Google Cloud Services extension pack for Quarkus
The Google Cloud Services extension pack provides Quarkus extensions for the following services:
They all share an optional common configuration property to set the project ID:
quarkus.google.cloud.project-id=<your-project-id>If the project ID is not set, the extensions will default to using ServiceOptions.getDefaultProjectId()
that will use the default project detected via Application Default Credentials.
All these extensions work with applications built as native image executables.
These extensions work well within the various Google Cloud Functions extensions available inside Quarkus as they directly authenticate via the built-in credentials, see the deploying to google cloud platform guide.
Dependency management
All Google Cloud services extensions are part of the Quarkus platform, if you’re using the platform BOM (io.quarkus.platform:quarkus-bom) there is no need to manage their version.
If you’re not using the platform BOM, you can use the Google Cloud services BOM to manage all versions:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>io.quarkiverse.googlecloudservices</groupId>
<artifactId>quarkus-google-cloud-services-bom</artifactId>
<version>${quarkus.google-cloud-services.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>Authenticating to Google Cloud
There are several ways to authenticate to Google Cloud, it depends on where your application runs (inside our outside Google Cloud Platform) and for which service.
The current authentication flow is as follows:
-
Check the
quarkus.google.cloud.service-account-locationproperty, if it exists, use the service account file from this location. -
Check the
quarkus.google.cloud.service-account-encoded-keyproperty, if it exists, use the service account base64 encoded content. -
Check the access token returned as part of OpenId Connect Authorization Code Grant response after a user has authenticated with Google OpenId Connect provider (see Quarkus OpenId Connect for Web Applications). This access token can be used to access Google Services on behalf of the currently authenticated user but will be ignored if the
quarkus.google.cloud.access-token-enabledproperty is set tofalse. -
Use
GoogleCredentials.getApplicationDefault()that will search for credentials in multiple places: -
Credentials file pointed to by the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable. -
Credentials provided by the Google Cloud SDK
gcloud auth application-default logincommand. -
Google Cloud managed environment (Google App Engine, Google Cloud Functions, GCE, …) built-in credentials.
Google PubSub and Google Bigtable should be authenticated using the GOOGLE_APPLICATION_CREDENTIALS environment variable,
or use the provided CredentialsProvider when instantiating their objects.
Using Google Cloud services emulators
If you plan to use one of the Google Cloud services emulators (for running on localhost, or for testing purpose), on a non-authenticated environment,
you’ll need to mock the Google Cloud authentication credentials, and optionally the CredentialsProvider if you’re using it (otherwise it will be removed by Quarkus CDI engine).
For testing, this can be done by creating a CDI producer that will produce a mocked bean (with Quarkus mock support and Mockito)
to replace the Credentials and the CredentialsProvider beans.
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Default;
import javax.enterprise.inject.Produces;
import javax.inject.Singleton;
import com.google.api.gax.core.CredentialsProvider;
import com.google.api.gax.core.NoCredentialsProvider;
import com.google.auth.Credentials;
import com.google.cloud.NoCredentials;
import io.quarkus.test.Mock;
@Mock
@ApplicationScoped
public class GoogleCredentialsMockProducer {
@Produces
@Singleton
@Default
public Credentials googleCredential() {
return NoCredentials.getInstance();
}
// only needed if you're injecting it inside one of your CDI beans
@Produces
@Singleton
@Default
public CredentialsProvider credentialsProvider() {
return NoCredentialsProvider.create();
}
}Configuration Reference
Configuration property fixed at build time - All other configuration properties are overridable at runtime
Configuration property |
Type |
Default |
|---|---|---|
Enable or disable metadata server access to retrieve configuration options (projectId, region…). Environment variable: |
boolean |
|
Google Cloud project ID. It defaults to Environment variable: |
string |
|
Google Cloud service account file location. Environment variable: |
string |
|
Google Cloud service account base64 encoded content. Environment variable: |
string |
|
Enable Google Cloud access token authentication For example, the access token which is returned as part of OpenId Connect Authorization Code Flow may be used to access Google Cloud services on behalf of the authenticated user. Note that if a service account location is configured then the access token will be ignored even if this property is enabled. Disable this property if the default Google Cloud authentication is required. Environment variable: |
boolean |
|
Whether to enable the secret manager Environment variable: |
boolean |
|
Example applications
Example applications can be found inside the integration-test folder of the GitHub repository:
-
main: RESTEasy endpoints using all the Google Cloud Services extensions, to be deployed as a standalone JAR.
-
google-cloud-functions: A Google Cloud HTTP function using Google Cloud Storage.
-
app-engine: A RESTEasy endpoint using Google Cloud Storage, to be deployed inside Google App Engine.
-
firebase-admin: RESTEasy endpoints using Firebase Admin SDK features, such as user management.