PubSub: (Python) How to use JSON string as the credential for Client initialization instead of the filepath

[reselbob]

Is it possible to use just the JSON authentication credentials instead of a declaring the path to the file the contains the JSON, like so with the Python SDK library:

import os
from google.cloud import pubsub
json_string = os.environ['PUBSUB_JSON']
creds = json.loads(json_string)
client = pubsub.PublisherClient(credentials=creds)

I can do this technique in Node, but I am having trouble figuring out how to do the JSON only initialization in Python.

Thanks in advance.

[dhermes]

@reselbob Thanks for asking, here is how you'd accomplish that:

import json
from google.oauth2 import service_account

info = json.loads(json_string)
credentials = service_account.Credentials.from_service_account_info(info)

Though rather than setting the PUBSUB_JSON environment variable, you could just set theGOOGLE_APPLICATION_CREDENTIALS environment variable and then

import google.auth

credentials, project = google.auth.default()

will do exactly what you want.

In general, future questions like this may be better asked on https://github.com/GoogleCloudPlatform/google-auth-library-python/.

[dhermes]

I have closed the issue since (AFAICT) I have answered your question. If this is not the case, I'm happy to continue discussing and / or re-open.

[reselbob]

Help?

Set GOOGLE_APPLICATION_CREDENTIALS to what, the JSON?

[dhermes]

See: https://googlecloudplatform.github.io/google-cloud-python/latest/core/auth.html

I now realize you had set PUBSUB_JSON to the string itself rather than to a file containing the string.

[reselbob]

Right, I just want to use the JSON string, not the file path. I looked at the link you provided. Seeing a lot of language about using the file path. Can't seem to locate an example about how to use the JSON string. But, might be missing something. As I mentioned, I can do it in NodeJS. Thanks for your continuing attention.

[dhermes]

My first example (with from_service_account_info()) should work just fine if you already have the key file loaded as a JSON string.

[reselbob]

I am having a problem when using the JSON string.

json_string = os.environ['PUBSUB_JSON']

info = json.loads(json_string)
creds = service_account.Credentials.from_service_account_info(info)
client = pubsub.PublisherClient(credentials=creds)
topic_path = client.topic_path(os.getenv('GOOGLE_CLOUD_PROJECT'), 'cron_job_topic')
data = data.encode('utf-8')
future = client.publish(topic_path, data=data)

gives me an error:

google.auth.exceptions.RefreshError: ('invalid_scope: Empty or missing scope not allowed.', '{\n  "error" : "invalid_scope",\n  "error_description" : "Empty or missing scope not allowed."\n}')

The JSON in question works fine when declared using a file path.

[dhermes]

See my answer in googleapis/google-auth-library-python#225. Also note that you may have discovered a "bug" in Pub / Sub (#4479).

[itsPav]

Is using env variables safer/more secure than using the json file?
What difference does it really make?

[ethagnawl]

What difference does it really make?

When using environment variables, you never have to worry about credentials mistakenly being leaked via VCS.

[aaronamm]

@dhermes Thank you so much.