Hi all,
I'm building a small web app that needs to make AJAX calls to this API. From the docs and guides, it sounds like this is supposed to be done using a service account and generating short-lived credential tokens so as not to be passing an API key to the browser.
I get the concept, but I'm having trouble ironing out the details. Can anyone help me with the following?
1. I can restrict an API key to a specific API, but how do I do the same with a service account? I want the credential tokens to grant access to nothing but this API.
2. Does this mean that I need 1 service account that the credentials are being used to impersonate, then another service account or API key used by the backend to generate the short-lived credentials?
3. What are the specific roles/permissions I need to assign to these accounts/API keys? I don't see any permissions that are specific to this API.
I'm not familiar with the Google Cloud APIs, so I want to make sure I don't have credentials floating around that allow access to anything they shouldn't.
Much appreciated if anyone can answer or point me to docs for these questions.
Thanks!