如何继承认证或授权Python中的Cloud Function访问其他Google API？

Question

I locally developed a Python script that successfully downloads a file from Google Drive using the Drive API and then uploads a file using the Sheets API.

To authorize my script, I downloaded the credentials.json and had my account authorized in IAM, and was using Oauth2. Here's the relevant part of the script for authentication:

def main():
    creds = None
    
    if os.path.exists('token.json'):
        creds = Credentials.from_authorized_user_file('token.json', SCOPES)
    # If there are no (valid) credentials available, let the user log in.
    if not creds or not creds.valid:
        if creds and creds.expired and creds.refresh_token:
            creds.refresh(Request())
        else:
            flow = InstalledAppFlow.from_client_secrets_file(
                'credentials.json', SCOPES)
            creds = flow.run_local_server(port=0)
        # Save the credentials for the next run
        with open('token.json', 'w') as token:
            token.write(creds.to_json())

But I'm confused as to how to implement this on Cloud Functions. Does a Cloud Function start already authenticated? I think my default service account is setup to access all the APIs. I'm lost because I don't know where to start in terms of authentication.

Answer 1

When you create your Cloud Function from the Console you need to click on dropdown to open the section ' Runtime, build, connections and security settings' from there you can choose the service account that the function will use. It might be the default App Engine service account or any other that has needed roles. You don't need to implement authentication in your code.

BTW there is also another method for authenticating while developing locally. There is a feature in GCP SDK that's called deafault application credentials. It's enough to export the variable GOOGLE_APPLICATION_CREDENTIALS and assign the path to the credentials.json file and your code will work (put in.bashrc to have it run always) you can read more here