Service Account Credentials usage in .NET library

Matt Yandek

Oct 3, 2017, 4:06:44 PM
to Google Cloud Pub/Sub Discussions
We are currently looking to use PubSub in conjunction with the .NET Android Management library.  Both it and the Google Play EMM Management library allow us to construct a ServiceAccountCredential, which can be used to initialize the client used to make REST calls to the respective services using only the service account UPN and private key.  These values are obtained from the JSON credential file we download from the Google Developers console.

From what I've read and also from testing, it seems the only way to provide credentials is through setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to a location on disk where the JSON credential file resides.  Due to various reasons, it is not possible for us to store this file on disk or its contents in memory; the only thing we have available is the private key and the service account UPN.  Is there something we can do to create instances of PublisherClient and SubscriberClient with only those 2 pieces of information?

Thanks,
Matt

Kenworth (Google Cloud Platform)

Oct 3, 2017, 10:09:18 PM
to Google Cloud Pub/Sub Discussions
Can you please clarify why you are not able to make the Publisher/SubscriberClient calls if you are already able to make REST calls (as you mentioned in the first part)?

Matt Yandek

Oct 3, 2017, 11:09:07 PM
to Google Cloud Pub/Sub Discussions
Those 2 .NET libraries do not require the JSON file be present or the environment variable set in order to obtain credentials needed to communicate with the service.  Both of these classes can be initialized with a Google.Apis.Auth.OAuth2.ServiceAccountCredential object, which can be constructed with just the UPN of the service account and the private key:

ServiceAccountCredential credential = new ServiceAccountCredential(new ServiceAccountCredential.Initializer(serviceAccountUpn)
{
    Scopes = new List<string>() { AndroidEnterpriseService.Scope.Androidenterprise }
}.FromPrivateKey(serviceAccountPrivateKey));

return new AndroidEnterpriseService(new BaseClientService.Initializer()
{
    HttpClientInitializer = credential,
    ApplicationName = "MyServiceName"
});

Due to how we must store this information in our service, this works great.  From what I can tell, I cannot do something similar when creating a PublisherClient or SubscriberClient instance.  There doesn't seem to be a way to provide credentials that's at least straightforward (this Create method looks somewhat promising, but I don't see an obvious way to be able to do that).  Basically, we aren't really able to store the JSON on disk and set the environment variable in our environment, so I'm looking for a way to programmatically provide the credentials to the Subscriber and Publisher clients.


Matt Yandek

Oct 4, 2017, 1:43:55 PM
to Google Cloud Pub/Sub Discussions
An alternative solution would be to use the PFX certificate (PKCS #12) containing the private key to authenticate with the PubSub endpoint - we actually would prefer this method instead if it's somehow possible.

Matt Yandek

Oct 4, 2017, 4:17:22 PM
to Google Cloud Pub/Sub Discussions
OK, I finally figured out how we can use our existing credentials and use them for PublisherClient or SubscriberClient.  Here's what needs to happen:

ServiceAccountCredential credential = new ServiceAccountCredential(new ServiceAccountCredential.Initializer(serviceAccountUpn)
{
    Scopes = new List<string>() { AndroidEnterpriseService.Scope.Androidenterprise }
}.FromPrivateKey(serviceAccountPrivateKey));

ChannelCredentials channelCredentials = credential.ToChannelCredentials();
Channel channel = new Channel("pubsub.googleapis.com:443", channelCredentials);
SubscriberClient subscriberClient = SubscriberClient.Create(channel);


The key was the ToChannelCredentials extension method to convert the IAccessToken to the correct credential needed for gRPC.
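
The PFX (PKCS #12) variant asked about earlier in the thread, combined with the channel approach from the last post, as an added example that is not part of the original posts or the library's own samples. It assumes the PFX bytes and password are supplied in memory by the caller (the class, method and parameter names are hypothetical), and it requests the Pub/Sub OAuth scope instead of the Android Enterprise one:

```csharp
using System.Security.Cryptography.X509Certificates;
using Google.Apis.Auth.OAuth2;
using Grpc.Auth;
using Grpc.Core;

public static class PubSubChannelFactory
{
    // OAuth scope that covers the Pub/Sub API.
    private const string PubSubScope = "https://www.googleapis.com/auth/pubsub";

    // Assumption: pfxBytes and pfxPassword are fetched by the caller from its
    // own secret store, so no JSON credential file and no
    // GOOGLE_APPLICATION_CREDENTIALS environment variable are involved.
    public static Channel Create(string serviceAccountUpn, byte[] pfxBytes, string pfxPassword)
    {
        // Load the PKCS #12 blob from memory. Exportable lets the auth
        // library read the RSA private key out of the certificate.
        var certificate = new X509Certificate2(
            pfxBytes, pfxPassword, X509KeyStorageFlags.Exportable);

        // Same initializer as in the thread, but keyed from the certificate
        // instead of a PEM private-key string.
        var credential = new ServiceAccountCredential(
            new ServiceAccountCredential.Initializer(serviceAccountUpn)
            {
                Scopes = new[] { PubSubScope }
            }.FromCertificate(certificate));

        // ToChannelCredentials (Grpc.Auth) wraps the token source so each
        // gRPC call on this channel carries a fresh access token.
        return new Channel("pubsub.googleapis.com:443", credential.ToChannelCredentials());
    }
}
```

Pass the returned channel to SubscriberClient.Create(channel) as in the post above, and call channel.ShutdownAsync() when the client is no longer needed.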