Bypass App Engine Client Libraries' Authentication On Local Development

In this post you'll see how to bypass the App Engine Client Libraries' authentication step by mocking the credentials object. This will keep you from unnecessarily leaving user credentials lying around if you're only working with services that can be emulated locally.

There is a curious thing that happens when you're dealing with Google's App Engine Client libraries in a local development environment. They require authentication even when connecting to a development emulator; for example, the Datastore Emulator. And I don't mean it checks for authentication when starting dev_appserver.py or when the client library is instantiated in your Python code; I mean in every call. Every single query to Datastore, for instance, triggers an authentication check inside the library. So you really need to get your credentials straight.


The uncool way

You can resolve this by simply authenticating your local libraries with the command below, as stated in the official documentation.

$ gcloud auth application-default login

The thing is that this command will store your user credentials, which will work as a proxy for a service account, in a JSON file at ~/.config/gcloud/. This file will enable your local libraries to authenticate properly during each call. Now hear me out. You're storing a key that can potentially enable anyone to fetch all your App's information and data inside a file located in your home folder.

Call me crazy but this feels a bit overkill. I really couldn't find any security measures in the documentation that would prevent a malicious individual or software from causing mayhem with a stolen key. I know we always try to make our workspace as safe as possible; but who knows, accidents happen.


And the craziest thing is that you shouldn't need this key to be lying there when your development environment is only based on Google services that have local emulators - this includes Cloud Bigtable, Datastore and Firestore. If your App uses any other service or Google API, you'll need to authenticate, since your local App will access the real service anyway.


The cool way

Now, I'll show you a simple trick that bypasses the need for authentication in the specific case of libraries that connect to emulated services. Just use the following snippet whenever you instantiate the service Client.

That's it. Whenever your App is in production, it will authenticate and connect to the real service. When local, the mocked credentials will always result in a successful authentication. No need for user keys anymore. It is kind of obvious that this will not work unless your libraries are actually connecting to the local instance of the emulator, so check if your environment variables are set accordingly.
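An added example of the pattern described above (not the original post's snippet): mocked credentials are handed to the Datastore client only when the emulator variable points at a loopback address and the process is not a deployed App Engine instance. The function names and the `local-dev` project id are hypothetical, the `GAE_ENV=standard` check is an assumption about the production runtime, and `make_datastore_client` needs the `google-cloud-datastore` package installed.

```python
import ipaddress
import os
from unittest import mock


def emulator_host(environ):
    """Return DATASTORE_EMULATOR_HOST when skipping real auth is safe, else None."""
    # Assumption: deployed App Engine standard runtimes set GAE_ENV=standard.
    if environ.get("GAE_ENV", "").startswith("standard"):
        return None
    host = environ.get("DATASTORE_EMULATOR_HOST", "").strip()
    if not host:
        return None  # no emulator configured: calls would reach the real service
    name = host.rsplit(":", 1)[0].strip("[]")  # drop the port and IPv6 brackets
    if name == "localhost":
        return host
    try:
        return host if ipaddress.ip_address(name).is_loopback else None
    except ValueError:
        return None  # some other hostname: do not treat it as a local emulator


def make_datastore_client(project="local-dev"):
    """Mocked credentials for a loopback emulator, default credentials otherwise."""
    # Imported lazily so emulator_host() is usable without the Google packages.
    from google.cloud import datastore
    import google.auth.credentials

    if emulator_host(os.environ) is None:
        return datastore.Client()  # normal credential lookup
    # spec= makes the mock pass isinstance checks for Credentials;
    # no key file has to exist on disk.
    fake = mock.Mock(spec=google.auth.credentials.Credentials)
    return datastore.Client(project=project, credentials=fake)
```

The loopback check is deliberately strict: an emulator reached through another hostname (a container name, for instance) falls through to the normal credential lookup instead of receiving the mock.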


This trick isn't breaking any rules. You can actually find this being done if you dig deep in Google Python API's Git. Check it out here! If you want to know more, read the documentation for gcloud auth and Google Authentication.


Happy coding!




©2019 by Bernardo Rodrigues.