do not understand your question (from comments) Here is a clear definition of your problem.

    You have two accounts that you wish to connect to. Each account comes with its own Json service account key file. To connect to each of these you will need to create a compute engine service object foreach authorized with the appropriate json key file.

    The google Cloud client library for .net uses the following line to load the key file. This line seams to be in all the samples they do not show any other options for loading the key file.

    var credential = GoogleCredential.GetApplicationDefault();

    This method reads from the GOOGLE_APPLICATION_CREDENTIALS environmental variable set up on the machine. This is only a path to the key file. So if you need two you cant use the env var you need to load them manually with your own env vars or just constants.

    Your idea place the json data for both accounts in the same key file wont work as the client library will not be able to parse that.

    The solution is to use FromFile and not use GetApplicationDefault which will allow you to supply the path to each of the key files.

    // Explicitly use service account credentials by specifying 
// the private key file.
var credentialAccountOne = GoogleCredential.FromFile(jsonPathAccountOne);
var credentialAccountTwo = GoogleCredential.FromFile(jsonPathAccountTwo);