Appendix C — Google auth via cli

Important

This method of creating google credentials uses the gcloud command line tool. It’s a bit more esoteric that the web-based setup we do in Part 2: Google auth, but I’m preserving it here.

There is a point in class when your computer will need access to your Google Drive account. Much like ssh keys, we’ll need specific credentials that work only for you. We will use the Google Cloud Project’s command line interface tool to do this. Otherwise known as the gcloud CLI.

IMPORTANT: You must have and use a PERSONAL Gmail/Google account for this process. Your UTMail Google account will not work.

C.0.1 Install Google Cloud tools

Again, differences between macOS and Windows.

To make the installation of packages simple, we are going to use the MacOS package manager brew to install some Google Cloud tools. You should already have brew installed from earlier in the semester.

  1. Run the following to install the Google Cloud SDK

    brew install --cask google-cloud-sdk

  2. Test: Run gcloud --version and make sure a version number is returned.

  1. Follow the instructions found in this link to download and install the gcloud CLI tool.
  2. Test: Once the installation has finished, run the command gcloud --version in your terminal, and you should get some output similar to this: Google Cloud SDK 428.0.0

C.0.2 Authenticate our session

We are now going to authenticate our Google credentials on our local machine.

Make sure to select your personal gmail account for this part. If you are logged into your utexas.edu email, you won’t have permission to do what we need to do. It works best if you log out of all your accounts in all your browsers (Chrome, Safari, Edge, etc) before you start.

  1. In a Terminal, use the following command:

    gcloud auth login --brief --enable-gdrive-access

This will open a browser and ask you to log into your Google account. Select your personal gmail account, you will be sent to a permissions screen that will look something like this:

gcloud auth
  1. Click Allow and you will have given your computer access to manage files on your Google Drive and in the Google Cloud Project.
  2. In the same browser that opened, go to console.cloud.google.com, where it should ask you to OK the terms of service.

C.0.3 Create and configure project

Again, be in your personal Google account as you will have to authenticate again.

We are going to run through several gcloud commands to set you computer to access Google Docs and Google sheets through programing. It’s a lot of ecsoteric steps and things could go wrong at each step. I don’t outline the output you get in return, but there can be a little or a lot.

Just keep an eye out for ERROR or can't find [whatever] and hollar if that happens.

Important

You have to edit some of the commands below to be personal to you. Everywhere you see icj-YOURNAME you need to edit that part of the command to use your first name, all lowercase, like icj-alex. Then you use that same value for the later commands that use icj-YOURNAME. PLEASE ASK FOR HELP IF YOU NEED IT. Important: After you paste a terminal command, to edit it you have the use the left arrow key to get to the part of the command to then delete and make changes.

  1. Do this command to create the project (but edit icj-YOURNAME as noted above):

    gcloud projects create icj-YOURNAME --set-as-default --name="ICJ Project"

  2. Do this to log in and set your project as a default:

    gcloud auth application-default login

  3. Next, we’ll create a Google service account:

    gcloud iam service-accounts create generic-service-account

  4. Next we need to bind the service account to our project with the command below. You should get a reply that reports bindings for roles of editor and owner. (There are TWO places here where you have to switch out icj-YOURNAME.)

    gcloud projects add-iam-policy-binding icj-YOURNAME --member='serviceAccount:generic-service-account@icj-YOURNAME.iam.gserviceaccount.com' --role='roles/editor'

  5. Then we enable the Google Docs and Sheets API for your project:

    gcloud services enable docs.googleapis.com sheets.googleapis.com

  6. Now we’ll create a service account authorization key. This is similar to ssh key above, but for Google. Again, swap out icj-YOURNAME:

    gcloud iam service-accounts keys create "$HOME/.config/gcloud/service_account_key.json" \
    --iam-account=generic-service-account@icj-YOURNAME.iam.gserviceaccount.com

  7. Then add the key to your .bash_profile with this commaned:

    echo 'export GOOGLE_APPLICATION_CREDENTIALS="$HOME/.config/gcloud/service_account_key.json"' >>~/.bash_profile

  8. Sync your terminal with the updated bash profile:

    source ~/.bash_profile

Yes, that was a lot. Hopefuly it worked. We’re about to find out.

NOTE: It is absolutely imperative that you DO NOT commit the contents of service_account_key.json as a file in a project. If someone else were able to see the contents of that file, they could execute any action that service account has in its abilities. Since service_account_key.json is in the .gitignore file, you should not be able to check it in, but it is important to remember that for the sake of transparency.

C.1 Test these settings

  1. Create a folder in your icj folder called yourname-test.

  2. Open that folder in Visual Studio Code.

  3. Open a VS Code Terminal and run:

    degit utdata/icj-google-fetch-test#main

You should get this in return:

> cloned utdata/icj-google-fetch-test#main

And it will download a bunch of files into your folder.

  1. Run npm install. This will also download a bunch of files. It might take a couple of minutes to run.
  2. Run gulp fetch.

If everything works, you should have a return like this:

$ gulp fetch
[14:38:53] Using gulpfile ~/Documents/icj/icj-fetch-test/gulpfile.js
[14:38:53] Starting 'fetch'...
[14:38:53] Finished 'fetch' after 8.61 ms
Downloaded `library` (1RgMhjtkXlbbf9uzSzy_xPRKwxcVZIZqVytgM_JoU4E4)
Downloaded `bookstores` (1gDwO-32cgpBDn_0niV0iu6TqQTaRDr4nmSqnT53magY)

Your path might differ for “Using gulpfile”, but what you are looking for is that two files were downloaded, one called library and one called bookstores.

You should be done!

C.2 Google auth access

There is one gulp command that will not work in Codespaces unless you jump through some extra hoops.

gulp fetch is the command that downloads Google Docs and Sheets documents as JSON, as outlined in project.config.json. The process expects to find an authorization file on your own computer that we set up in icj-setting-up Part 2, but that file doesn’t exist on the Codespaces virtual machine.

You’ll need to set up two environment variables to make it work.

NOTE: It is absolutely imperative that you DO NOT commit the contents of service_account_key.json to your branch at all. If someone else were able to see the contents of that file, they could execute any action that service account has in its abilities. Since service_account_key.json is in the .gitignore file, you should not be able to check it in, but it is important to remember that for the sake of transparency.

We will be following the process shown here.

As you follow those steps you’ll need the information below.

C.2.1 Codespaces secret

  • The “Name” of the secret will be SERVICE_ACCOUNT_CREDENTIALS.

  • The “Content” of the secret will be the contents of the file created in ICJ setup Part 2. You should be able to “copy” that file from your terminal by running the following command:

    pbcopy < $HOME/.config/gcloud/service_account_key.json

    Return to your web browser and for the “Value” do Cmd-v to paste the contents of your clipboard.

  • At the step you add repositories, you’ll need to add your repo that is a copy of the icj-project-rig.

If you build other projects that need the credential, you can come here and edit the secret to add the new repo.

C.2.2 Might have to restart

If you already had a Codespace running, you might have to stop and restart it to recognize the new secret.

You could try this command below first, but I’m not certain it will work.

npm run codespace-google-auth

After doing that, you should be able to run gulp fetch to update the data JSON files.

C.3 gcloud cli commands

This is for Prof. McDonald’s memory and you shouldn’t have to worry about it.

We end up using the Google Cloud SDK to set up authorization to allow programming access to Google Docs and Sheets. Some useful commands:

  • gcloud auth list tells you which account you are in and how to set a new active account.
  • gcloud auth revoke logs you out of your active account. --all flag logs you out of all accounts, I think.
  • gcloud projects list shows all the projects for the account.
  • gcloud config get-value project shows you which project you are in.
  • gcloud config set project [project-id] but replace [project-id] with the project name.

See Setting Up Part 2 for commands to set up a project and enable the APIs.