Re: Google Cloud Monitoring REST API authenticati...

igorbach · 01-19-2023 07:28 AM

I'm trying to create a monitoring solution for the Google Cloud Platform based on Goggle Cloud REST API

I've configured Oauth 2.0 ID, with the correct redirect_uri configured

I have an internal application , on the OAuth consent screen. I've configured authorized domains to get the auth response in an external application (postman)

I faced one issue - anytime, when I'm trying to create a new authentication call like

https://accounts.google.com/o/oauth2/auth?client_id=<my_client_id>.apps.googleusercontent.com&redirect_uri=https://oauth.pstmn.io/v1/callback&scope=https://www.googleapis.com/auth/monitoring.read&response_ty...

I'm getting the consent screen and I have to authorize my Google cloud technical account to accept the new connection

And it has repeated every time when I'm trying the same request from another client (browser/host machine)

On Google Cloud Docs I found the only way to authenticate the user with gcloud utility usage

https://cloud.google.com/docs/authentication/rest

But the general purpose of my solution - is full agentless monitoring without external libraries or utilities usage - only native rest-API calls.

Could you help me with my findings - is it possible to get the authorization token via HTTP request without user interaction on the first call?

kolban

I'm getting the sense that you are wanting to make Google Cloud Monitoring API calls. In order to make these API calls you have to present Google Cloud with an authenticated identity which is authorized to make the requests. You have been looking at using the OAuth technology to make the requests however, you would ideally like to make these requests from an "agent" without having any end user interaction.

My immediate thinking is using a Google Cloud Service Account. A service account is a Google identity that has an associated credentials file that, if present to the client/caller can be used to authenticate the caller to Google. OAuth isn't seend/used by you (the developer). Maybe tell us a little more about where the client application that is making Cloud Monitoring API calls resides.

igorbach

@kolban Thank you for your reply!

I'm successfully used service account JWT authentication with google-auth-library for the Node.js, so, I guess, that I have to repeat the authentication actions functionality from this library in JS calls to achieve my goal (don't use external libraries)

Maybe, you could help me with another problem?

As far as I researched Google Moonitoring API - I see, that approach used - 1 Request-1URL-1Metric

instance/cpu/utilization

etc...

But - is there a weay to get bulk monitoring data per one request?

kolban

Sadly I'm no expert but my immediate thought is "no ... I don't think so". When we look at retrieving metric data, I have always seen this API call used:

https://cloud.google.com/monitoring/api/ref_v3/rest/v3/projects.timeSeries/query

This allows us to request a metric value using the "Metric Query Language". I'm not seeing that we can retrieve multiple metrics per call. What I'd suggest is to look at what resource and metric you want to retrieve data upon and submit an API request and see what you get back. From there, you'll get a feel for the sort of data you might be able to retrieve. What is the bigger story? What are you seeing as the concern for making multiple monitoring calls?

Google Cloud Monitoring REST API authentication