Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Override authentication credentials

The Google Cloud client libraries for Rust automatically authenticate your requests to Google Cloud services. Some applications may need to override the default authentication. This guide shows you how to override the default.

Prerequisites

This guide uses the Cloud Natural Language API. The same concepts apply to the client libraries for other services. You may want to follow the service quickstart, which shows you how to enable the service.

For complete setup instructions for the Rust libraries, see Setting up your development environment.

Dependencies

You must declare the dependencies in your Cargo.toml file:

cargo add google-cloud-language-v2 google-cloud-auth

The default credentials

The recommended way to authenticate applications in Google Cloud is to use Application Default Credentials. Without any configuration the client libraries default to this credential type. See How Application Default Credentials work for information about you can configure this default without any code changes in your application.

First, add some use declarations to simplify the rest of the example:

    use google_cloud_language_v2::client::LanguageService;
    use google_cloud_language_v2::model::{Document, document::Type};

Initialize the client using the defaults:

    let client = LanguageService::builder().build().await?;

Use this client as usual:

    let response = client
        .analyze_sentiment()
        .set_document(
            Document::new()
                .set_content("Hello World!")
                .set_type(Type::PlainText),
        )
        .send()
        .await?;
    println!("response={response:?}");

Override the default credentials: API keys

API keys are text strings that grant access to some Google Cloud services. Using API keys may simplify development as they require less configuration than other authentication methods. There are some risks associated with API keys, we recommended you read Best practices for managing API keys if you plan to use them.

First, add some use declarations to simplify the rest of the example:

    use google_cloud_auth::credentials::api_key_credentials::Builder as ApiKeyCredentialsBuilder;
    use google_cloud_language_v2::client::LanguageService;
    use google_cloud_language_v2::model::{Document, document::Type};

This example receives the API key string as an input parameter:

pub async fn sample(key: &str) -> anyhow::Result<()> {

Use the API Keys Builder to create the credentials:

    let credentials = ApiKeyCredentialsBuilder::new(key).build();

Initialize the client using the result:

    let client = LanguageService::builder()
        .with_credentials(credentials)
        .build()
        .await?;

Use this client as usual:

    let response = client
        .analyze_sentiment()
        .set_document(
            Document::new()
                .set_content("Hello World!")
                .set_type(Type::PlainText),
        )
        .send()
        .await?;
    println!("response={response:?}");

Override the default credentials: service account impersonation

Service account impersonation allows you to make API calls on behalf of a service account. Use service account impersonation discusses this form of authentication in detail.

When you use service account impersonation, you start with an authenticated principal (your user account or a service account) and request short-lived credentials for a service account that has the authorization that your use case requires.

It is more secure than downloading a service account key for the target service account, as you do not need to hold the credentials in the file system or even in memory.

First, add some use declarations to simplify the rest of the example:

    use google_cloud_auth::credentials::Builder as AdcCredentialsBuilder;
    use google_cloud_auth::credentials::impersonated::Builder as ImpersonatedCredentialsBuilder;
    use google_cloud_language_v2::client::LanguageService;
    use google_cloud_language_v2::model::{Document, document::Type};

This example receives the service account identifier as an input parameter. This can be the service account email or the unique numeric id assigned by Google when you created the service account:

/// # Parameters
/// * `target_principal`: the email or unique id of the target service account.
///   For example: `my-service-account@my-project.iam.gserviceaccount.com`.
pub async fn sample(target_principal: &str) -> anyhow::Result<()> {

Use the impersonated service account Builder to create the credentials:

    let credentials = ImpersonatedCredentialsBuilder::from_source_credentials(
        AdcCredentialsBuilder::default().build()?,
    )
    .with_target_principal(target_principal)
    .build()?;

Initialize the client using the result:

    let client = LanguageService::builder()
        .with_credentials(credentials)
        .build()
        .await?;

Use this client as usual:

    let response = client
        .analyze_sentiment()
        .set_document(
            Document::new()
                .set_content("Hello World!")
                .set_type(Type::PlainText),
        )
        .send()
        .await?;
    println!("response={response:?}");

More Information

Learn about other authentication methods in the Rust client libraries: