To access GCP services, create a service account using the Google Cloud console (alternatively, you can use the gcloud CLI, REST calls, or do it programmatically). Such accounts are managed by Google Cloud's Identity and Access Management (IAM). With IAM, you can grant the service account granular access to specific Google Cloud resources. For example, you can define roles with specific access privileges and apply them to selected principals (users, service accounts), granting or restricting their access to specific resources such as Pub/Sub topics or Storage buckets.
For an overview of the different kinds of service accounts, refer to the following Google article: https://cloud.google.com/iam/docs/service-account-overview
To create a service account key file, follow the steps below:
- In the Google Cloud console, go to the Service accounts page.
- Select a project.
- Click the email address of the service account that you want to create a key for.
- Click the Add key drop-down menu, then select Create new key.
- Select JSON as the Key type and click Create to download a service account key file.
The downloaded file should have the following format:
{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}
Ensure that this file is stored securely. For further details, refer to https://cloud.google.com/iam/docs/service-accounts-create
The JSON file containing the access credentials can be used in your CFML code to authenticate against the GCP services.
<cfscript>
    pubsubSvc = getCloudService(
        {
            "vendorName" = "GCP",
            "credentialJSONFilePath" = expandPath('./credentials.json')
        },
        {
            "serviceName" = "pubsub"
        }
    )
</cfscript>
The ProjectID can be passed in the credentials struct, if it is not present in the credentials JSON.
<cfscript>
    pubsubSvc = getCloudService(
        {
            vendorName = "GCP",
            credentialJSONFilePath = expandPath('./credentials.json'),
            projectID = "<yourProjectID>"
        },
        {
            "serviceName" = "pubsub"
        }
    )
</cfscript>
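The advice to store the key file securely can be checked before deployment. The following Python preflight is an added example, not part of the original page or of ColdFusion: it flags a key file that sits under the web root (where `expandPath('./credentials.json')` in the snippets above would normally resolve), is readable by other local users, or does not match the format shown earlier. It assumes a POSIX host; `audit_key_file`, the `wwwroot` and `secrets` directories and the sample key values are constructed for illustration.

```python
import json
import os
import tempfile

# Fields from the key file format on this page; project_id is handled separately.
REQUIRED = ("private_key_id", "private_key", "client_email", "token_uri")

def audit_key_file(path, web_root):
    """Return a list of findings for a key file; an empty list means it passed."""
    findings = []
    real, root = os.path.realpath(path), os.path.realpath(web_root)
    # A key under the web root can be served to any HTTP client as a static file.
    if os.path.commonpath([real, root]) == root:
        findings.append("inside web root")
    # POSIX only: any group/other permission bit exposes the private key locally.
    mode = os.stat(real).st_mode & 0o777
    if mode & 0o077:
        findings.append(f"mode {mode:03o} grants group/other access")
    try:
        with open(real, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError:
        return findings + ["not valid JSON"]
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return findings + ['"type" is not "service_account"']
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if not key.get("project_id"):
        findings.append("no project_id: pass projectID to getCloudService")
    return findings

def demo():
    """Audit two constructed key files: one in a fake web root, one outside it."""
    key = {"type": "service_account", "private_key_id": "KEY_ID",
           "private_key": "PLACEHOLDER", "client_email": "sa@example.invalid",
           "token_uri": "https://accounts.google.com/o/oauth2/token"}
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for folder, mode, pid in (("wwwroot", 0o644, ""), ("secrets", 0o600, "PROJECT_ID")):
            path = os.path.join(base, folder, "credentials.json")
            os.makedirs(os.path.dirname(path))
            with open(path, "w", encoding="utf-8") as fh:
                json.dump({**key, "project_id": pid}, fh)
            os.chmod(path, mode)
            results[folder] = audit_key_file(path, os.path.join(base, "wwwroot"))
    return results

if __name__ == "__main__":
    print(demo())
```

On a real server, point `audit_key_file` at the path passed as `credentialJSONFilePath` or held in `GOOGLE_APPLICATION_CREDENTIALS`, together with the site's actual web root.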
Setting the default credentials in an environment variable
Alternatively, you can supply the default application credentials through the environment variable shown below, which removes the need to pass them in the getCloudService method call. With this approach, you can avoid embedding the credentials in the application.
GOOGLE_APPLICATION_CREDENTIALS=path/to/your/service_account_key_file.json
<cfscript>
    writeOutput(server.system.environment.GOOGLE_APPLICATION_CREDENTIALS)
    gcpPSCred = {
        "vendorName" = "GCP"
    }
    gcpPSConfig = {
        "serviceName" = "pubsub"
    }
    pubsubSvc = getCloudService(gcpPSCred, gcpPSConfig)
</cfscript>
For further details, refer to https://cloud.google.com/docs/authentication/application-default-credentials#GAC
To use the cloud credentials or cloud configuration service alias defined in ColdFusion Administrator, you can create the cloud service client object in the following manner:
<cfscript>
    pubsubSvc = getCloudService("GCPCloudCredentialsAlias", "GCPCloudServiceConfigAlias")
</cfscript>