To access Google Cloud products and services programmatically, you use
Cloud APIs. These APIs expose a simple JSON REST
interface. The recommended way to access the Cloud APIs is to use the
Cloud Client Libraries.
Cloud Code makes it easy to add the Cloud Client Libraries
for the Cloud APIs and language you're using to your project. In the same view,
you can search for samples for each API and easily incorporate samples into your
application.
Browsing Cloud APIs
To explore all available Google Cloud APIs:
Click Cloud Code and then expand the Cloud APIs section.
The Cloud APIs view groups Cloud APIs by category.
To view details of an API, click the API name. Details such as the service
name, status, installation instructions for client libraries, documentation,
and code samples are displayed.
Enabling Cloud APIs
To enable Cloud APIs for a project using the API details page, follow these
steps:
- On the Cloud API details page, choose the project to enable the Cloud API for.
- Click Enable API. After the API is enabled, a message is displayed
to confirm the change.
Adding client libraries to your project
In addition to exploring and enabling Cloud APIs using Cloud Code,
you can add a language-specific client library to your project.
To install a client library, follow the instructions on the API details page
for your language.
Using API samples
You can search for and use code samples for each API in the API browser.
Click Cloud Code and then expand the Cloud APIs section.
To open the detail view, click the name of an API.
To view code samples for the API, click Code Samples.
To filter the list of samples, type text to search for or choose a
programming language from the Language list.
To view a sample, click the name of the sample. There are also options to
copy the sample to your clipboard or view the sample in GitHub.
Setting up authentication
After you've enabled the required APIs and added the necessary client
libraries, you need to configure your application for it to be successfully
authenticated. Your configuration depends on your type of development and
the platform you're running on.
After you complete the authentication steps, your application can authenticate
and is ready to be deployed.
Local development
Local machine
If you logged into Google Cloud in your IDE,
Cloud Code sets your Application Default Credentials (ADC)
and you can skip this step. If you logged into Google Cloud
outside your IDE (for example, using the gcloud CLI),
set up your ADC and let Google Cloud client libraries authenticate
through ADC by running:
gcloud auth login --update-adc
minikube
If you logged into Google Cloud in your IDE,
Cloud Code sets your Application Default Credentials (ADC)
and you can skip this step. If you logged into Google Cloud
outside your IDE (for example, using the gcloud CLI),
set up your ADC and let Google Cloud client libraries authenticate
through ADC by running:
gcloud auth login --update-adc
- Start minikube by running:
minikube start --addons gcp-auth
This command mounts your ADC in your pods. For detailed information about
minikube authentication with Google Cloud, see the minikube gcp-auth docs.
Other local K8s clusters
If you logged into Google Cloud in your IDE,
Cloud Code sets your Application Default Credentials (ADC)
and you can skip this step. If you logged into Google Cloud
outside your IDE (for example, using the gcloud CLI),
set up your ADC and let Google Cloud client libraries authenticate
through ADC by running:
gcloud auth login --update-adc
- To make sure that the Google Cloud client libraries can find
your credentials, mount your local ~/.config/gcloud directory
in your Kubernetes pods by editing the deployment manifests.
- Set your Google Cloud Project ID as an environment variable
named GOOGLE_CLOUD_PROJECT.
Kubernetes pod configuration example:
apiVersion: v1
kind: Pod
metadata:
  name: my-app
  labels:
    name: my-app
spec:
  containers:
  - name: my-app
    image: gcr.io/google-containers/busybox
    ports:
    - containerPort: 8080
    env:
    - name: GOOGLE_CLOUD_PROJECT
      value: my-project-id
    volumeMounts:
    - mountPath: /root/.config/gcloud
      name: gcloud-volume
  volumes:
  - name: gcloud-volume
    hostPath:
      path: /path/to/home/.config/gcloud
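
A check for the mount shown above, as an added example (not code from the original page or from Cloud Code): the hostPath volume hands the developer's own gcloud credentials to the container, which suits a local cluster only, so this flags it in manifests before they reach a shared cluster. It takes manifests already parsed into dictionaries; the function names, the /home/dev path and the my-app-ksa account name are assumptions.

```python
# Added example: flag the local-development credential mount in parsed manifests.
GCLOUD_DIR = ".config/gcloud"

def pod_spec(manifest):
    """Return the pod spec of a Pod, or of a workload that has a pod template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})

def find_credential_mounts(manifest):
    """Return one finding per container that mounts a hostPath gcloud directory."""
    spec = pod_spec(manifest)
    risky = {}
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path", "")
        if path.rstrip("/").endswith(GCLOUD_DIR):
            risky[vol["name"]] = path
    findings = []
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        for m in c.get("volumeMounts", []):
            if m.get("name") in risky:
                findings.append({"container": c["name"], "hostPath": risky[m["name"]],
                                 "mountPath": m["mountPath"],
                                 "writable": not m.get("readOnly", False)})
    return findings

# Constructed sample: the pod from this page, with a made-up home directory.
DEV_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "my-app"},
    "spec": {
        "containers": [{
            "name": "my-app", "image": "gcr.io/google-containers/busybox",
            "volumeMounts": [{"mountPath": "/root/.config/gcloud",
                              "name": "gcloud-volume"}],
        }],
        "volumes": [{"name": "gcloud-volume",
                     "hostPath": {"path": "/home/dev/.config/gcloud"}}],
    },
}

# Constructed sample: a Deployment that uses a Kubernetes service account instead.
PROD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "my-app"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "my-app-ksa",  # hypothetical name
        "containers": [{"name": "my-app", "image": "gcr.io/google-containers/busybox"}],
    }}},
}
```
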
Cloud Run
If you logged into Google Cloud in your IDE,
Cloud Code sets your Application Default Credentials (ADC)
and you can skip this step. If you logged into Google Cloud
outside your IDE (for example, using the gcloud CLI),
set up your ADC and let Google Cloud client libraries authenticate
through ADC by running:
gcloud auth login --update-adc
Local development with APIs that require a service account
Some APIs, such as the Cloud Translation API, require a service account with
appropriate permissions to authenticate your requests. For more information, see
Creating and managing service accounts.
For a quickstart that uses a service account, see
Use the Cloud Client Libraries in Cloud Code.
To open a terminal, click Terminal > New Terminal.
Create a service account to authenticate your API requests:
gcloud iam service-accounts create \
    SERVICE_ACCOUNT_ID \
    --project PROJECT_ID
Replace the following values:
SERVICE_ACCOUNT_ID: the service account ID
PROJECT_ID: the project ID
To find these IDs, in Google Cloud, click the Navigation menu at the
top-left of the screen, hold your pointer over IAM & Admin and click
Service Accounts.
The Email column shows the unique SERVICE_ACCOUNT_ID and PROJECT_ID
for each of your service accounts in the following format:
SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com
For example: A service account email address of
my-service-account@my-project.iam.gserviceaccount.com has the following
values:
SERVICE_ACCOUNT_ID: my-service-account
PROJECT_ID: my-project
Grant your service account the appropriate role. The following sample
command grants the Cloud Translation API User role. To determine the role to
grant, see the documentation for the Cloud API you're using.
gcloud projects \
    add-iam-policy-binding \
    PROJECT_ID \
    --member='serviceAccount:SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com' \
    --role='roles/cloudtranslate.user'
Create a service account key:
gcloud iam service-accounts keys \
    create key.json --iam-account \
    SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com
Set the key as your default credentials:
export GOOGLE_APPLICATION_CREDENTIALS=key.json
Optional: To permit users to impersonate the service account, run the
gcloud iam service-accounts add-iam-policy-binding
command to grant a user the Service Account User role
(roles/iam.serviceAccountUser) on the service account:
gcloud iam service-accounts add-iam-policy-binding \
    SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
    --member="user:USER_EMAIL" \
    --role="roles/iam.serviceAccountUser"
Replace the following values:
USER_EMAIL: the email address for the user
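
An audit of the file that GOOGLE_APPLICATION_CREDENTIALS points to, as an added example (not code from the original page or from Google's libraries): it tells the user credentials that gcloud writes for ADC apart from a downloaded service account key like key.json, and flags loose file permissions and a key stored inside a Git work tree. The function names and the values in the sample key are constructed for illustration.

```python
import json
import os
import stat
import tempfile

# What the "type" field of a Google credential JSON file says about it.
KINDS = {
    "authorized_user": "user credentials written by gcloud (refresh token)",
    "service_account": "long-lived service account key",
}

def audit_credentials(path):
    """Return findings for the file that GOOGLE_APPLICATION_CREDENTIALS names."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} lets group/others read it; chmod 600")
    with open(path, encoding="utf-8") as fh:
        cred = json.load(fh)
    kind = cred.get("type", "unknown")
    findings.append(f"type {kind}: {KINDS.get(kind, 'not checked here')}")
    if kind == "service_account":
        findings.append(f"key {cred.get('private_key_id')} for "
                        f"{cred.get('client_email')} has no expiry by default")
    # A key file inside a Git work tree is one `git add .` away from a commit.
    folder = os.path.dirname(os.path.abspath(path))
    while True:
        if os.path.exists(os.path.join(folder, ".git")):
            findings.append(f"inside Git work tree {folder}; keep it out of the repo")
            break
        parent = os.path.dirname(folder)
        if parent == folder:
            break
        folder = parent
    return findings

def demo():
    """Audit a constructed key.json (placeholder values, no real key material)."""
    with tempfile.TemporaryDirectory() as repo:
        os.mkdir(os.path.join(repo, ".git"))
        key = os.path.join(repo, "key.json")
        with open(key, "w", encoding="utf-8") as fh:
            json.dump({"type": "service_account", "private_key_id": "CONSTRUCTED-ID",
                       "private_key": "CONSTRUCTED-PLACEHOLDER", "client_email":
                       "my-service-account@my-project.iam.gserviceaccount.com"}, fh)
        os.chmod(key, 0o644)
        return audit_credentials(key)
```
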
Remote development
GKE
Depending on the scope of your project, you can choose how you
authenticate Google Cloud services on GKE:
- (Development only)
  - Create a GKE cluster with the following settings:
    - Make sure that you're using the service account GKE uses by
      default, the Compute Engine default service account, and that
      Access scopes is set at Allow full access to all Cloud APIs
      (both settings are accessible in the Node Pools > Security
      section). Since the Compute Engine service account is shared by all
      workloads deployed on your node, this method
      overprovisions permissions and should only be used
      for development.
    - Make sure that Workload Identity isn't enabled on your
      cluster (in the Cluster > Security section).
  - Assign the necessary roles to your service account:
- (Recommended for production)
  - Configure your GKE cluster and application with Workload Identity
    to authenticate Google Cloud services on GKE. This associates your
    Kubernetes service account with your Google service account.
  - Configure your Kubernetes Deployment to reference the Kubernetes service
    account by setting the .spec.serviceAccountName field in your
    Kubernetes Deployment YAML file. If you're working on an app created from a
    Cloud Code sample application, this file is located under the
    kubernetes-manifests folder.
  - If the Google Cloud service you're trying to access
    requires additional roles, grant them for the Google service
    account you're using to develop your app:
Cloud Run
- To create a new unique service account for deploying your Cloud Run
  application, navigate to the Service Accounts page and then select
  the project that your secret is stored in.
  Go to the Service Accounts page
- Click Create service account.
- In the Create service account dialog, enter a descriptive name
  for the service account.
- Change the Service account ID to a unique, recognizable value
  and then click Create.
- If the Google Cloud service you're trying to access requires
  additional roles, grant the roles, click Continue, and then click Done.
- To add your service account to your deploy configuration:
  - Using the Cloud Code status bar, choose the Cloud Run: Deploy command.
  - In the Cloud Run Deployment UI, under Revision Settings, in the
    Service Account field, specify your service account.
Cloud Run
Depending on the scope of your project, you can choose how you
authenticate Google Cloud services on GKE:
- (Development only)
  - Create a GKE cluster with the following settings:
    - Make sure that you're using the service account that
      GKE uses by default, the
      Compute Engine default service account, and that
      Access scopes is set at Allow full access to all Cloud APIs
      (both settings accessible in the Node Pools > Security
      section). Since the Compute Engine
      service account is shared by all workloads deployed on your node,
      this method overprovisions permissions and should only be used
      for development.
    - Make sure that Workload Identity isn't enabled on your cluster (in the
      Cluster > Security section).
  - Assign the necessary roles to your service account:
- (Recommended for production)
  - Configure your GKE cluster and application with Workload Identity
    to authenticate Google Cloud services on GKE. This associates your
    Kubernetes service account with your Google service account.
  - To add your service account to your deploy configuration:
    - Using the Cloud Code status bar, choose the Cloud Run: Deploy command.
    - In the Cloud Run Deployment UI, under Revision Settings, in the
      Service Account field, specify your service account.
  - If the Google Cloud service you're trying to access requires additional
    roles, grant them for the Google service account you're using to develop
    your app:
Remote development with Secret Manager permissions enabled
If you're developing remotely, using a service account for authentication,
and your application uses secrets, you
need to complete a few more steps in addition to the
remote development instructions. These steps assign your Google service account
the role required to access a particular Secret Manager secret:
Click Cloud Code and then expand the Secret Manager section.
![Secret Manager in Cloud Code open with two secrets listed](/static/code/docs/vscode/images/secret-manager-ui.png)
Right-click the secret and select Edit Permissions in Cloud console.
This launches the Secret Manager configuration page for that
secret in your web browser.
![Right-clicked secret in Secret Manager panel](/static/code/docs/vscode/images/secret-manager-permissions.png)
In Google Cloud console, click Permissions and then click Add.
In the New principals field, enter the name of your service account.
In the Select a role field, choose the Secret Manager Secret Accessor role.
Click Save.
Your service account now has permission to access this particular secret.
Get Support
To send feedback, report issues on GitHub, or ask a question on Stack Overflow.