如何使用 OAuth2 对 PHP 中的 Google Cloud API 进行身份验证

Question

I am trying to interact with Google Cloud APIs using the https://github.com/googleapis/google-cloud-php packages.

For instance, here I am issuing a request for Billing Accounts:

$client = new CloudBillingClient();
$accounts = $client->listBillingAccounts();

foreach ($accounts as $account) {
    print('Billing account: ' . $account->getName() . PHP_EOL);
}

This obviously doesn't work as there are no credentials, and throws an error:

Google\ApiCore\ValidationException
Could not construct ApplicationDefaultCredentials 

So how do I authenticate to get the Billing query to work? To be clear, I can use another OAuth2 library to get an access_token, no problems. For example in this Laravel controller:

use League\OAuth2\Client\Provider\Google as GoogleProvider;

class GoogleAuthController extends Controller
{
    public function index()
    {
        $provider = new GoogleProvider([
            'clientId'     => $clientId,
            'clientSecret' => $clientSecret,
            'redirectUri'  => $redirectUri // will use this same url 'index'
        ]);

        $authUrl = $provider->getAuthorizationUrl([
            'scope' => [
                'https://www.googleapis.com/auth/cloud-platform'
            ]
        ]);

        // This is the first request for authorization
        if (empty($_GET['code']))
        {
            session()->put('oauth2state', $provider->getState());
            return redirect($authUrl);
        }
        // This is the returned request from Google
        else
        {
            $token = $provider->getAccessToken('authorization_code', [
                'code' => $_GET['code']
            ]);

            // I HAVE A TOKEN NOW! I can do a request using Guzzle, like below, and it works fine.
            // But surely Google's package should allow me to do this?!?!?

            $response = Http::get('https://cloudresourcemanager.googleapis.com/v1/projects', [
                'access_token' => $token
            ]);
            return $response;
        }
    }
}

However, I would like to leverage the power of Google's already-built libraries.

Looking through the Google Auth package for PHP ( https://github.com/googleapis/google-auth-library-php ) I see lots of mention of OAuth, and it seems possible to use credentials generated by that library with the Google Cloud packages ( https://github.com/googleapis/google-cloud-php ), like the BillingClient above. But I am struggling with how .

Edit

Further to this: in jdp's answer below he uses the 'credentials' config key. Note this comment in the source of CloudBillingGapicClient: "In addition, this option can also accept a pre-constructed \Google\Auth\FetchAuthTokenInterface object or \Google\ApiCore\CredentialsWrapper} object". When I look at the OAuth2 class in Google's Auth package I see that it implements FetchAuthTokenInterface. So it seems like it should be usable to pass OAuth credentials. I am just lost as to how.

Answer 1

You can create a service account and download the credentials file, then configure application default credentials . From there clients will be automatically authenticated.

You can also provide the credentials directly when creating a client:

$client = new CloudBillingClient([
    'credentials' => '/path/to/keyfile.json'
]);

$accounts = $client->listBillingAccounts();

foreach ($accounts as $account) {
    print('Billing account: ' . $account->getName() . PHP_EOL);
}