I want to use "Http Request Headers" to connect to BigQuery without using Urlfetchapp.
I want to authenticate my service account with the BigQuery-specific library that AppsScript provides.
I want to rewrite this code to accept headers(without using Urlfetchapp)
BigQuery.Jobs.query({
query: " SOME QUERY; " ,
useLegacySql: false
}, projectID);
This page has the specs, but I couldn't figure it out.
https://developers.google.com/apps-script/guides/services/advanced#how_method_signatures_are_determined
Unfortunately, that's not possible. Both the built-in and advanced services in Google Apps Script leverage user-specific account credentials. There is no way to modify those services to use a service account.
To use service accounts, you'll need to generate those credentials yourself (JSON Web Token keys) and use them to create access tokens to authorize your queries against the BigQuery API (via UrlFetchApp.fetch()).
However, Eric Koleda's OAuth2 library does support the two-legged OAuth flow required by service accounts and therefore removes the tedium of implementing it for yourself.
Here's a link to the documentation on how to use set-up a two-legged OAuth flow for service accounts using that library:
Using Service Accounts
That should be enough to get you moving in the right direction.
URLfetchapp is used to issue HTTP and HTTPS request and response headers, so to connect BigQuery with GAS with request headers, URLFetchApp has to be used using URLFetchApp.fetch method as mentioned in the documentation.
Moreover for authenticating the service accounts, you can use OAuth2 for Apps Scripts which uses access tokens for authorization. You can check the setup process in this link. For using OAuth2 with a service account, you need to create a service account and also need to create a JWT(JSON Web Token). You can request an access token from Google which can be used to make API calls. For more information, you can check this documentation.
Related
I've created lots of Google App Script scripts for Classroom API and the Admin Groups and Drive APIs but I can't seem to get started with AdminReports.
I get the message:
"AdminReports is not defined"
and I can't see it listed in the services that one can add in the scripting environment.
Is it because it's an advanced service? Is there something else that I need to do to get it up and running?
Enable Advanced Google Services:
To use an advanced Google service, follow these instructions:
New Editor:
Configuration
Select Admin SDK API
Select reports_v1 as API Version
(Optional) Replace AdminDirectory with AdminReports
*From https://developers.google.com/admin-sdk/reports/reference/rest?hl=en
Service: admin.googleapis.com
To call this service, we recommend that you use the Google-provided client libraries. If your application needs to use your own libraries to call this service, use the following information when you make the API requests.
Discovery document
A Discovery Document is a machine-readable specification for describing and consuming REST APIs. It is used to build client libraries, IDE plugins, and other tools that interact with Google APIs. One service may provide multiple discovery documents. This service provides the following discovery document:
https://admin.googleapis.com/$discovery/rest?version=reports_v1
Service endpoint
A service endpoint is a base URL that specifies the network address of an API service. One service might have multiple service endpoints. This service has the following service endpoint and all URIs below are relative to this service endpoint:
https://admin.googleapis.com
REST Resource: activities
list: GET /admin/reports/v1/activity/users/{userKey}/applications/{applicationName}
Retrieves a list of activities for a specific customer's account and application such as the Admin console application or the Google Drive application.
watch:
POST /admin/reports/v1/activity/users/{userKey}/applications/{applicationName}/watch
Start receiving notifications for account activities.
REST Resource: customerUsageReports
get: GET /admin/reports/v1/usage/dates/{date}
Retrieves a report which is a collection of properties and statistics for a specific customer's account.
REST Resource: entityUsageReports
get: GET /admin/reports/v1/usage/{entityType}/{entityKey}/dates/{date}
Retrieves a report which is a collection of properties and statistics for entities used by users within the account.
REST Resource: userUsageReport
get: GET /admin/reports/v1/usage/users/{userKey}/dates/{date}
Retrieves a report which is a collection of properties and statistics for a set of users with the account.
I have a google cloud function in Java.
Client will invoke the function using HTTP trigger URL.
But that is not secure. I have gone through some docs saying that you should pass a token or client ID and then verify it in server side.
