How to oAuth Google API from Lambda AWS?

Asked 10/2, 2017 at 23:47 Answered 27/6, 2020 at 18:42

google-calendar-api google-api-client alexa-skills-kit

I am building Alexa Skill for Google calendar. The client side code works as expected on local machine because I can authenticate the local machine using the link. But, when I deploy the code on AWS Lambda there is no way that I can authenticate as I cannot input code via AWS console.

I am getting trouble in setting up authentication of Google Calendar API when deployed on AWS lambda.

This documentation doesn't help much to me Google Implementing Server Side Authentication

Dystrophy answered 10/2, 2017 at 23:47 Comment(0)

You should create a service account. Those are designed especially for server-to-server communication. Documentation can be found here: https://developers.google.com/identity/protocols/OAuth2ServiceAccount

The problems with the solutions from other answers are:

API keys are insecure
Access tokens (e.g. obtained by the CLI command gcloud auth print-access-token) expire. Since Lambdas are stateless, there's no way to store a token temporarily and refresh it when it's expired.

Lustihood answered 13/7, 2018 at 8:22 Comment(0)

I know this is late, but after struggling a lot with this problem, I found a solution. Do google auth with JWT

const {google} = require('googleapis');


const key ={
 client_email: process.env.CLIENT_EMAIL,
 private_key: process.env.PRIVATE_KEY,
}

const auth = new google.auth.JWT(
  key.client_email,
  null,
  key.private_key,
  ["https://www.googleapis.com/auth/analytics.readonly"],
  null
);

google.options({auth});

Gossipy answered 24/6, 2020 at 18:47 Comment(3)

I am confused as AWS lamda has a aprox 50mb package size limit and googleapis npm package is 103mb? I am going to see if it works. – Wickerwork 27/3, 2022 at 1:53

It works... must tree shake and only include parts of the npm package that you use in the function... I am using Netlify Functions – Wickerwork 27/3, 2022 at 2:1

This authentication method is not capable of getting your own channel data with mine: true – Bargeman 27/8, 2022 at 18:14

I have multiple lambdas depending a the same google credentials and token.

I store my credentials either in S3 or in DynamoDB.

My solution was to create a scheduled lambda function that refreshes the oAuth token every 55minutes. This prevents unnecessary refreshes if multiple lambdas where to run at the same time.

Letreece answered 27/6, 2020 at 18:42 Comment(1)

How do you regenerate the auth token? Please post your exact code – Bertina 27/8, 2022 at 23:57

You have to do 2 steps specified in here, if you follow correctly you will get this done.

First, (only the first time) you need to set up your project and download the GOOGLE APPLICATION CREDENTIALS you will result with one json file with auth information inside, lets suppose you call it project.json

Now you will need to execute some commands to get access tokens, download and install Cloud SDK to have access to those commands.

 gcloud auth activate-service-account --key-file=/home/panchicore/project.json

then

gcloud auth print-access-token

you will get your key at this point, now we can use it in the next step:

Second, Make a Translation API request: (how I did it and tested with python requests)

import requests

key = "KEY GOT WITH gcloud auth print-access-token"

headers = {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer {}'.format(key)
}

url = 'https://translation.googleapis.com/language/translate/v2'

data = {
  'q': 'The quick brown fox jumped over the lazy dog.',
  'source': 'en',
  'target': 'es',
  'format': 'text'
}

res = requests.post(url, json=data, headers=headers)

print res.content
>>> El rápido zorro marrón saltó sobre el perro perezoso.

Hope it helps.

Tomboy answered 3/3, 2017 at 13:15 Comment(5)

Will that token be good forever, or only for a limited amount of time? – Goulette 1/12, 2017 at 23:31

not before, now they expire and the date comes with the gcloud reponse. – Tomboy 31/1, 2018 at 14:59

Bart, this is disclaimed in my previous comment. – Tomboy 13/7, 2018 at 10:9

@panchicore, tried your solution. As said, worked for sometime and then key expired. Do you have a solution to generate auth token for Lambda function without import google cloud sdk? – Gemeinschaft 8/8, 2018 at 4:42

2 ways: the correct one: Obtain an access token from the Google Authorization Server. developers.google.com/identity/protocols/OAuth2. and the crafted one: bash script that runs the routine getting the key with gcloud auth print-access-token and posting it to a secure dynamodb table with the expiration flag, that flag is queried everytime by the cronjob running the script (basically acts as a cache). – Tomboy 8/8, 2018 at 8:59

-1

The easier way is using api keys to authenticate. https://cloud.google.com/docs/authentication/api-keys

You can make requests to some google apis like this (javascript)

const request = require('request')
request.post(`https://language.googleapis.com/v1beta2/documents:analyzeSentiment?key=${process.env.GOOGLE_API_KEY || ''}`, 
{
    json : true,
    body : {
        document : document
    }
},
(error, response, body) => {
    console.log(body)
})

Wrote answered 20/4, 2018 at 4:38 Comment(1)

API keys are insecure and many Google API's don't support them any more. – Lustihood 13/7, 2018 at 8:24

Recommended topics

Hot tags