Google Cloud Platform REST API: Acquiring Access Token and API Key

Question

I wish to use the Google Cloud Platform (GCP) REST API locally, starting with the apps.services.versions.instances.list method.

The route works when I use "Try this API" here, but how would I use this method locally with curl?

"https://appengine.googleapis.com/v1/apps/$APPSID/services/$SERVICESID/versions/$VERSIONSID/instances?key=$YOUR_API_KEY" \
--compressed \
--header 'Accept: application/json' \
--header "Authorization: Bearer $YOUR_ACCESS_TOKEN"

#=>

{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "status": "UNAUTHENTICATED"
  }
}

How do I access $YOUR_API_KEY and $YOUR_ACCESS_TOKEN? I have been unable to find either in the official GCP docs.

Answer 1

The fastest way is use Cloud Shell:

1. List projects to get project id

   gcloud projects list
   
   # save you project id
   PROJECT_ID="YOURS_PROJECT_ID"
   

2. Get ACCESS_TOKEN

   ACCESS_TOKEN=$(gcloud auth print-access-token)
   

3. Get API_KEY

   API_KEY=$(curl -X POST https://apikeys.googleapis.com/v1/projects/$PROJECT_ID/apiKeys?access_token=$ACCESS_TOKEN | jq -r ".currentKey")
   

4. Print API_KEY and ACCESS_TOKEN

   echo $ACCESS_TOKEN
   echo $API_KEY
   

To run above commands on local machine first you need authenticate using command gcloud auth login and follow instructions.

Alternatively api key could be readed or created from console go to Navigation Menu -> APIs & Services -> Credentials and next click on CREATE CREDENTIALS -> API Key.

---

By reading the documentation (clicking on question mark next to Credentials) we can read:

• [YOUR_API_KEY] - "Include an API Key to identify your project, used to verify enablement and track request quotas."
• [YOUR_ACCESS_TOKEN] - "Include an access (bearer) token to identify the user which completed the OAuth flow with your Client ID."

Answer 2

You no longer need an API key. It's a legacy feature of Google APIs, provide only an access token is enough.

In command line you can do this

 curl -H "Authorization: Bearer $(gcloud auth print-access-token)" https://....

All the Google Cloud APIs are compliant with access token authentication. Few are still compliant with API keys.

About APIKeys API

This API has been published in beta and now closed. At least the documentation part. I don't know if this API is stable or subject to change. You can create an API key per API like this (very similar to Bartosz Pelikan answer)

curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   -X POST https://apikeys.googleapis.com/v1/projects/PROJECT_ID/apiKeys

As you can see, I reuse the access token authentication mode