驗證用戶端程式庫

本頁說明如何使用用戶端程式庫存取 Google API。

使用支援的語言,透過用戶端程式庫更輕鬆地存取 Google Cloud API。您可以直接向伺服器發出原始要求來使用 API,但用戶端程式庫提供的簡化功能可大幅減少您需要編寫的程式碼量。 Google Cloud 驗證作業尤其如此,因為用戶端程式庫支援應用程式預設憑證 (ADC)

如果您接受來自外部來源 (例如客戶) 的憑證設定 (JSON、檔案或串流),請參閱使用外部來源憑證設定時的安全規定

搭配用戶端程式庫使用應用程式預設憑證

如要使用應用程式預設憑證驗證應用程式,您必須先為應用程式執行的環境設定 ADC。使用用戶端程式庫建立用戶端時,用戶端程式庫會自動檢查您提供給 ADC 的憑證,並使用這些憑證向程式碼使用的 API 進行驗證。您的應用程式不需要明確驗證或管理權杖,驗證程式庫會自動管理這些需求。

在本地開發環境中,您可以使用 gcloud CLI 透過使用者憑證透過服務帳戶模擬設定 ADC。如果是實際工作環境,請附加服務帳戶來設定 ADC。

建立用戶端範例

下列程式碼範例會建立 Cloud Storage 服務的用戶端。 您的程式碼可能需要不同的用戶端;這些範例僅用於說明如何建立及使用用戶端,不必使用任何程式碼明確驗證。

您必須先完成下列步驟,才能執行下列範例:

Go

import (
	"context"
	"fmt"
	"io"

	"cloud.google.com/go/storage"
	"google.golang.org/api/iterator"
)

// authenticateImplicitWithAdc uses Application Default Credentials
// to automatically find credentials and authenticate.
func authenticateImplicitWithAdc(w io.Writer, projectId string) error {
	// projectId := "your_project_id"

	ctx := context.Background()

	// NOTE: Replace the client created below with the client required for your application.
	// Note that the credentials are not specified when constructing the client.
	// The client library finds your credentials using ADC.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("NewClient: %w", err)
	}
	defer client.Close()

	it := client.Buckets(ctx, projectId)
	for {
		bucketAttrs, err := it.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			return err
		}
		fmt.Fprintf(w, "Bucket: %v\n", bucketAttrs.Name)
	}

	fmt.Fprintf(w, "Listed all storage buckets.\n")

	return nil
}

Java


import com.google.api.gax.paging.Page;
import com.google.cloud.storage.Bucket;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
import java.io.IOException;

public class AuthenticateImplicitWithAdc {

  public static void main(String[] args) throws IOException {
    // TODO(Developer):
    //  1. Before running this sample,
    //  set up Application Default Credentials as described in
    //  https://cloud.google.com/docs/authentication/external/set-up-adc
    //  2. Replace the project variable below.
    //  3. Make sure you have the necessary permission to list storage buckets
    //  "storage.buckets.list"
    String projectId = "your-google-cloud-project-id";
    authenticateImplicitWithAdc(projectId);
  }

  // When interacting with Google Cloud Client libraries, the library can auto-detect the
  // credentials to use.
  public static void authenticateImplicitWithAdc(String project) throws IOException {

    // *NOTE*: Replace the client created below with the client required for your application.
    // Note that the credentials are not specified when constructing the client.
    // Hence, the client library will look for credentials using ADC.
    //
    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests.
    Storage storage = StorageOptions.newBuilder().setProjectId(project).build().getService();

    System.out.println("Buckets:");
    Page<Bucket> buckets = storage.list();
    for (Bucket bucket : buckets.iterateAll()) {
      System.out.println(bucket.toString());
    }
    System.out.println("Listed all storage buckets.");
  }
}

Node.js

/**
 * TODO(developer):
 *  1. Uncomment and replace these variables before running the sample.
 *  2. Set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc
 *  3. Make sure you have the necessary permission to list storage buckets "storage.buckets.list"
 *    (https://cloud.google.com/storage/docs/access-control/iam-permissions#bucket_permissions)
 */
// const projectId = 'YOUR_PROJECT_ID';

const {Storage} = require('@google-cloud/storage');

async function authenticateImplicitWithAdc() {
  // This snippet demonstrates how to list buckets.
  // NOTE: Replace the client created below with the client required for your application.
  // Note that the credentials are not specified when constructing the client.
  // The client library finds your credentials using ADC.
  const storage = new Storage({
    projectId,
  });
  const [buckets] = await storage.getBuckets();
  console.log('Buckets:');

  for (const bucket of buckets) {
    console.log(`- ${bucket.name}`);
  }

  console.log('Listed all storage buckets.');
}

authenticateImplicitWithAdc();