Can anyone explain that in detail and please provide a code example if any.
My doubt is to authenticate the client while they invoke the function using Http trigger
This page explains quite well all the capacity that you have to authenticate a requester on Cloud Functions.
If you have users, the best way is to use Firebase Auth (our Google Cloud Identity Platform which is simply a more advance solution than Firebase Auth with more features)
However, you need to grant all you user with cloudfunction.invoker role, to allow them to invoke the Cloud Functions. It could be difficult. You can also perform the check on your side, but in this case you remove the security (filter) layer of google and you have to check all the traffic by yourselves (not really safe, in term of billing and in case of attack).
The latest solution, API keys, is not recommended, especially for the users. But for machine to machine it's sometime the only solution. However, there isn't out of the box solution and for this I wrote an article, that explains how to create a Cloud Endpoint (or now a Cloud API Gateway which is the serverless solution of Cloud Endpoint with ESPv2) to accept API Keys.
With this latest solution, if you change your security definition, you can also accept OAuth2 tokens coming from Firebase Auth (or Cloud Identity Platform), but this time, you don't need to grant all the users on your Cloud Functions IAM role. The token only need to be valid and it's the Cloud Endpoint service account which is used to perform the call (and thus which needs to be authorized on the Cloud Functions).
In addition, because you can accept OAuth2 token, you can also accept non Google token, and thus have your users in any IDP OAuth2 compliant (KeyCloak, Okta,...)
You could use external OAuth server like keycloack (https://github.com/keycloak/keycloak), or use somethging like Json Web Tokens -- https://jwt.io/ -- available for various languages, siutable for microservices.
I am new to google cloud functions and try to restrict access to my function by only requests from dialogflow webhooks. I see two options in gcloud console: allow unauthenticated requests and restrict by user accounts. I don't understand how to implement that authentication. Dialogflow webhooks has options to set http headers that sets in webhook requests. But gcloud console hasn't interface/options to obtain any data that I can write as http authentication header. So I see only option implement authetication flow in cloud function, but in that way why google added option to restrict access by http authentication. Can anyone give me an example step-by-step example how to obtain http headers names and data needed to implement http authentication on cloud functions from dialogflow webhooks?
There isn't built in authentication, you have to perform it by yourselves. You have some guidance here in the Google Cloud Documentation
In summary, set your function public (allow unauthenticated) and perform the check in your code.
I'm the administrator of a Bim360 Docs Hub,and i'm trying to retrieve some data from the forge API. I've already created a test app, and i get a Bim 360 Account Id.
I'm not able to get an authentication bearear token (OAuth), to make simple get requests towards projects.
Where do i get the auth token ?
Thanks
See tutorial here to aquire OAuth tokens and note that you will need different permutations of OAuth scopes (esp. data:read data:write etc.) for different operations, as is specified in the docs of each and every API, see an example here.
You may use a RESTful client like Postman to talk to our APIs and manage the authentication flow and operate on response data with JavaScript as you like so as to build workflows such as to create a new project.
Last but not least before you can access BIM360 APIs make sure you provision access to your app.
I am building an application that consists of two strongly separated parts:
Backend server is running on AppEngine that access gsuite domain data using Google service account.
Spreadsheet plugin written with Apps Script, that is directly installed by the users.
Spreadsheet plugin should access backend server REST endpoint.
I want to implement authorization for the "Apps Script" -> "Backend Server" connection. The only information I found on this Make requests to services with OAuth
I don't want to implement my own user management and want to use the Google Accounts for authorization. As far as I understand the single way to do this is implement OAuth on the server side and then follow o.
I wonder if there a better approach or best practices to implement this?
Unfortunately, there isn't another mode of "authorisation" besides the one you've already mentioned/explored i.e OAuth.
What I would recommend as an alternate is to use JSON Web Tokens (JWTs).
Twilio's Authy uses it to create user registrations without any PIIs and JWTs in Google Apps Script should help you with that.
Hope this helps.