Oauth2在aws lambda上谷歌人api

Question

I'm trying to use google's people api on aws lambda. As the api requires oauth2 I tried to fetch the oauth2 token locally and then transfer it to aws lambda:

I store the secrets with this function:

from oauth2client.file import Storage
from oauth2client import client, tools

def get_credentials():
    credential_path = os.path.join(SCRIPT_DIR, 'people-api-secret.json')
    store = Storage(credential_path)
    credentials = store.get()
    if not credentials or credentials.invalid:
        flow = client.flow_from_clientsecrets(CLIENT_SECRET_FILE, SCOPES)
        flow.user_agent = APPLICATION_NAME
        credentials = tools.run_flow(flow, store)
        print('Storing credentials to ' + credential_path)
    return credentials

Then I transfer people-api-secret.json to aws lambda using the serverless framework. But when I try to load the secret on lambda, then store.get() returns None . The file is really there on AWS ( os.path.isfile(credential_path) returns True ).

Is it not possible to copy those secrets on another computer/IP address? If not: what would the "minimal way" of getting this to work without doing the "full fledged way" described eg here

Update Found out that it's a simple "permission denied" error on lambda: print(open(credential_path).read()) yields [Errno 13] Permission denied: '/var/task/people-api-secret.json' . I guess those variables should be put into environment instead of being read from file?

Answer 1

Upload your json with the secret key just as you're doing, then do this:

#import GoogleCredentials
from oauth2client.client import GoogleCredentials

credentials = GoogleCredentials.get_application_default()
service = discovery.build('people', 'v1', credentials=credentials,cache_discovery=False)

On your lambda configuration set GOOGLE_APPLICATION_CREDENTIALS as environment variable key and your credentials json file name as value.

It works on all my lambdas that use google api.

Answer 2

While giving the right permissions would probably have worked (according to Tom Melos comment and this github issue ) I wanted to put the secret into an environment variable because this is described as best practice.

First I needed a way to get the token, so I ran this (that needs the file client_secret.json which you can download from the google api console following this guide ):

from oauth2client import client, tools

class MyStorage(client.Storage):
    def locked_put(self, credentials):
    print("="*70)
    print("client_id: {}\nclient_secret: {}\nrefresh_token: {}".format(
        credentials.client_id, credentials.client_secret, credentials.refresh_token))
    print("="*70)

flow = client.flow_from_clientsecrets('client_secret.json', 'https://www.googleapis.com/auth/contacts.readonly')
flow.user_agent = 'my-user-agent'
storage = MyStorage()
tools.run_flow(flow, storage)

The resulting three strings I put into the environment following this guide and then was able to do this:

import os
from oauth2client import client
from apiclient import discovery

client_id = os.environ['GOOGLE_PEOPLE_CLIENT_ID']
client_secret = os.environ['GOOGLE_PEOPLE_CLIENT_SECRET']
refresh_token = os.environ['GOOGLE_PEOPLE_REFRESH_TOKEN']
credentials = client.GoogleCredentials(None, 
    client_id, 
    client_secret,
    refresh_token,
    None,
    "https://accounts.google.com/o/oauth2/token",
    'my-user-agent')
http = credentials.authorize(httplib2.Http())
service = discovery.build('people', 'v1', http=http,
    discoveryServiceUrl='https://people.googleapis.com/$discovery/rest',
    cache_discovery=False)

For more details (personally I just learned the basics of Oauth2) I've documented here what happens in these requests and why we need the refresh_token here.