PHP

// Imports the Cloud Storage client library.
use Google\Cloud\Storage\StorageClient;

/**
 * Authenticate to a cloud client library using a service account implicitly.
 *
 * @param string $projectId The Google project ID.
 */
function auth_cloud_implicit($projectId)
{
    $config = [
        'projectId' => $projectId,
    ];

    # If you don't specify credentials when constructing the client, the
    # client library will look for credentials in the environment.
    $storage = new StorageClient($config);

    # Make an authenticated API request (listing storage buckets)
    foreach ($storage->buckets() as $bucket) {
        printf('Bucket: %s' . PHP_EOL, $bucket->name());
    }
}

Python


from google.cloud import storage


def authenticate_implicit_with_adc(project_id="your-google-cloud-project-id"):
    """
    When interacting with Google Cloud Client libraries, the library can auto-detect the
    credentials to use.

    // TODO(Developer):
    //  1. Before running this sample,
    //  set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc
    //  2. Replace the project variable.
    //  3. Make sure that the user account or service account that you are using
    //  has the required permissions. For this sample, you must have "storage.buckets.list".
    Args:
        project_id: The project id of your Google Cloud project.
    """

    # This snippet demonstrates how to list buckets.
    # *NOTE*: Replace the client created below with the client required for your application.
    # Note that the credentials are not specified when constructing the client.
    # Hence, the client library will look for credentials using ADC.
    storage_client = storage.Client(project=project_id)
    buckets = storage_client.list_buckets()
    print("Buckets:")
    for bucket in buckets:
        print(bucket.name)
    print("Listed all storage buckets.")

Ruby

def authenticate_implicit_with_adc project_id:
  # The ID of your Google Cloud project
  # project_id = "your-google-cloud-project-id"

  ###
  # When interacting with Google Cloud Client libraries, the library can auto-detect the
  # credentials to use.
  # TODO(Developer):
  #   1. Before running this sample,
  #      set up ADC as described in https://cloud.google.com/docs/authentication/external/set-up-adc
  #   2. Replace the project variable.
  #   3. Make sure that the user account or service account that you are using
  #      has the required permissions. For this sample, you must have "storage.buckets.list".
  ###

  require "google/cloud/storage"

  # This sample demonstrates how to list buckets.
  # *NOTE*: Replace the client created below with the client required for your application.
  # Note that the credentials are not specified when constructing the client.
  # Hence, the client library will look for credentials using ADC.
  storage = Google::Cloud::Storage.new project_id: project_id
  buckets = storage.buckets
  puts "Buckets: "
  buckets.each do |bucket|
    puts bucket.name
  end
  puts "Plaintext: Listed all storage buckets."
end

搭配用戶端程式庫使用 API 金鑰

您只能搭配接受 API 金鑰的 API 用戶端程式庫使用 API 金鑰。此外,API 金鑰不得設有 API 限制,導致無法用於 API。

如要進一步瞭解在快捷模式中建立的 API 金鑰,請參閱 Google Cloud 快捷模式常見問題

本範例使用接受 API 金鑰的 Cloud Natural Language API,示範如何向程式庫提供 API 金鑰。

C#

如要執行這個範例,您必須安裝 Natural Language 用戶端程式庫


using Google.Cloud.Language.V1;
using System;

public class UseApiKeySample
{
    public void AnalyzeSentiment(string apiKey)
    {
        LanguageServiceClient client = new LanguageServiceClientBuilder
        {
            ApiKey = apiKey
        }.Build();

        string text = "Hello, world!";

        AnalyzeSentimentResponse response = client.AnalyzeSentiment(Document.FromPlainText(text));
        Console.WriteLine($"Text: {text}");
        Sentiment sentiment = response.DocumentSentiment;
        Console.WriteLine($"Sentiment: {sentiment.Score}, {sentiment.Magnitude}");
        Console.WriteLine("Successfully authenticated using the API key");
    }
}

