Google Cloud上的自定义身份提供商

Question

I'm a beginner when it comes to Google Cloud. I have only worked with AWS before, but for this purpose I want to give Google Cloud a try. I want to create an application where I don't have human users, but instead there are multiple instances of the same client application trying to access the pub/sub service. I would like each one of these users to come to register with my cloud function, which in return will:

• create a pub/sub topic that only this client can listen to
• return an identifier/key/something that can be used to authenticate the client the next time

How should I handle the authentication in this case? Should I create service credentials for each one of the clients? Or is there a way to provide a custom Identity Provider?

Answer 1

The first question is answered in this answer .

For the second one, the best way is for the user to be identified with Google oauth (aka a Google account).

When you create the pub/sub topic for this user, you should have already identified them, so you can set the proper permissions on the thread. Then, the user can simply call the pub/sub endpoint identified.

GCF, GAE apps, apps running on GKE, ... all of those have service accounts associated with them, so there should not be a problem to properly identify each client app running there.

If those users don't have an account (eg the client app is running outside of GCP), you can ask your human users (the ones running the client apps) to either:

• Authenticate with their user account on your client app
• Create a service account in GCP and make the client app use it

If those are not options, you can create a service account for each of your users, and provide the proper service account key file to each client.