C++

如要執行這個範例,您必須安裝 Natural Language 用戶端程式庫

#include "google/cloud/language/v1/language_client.h"
#include "google/cloud/credentials.h"
#include "google/cloud/options.h"

void AuthenticateWithApiKey(std::vector<std::string> const& argv) {
  if (argv.size() != 2) {
    throw google::cloud::testing_util::Usage{
        "authenticate-with-api-key <project-id> <api-key>"};
  }
  namespace gc = ::google::cloud;
  auto options = gc::Options{}.set<gc::UnifiedCredentialsOption>(
      gc::MakeApiKeyCredentials(argv[1]));
  auto client = gc::language_v1::LanguageServiceClient(
      gc::language_v1::MakeLanguageServiceConnection(options));

  auto constexpr kText = "Hello, world!";

  google::cloud::language::v1::Document d;
  d.set_content(kText);
  d.set_type(google::cloud::language::v1::Document::PLAIN_TEXT);

  auto response = client.AnalyzeSentiment(d, {});
  if (!response) throw std::move(response.status());
  auto const& sentiment = response->document_sentiment();
  std::cout << "Text: " << kText << "\n";
  std::cout << "Sentiment: " << sentiment.score() << ", "
            << sentiment.magnitude() << "\n";
  std::cout << "Successfully authenticated using the API key\n";
}

Go

如要執行這個範例,您必須安裝 Natural Language 用戶端程式庫

import (
	"context"
	"fmt"
	"io"

	language "cloud.google.com/go/language/apiv1"
	"cloud.google.com/go/language/apiv1/languagepb"
	"google.golang.org/api/option"
)

// authenticateWithAPIKey authenticates with an API key for Google Language
// service.
func authenticateWithAPIKey(w io.Writer, apiKey string) error {
	// apiKey := "api-key-string"

	ctx := context.Background()

	// Initialize the Language Service client and set the API key.
	client, err := language.NewClient(ctx, option.WithAPIKey(apiKey))
	if err != nil {
		return fmt.Errorf("NewClient: %w", err)
	}
	defer client.Close()

	text := "Hello, world!"
	// Make a request to analyze the sentiment of the text.
	res, err := client.AnalyzeSentiment(ctx, &languagepb.AnalyzeSentimentRequest{
		Document: &languagepb.Document{
			Source: &languagepb.Document_Content{
				Content: text,
			},
			Type: languagepb.Document_PLAIN_TEXT,
		},
	})
	if err != nil {
		return fmt.Errorf("AnalyzeSentiment: %w", err)
	}

	fmt.Fprintf(w, "Text: %s\n", text)
	fmt.Fprintf(w, "Sentiment score: %v\n", res.DocumentSentiment.Score)
	fmt.Fprintln(w, "Successfully authenticated using the API key.")

	return nil
}

Node.js

如要執行這個範例,您必須安裝 Natural Language 用戶端程式庫


const {
  v1: {LanguageServiceClient},
} = require('@google-cloud/language');

/**
 * Authenticates with an API key for Google Language service.
 *
 * @param {string} apiKey An API Key to use
 */
async function authenticateWithAPIKey(apiKey) {
  const language = new LanguageServiceClient({apiKey});

  // Alternatively:
  // const {GoogleAuth} = require('google-auth-library');
  // const auth = new GoogleAuth({apiKey});
  // const language = new LanguageServiceClient({auth});

  const text = 'Hello, world!';

  const [response] = await language.analyzeSentiment({
    document: {
      content: text,
      type: 'PLAIN_TEXT',
    },
  });

  console.log(`Text: ${text}`);
  console.log(
    `Sentiment: ${response.documentSentiment.score}, ${response.documentSentiment.magnitude}`,
  );
  console.log('Successfully authenticated using the API key');
}

authenticateWithAPIKey();

Python

如要執行這個範例,您必須安裝 Natural Language 用戶端程式庫


from google.cloud import language_v1


def authenticate_with_api_key(api_key_string: str) -> None:
    """
    Authenticates with an API key for Google Language service.

    TODO(Developer): Replace this variable before running the sample.

    Args:
        api_key_string: The API key to authenticate to the service.
    """

    # Initialize the Language Service client and set the API key
    client = language_v1.LanguageServiceClient(
        client_options={"api_key": api_key_string}
    )

    text = "Hello, world!"
    document = language_v1.Document(
        content=text, type_=language_v1.Document.Type.PLAIN_TEXT
    )

    # Make a request to analyze the sentiment of the text.
    sentiment = client.analyze_sentiment(
        request={"document": document}
    ).document_sentiment

    print(f"Text: {text}")
    print(f"Sentiment: {sentiment.score}, {sentiment.magnitude}")
    print("Successfully authenticated using the API key")

在應用程式中使用 API 金鑰時,請確保儲存和傳輸期間的金鑰安全無虞。公開 API 金鑰可能會導致帳戶產生非預期費用。詳情請參閱「管理 API 金鑰的最佳做法」。

使用外部來源的憑證設定時的安全需求

一般來說,您可以使用 gcloud CLI 指令或 Google Cloud 控制台產生憑證設定。舉例來說,您可以使用 gcloud CLI 產生本機 ADC 檔案或登入設定檔。同樣地,您可以使用 Google Cloud 控制台建立及下載服務帳戶金鑰。

不過,在某些情況下,憑證設定是由外部實體提供,這些憑證設定用於向 Google API 進行驗證。

部分類型的憑證設定包含端點和檔案路徑,驗證程式庫會使用這些資訊取得權杖。接受外部來源的憑證設定時,您必須先驗證設定,才能使用。如果未驗證設定,惡意行為人可能會使用憑證入侵您的系統和資料。

驗證外部來源的憑證設定

驗證外部憑證的方式取決於應用程式接受的憑證類型。

驗證服務帳戶金鑰

如果應用程式接受服務帳戶金鑰,請使用服務帳戶金鑰專用的憑證載入器,如下列範例所示。特定類型的憑證載入器只會剖析服務帳戶金鑰的欄位,不會暴露任何安全漏洞。

C#

var saCredential = ServiceAccountCredential.FromServiceAccountData(stream);

C++ 

auto cred = google::cloud::MakeServiceAccountCredentials(json)

Java

ServiceAccountCredentials credentials =
      ServiceAccountCredentials.fromStream(credentialsStream);

Node.js

const keys = JSON.parse(json_input)
const authClient = JWT.fromJSON(keys);

PHP

cred = new Google\Auth\Credentials\ServiceAccountCredentials($scope, $jsonKey);

Python

cred = service_account.Credentials.from_service_account_info(json_data)

Ruby

creds = Google::Auth::ServiceAccountCredentials.make_creds(json_key_io: json_stream)

如果無法使用特定類型的憑證載入器,請確認 type 欄位的值為 service_account,藉此驗證憑證。如果 type 欄位的值為其他值,請勿使用服務帳戶金鑰。

驗證其他憑證設定

如果應用程式接受服務帳戶金鑰以外的任何類型憑證,則必須進行額外驗證。其他類型的憑證設定範例包括 ADC 憑證檔案Workload Identity 聯盟憑證檔案,或 Workforce Identity 聯盟登入設定檔

下表列出憑證中可能出現的欄位,您需要驗證這些欄位。並非所有憑證設定都會顯示這些欄位。

欄位 目的 預期值
service_account_impersonation_url 驗證程式庫會使用這個欄位存取端點,為要模擬的服務帳戶產生存取權杖。 https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/service account email:generateAccessToken
token_url 驗證程式庫會將外部權杖傳送至這個端點,以交換同盟存取權杖 https://sts.googleapis.com/v1/token
credential_source.file 驗證程式庫會從這個欄位指定位置的檔案讀取外部權杖,並傳送至 token_url 端點。 含有外部權杖的檔案路徑。您應該會認出這個路徑。
credential_source.url 傳回外部權杖的端點。驗證程式庫會將要求傳送至這個網址,並將回應傳送至 token_url 端點。

下列其中一項:

  • 雲端供應商提供的知名端點。
  • 您明確設定的端點,用於提供權杖。
credential_source.executable.command 如果 GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES 環境變數設為 1,驗證程式庫會執行這項指令或可執行檔。 可執行檔或指令,會傳回外部權杖。 您應該會認得這項指令,並驗證其安全性。
credential_source.aws.url 驗證程式庫會向這個網址發出要求,以擷取 AWS 安全權杖。

下列任一確切值:

  • http://169.254.169.254/latest/meta-data/iam/security-credentials
  • http://[fd00:ec2::254]/latest/meta-data/iam/security-credentials
credential_source.aws.region_url 驗證程式庫會向這個網址發出要求,以擷取有效的 AWS 區域。

下列任一確切值:

  • http://169.254.169.254/latest/meta-data/placement/availability-zone
  • http://[fd00:ec2::254]/latest/meta-data/placement/availability-zone
credential_source.aws.imdsv2_session_token_url 驗證程式庫會向這個網址發出要求,以擷取 AWS 工作階段權杖。

下列任一確切值:

  • http://169.254.169.254/latest/api/token
  • http://[fd00:ec2::254]/latest/api/token

後續步驟