SignedJwtAssertionCredentials doesn't work on the App Engine

[GoogleCodeExporter]

when importing SignedJwtAssertionCredentials (from oauth2client.client import 
SignedJwtAssertionCredentials)we get an error back: ImportError: cannot import 
name SignedJwtAssertionCredentials.

I tried to upload a local version of the package but I get the same error.

Original issue reported on code.google.com by erlichmen on 3 May 2012 at 5:41

[GoogleCodeExporter]

Yes, this is a known issue, the crypto library that is included with App Engine 
can't read PKCS12 files. I might have a work-around in the future but it would 
require a whole new type of Credentials. 

Leaving this as an open bug to update the documentation to note the App Engine 
case.

Original comment by jcgregorio@google.com on 3 May 2012 at 3:22

[GoogleCodeExporter]

How am I suppose to use service accounts (which are generated by the 
devconsole) in the app engine? Is there any other way?

Original comment by erlichmen on 3 May 2012 at 4:35

[GoogleCodeExporter]

So there's no way to do Server-Server OAuth authentication for services like 
BigQuery from Google AppEngine? Is that what I gather?

Original comment by thinkj...@gmail.com on 7 May 2012 at 8:01

[GoogleCodeExporter]

Can you add the user account associated with the App Engine application to the 
team associated with your BigQuery project in the Dev Console?

That is, each App Engine application has an account associated with it, found 
on the Application Settings page under Service Account Name. It should be 
something like:
app-name@appspot.gserviceaccount.com

Can you add that email address to the list of team members on the Teams page 
for the project on the Dev Console https://code.google.com/apis/console ?

If that works then you should be able to use AppAssertionCredentials to access 
the BigQuery api:

 http://google-api-python-client.googlecode.com/hg/docs/oauth2client.appengine.html#AppAssertionCredentials

Original comment by jcgregorio@google.com on 8 May 2012 at 1:19

[GoogleCodeExporter]

I actually tried using AppAssertionCredentials to access the Google APIs using 
the AppEngine service account a month ago and stumble into those pitfall:
1. It doesn't work in the AppEngine DevServer, you have to test it on 
production server.
2. You need to add the AppEngine service account as a team member in the dev 
console, 
   but since our projects were created under Google App Domain they can't be added directly (only domain accounts can be added if you open the project under domain account).
   Since then I learn that you need to add them into a domain group and add the domain
3. OAuth1 was working for me back then.

I will give AppAssertionCredentials anther try and let you know how it goes.

Original comment by erlichmen on 8 May 2012 at 8:08

[GoogleCodeExporter]

AppAssertionCredentials worked perfectly for our needs, with the caveat that it 
doesn't work on the development server. I'll post the code here for posterity:

import httplib2
from google.appengine.api import memcache
from apiclient.discovery import build
from oauth2client.appengine import AppAssertionCredentials
import settings # our settings file

credentials = AppAssertionCredentials(
    scope='https://www.googleapis.com/auth/bigquery')
http = credentials.authorize(httplib2.Http(memcache))
service = build("bigquery", "v2", http=http)

job_runner = service.jobs()
results = job_runner.query(body={ "query": 'YOUR QUERY HERE' }, 
projectId=settings.PROJECT_ID).execute()

Original comment by thinkj...@gmail.com on 9 May 2012 at 2:50

[GoogleCodeExporter]

Original comment by jcgregorio@google.com on 6 Jun 2012 at 2:43

• Changed state: Accepted

[GoogleCodeExporter]

Hi,

I hate to cross post, but I've filed a bug in googleappengine to bump the 
version of PyCrypto to 2.6:
http://code.google.com/p/googleappengine/issues/detail?id=7884

This will allow my code (which implements JWT Signing in PyCrypto 2.6+) to 
potentially work in AppEngine.

I've posted the code on GitHub, and it works locally.  In the mean time, it's a 
great solution for systems that might not have OpenSSL for one reason or 
another.

https://github.com/richieforeman/google-api-python-client-pycryptojwt

Original comment by richie.f...@gmail.com on 22 Jul 2012 at 9:50

[GoogleCodeExporter]

I've wrapped the comments above into a working example with documentation, here:
http://code.google.com/p/mlab-metrics-api-server/source/browse/examples/app_asse
rtion_credentials/

Original comment by dylan.cu...@gmail.com on 23 Jul 2012 at 9:50

[GoogleCodeExporter]

If AppAssertionCredentials is the preferred method of doing server-server OAuth 
flows, is there a way to make this work with the AppEngine development server?

Original comment by thinkj...@gmail.com on 17 Aug 2012 at 6:56

[GoogleCodeExporter]

"""If AppAssertionCredentials is the preferred method of doing server-server 
OAuth flows, is there a way to make this work with the AppEngine development 
server?"""

You could use this command-line tool to get a refresh token:

  http://codereview.appspot.com/5362041/

And then when you are running on the dev server you could use the credentials 
stored in the file instead of using the AppAssertionCredentials:

  storage = Storage('cmd-line.dat')
  credentials = storage.get()

Original comment by jcgregorio@google.com on 20 Aug 2012 at 2:28

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Fixed in 
https://code.google.com/p/google-api-python-client/source/detail?r=b4888423b1d3b
890ed8300469232f8a3ed133bf6

Added PEM support.

Original comment by jcgregorio@google.com on 24 Jan 2013 at 8:55

• Changed state: Fixed

[GoogleCodeExporter]

FYI

I think the link for 'Added PEM support' is actually.

https://code.google.com/p/google-api-python-client/source/detail?spec=svn9d5f47c
c7ec138ca5eec114071f61e9733a14514&r=5c952c4cea9f9d4b624107b943b30fc6ada269f6

Original comment by tim.emi...@gmail.com on 10 Feb 2013 at 3:04

[GoogleCodeExporter]

Importing SignedJwtAssertionCredentials is still throwing an error.

Is there anywhere a step-by-step guide how I can test Google API from appengine 
dev server?

Frankly  I got lost.

Original comment by alexande...@gmail.com on 18 May 2013 at 9:50

[GoogleCodeExporter]

Not sure exactly what problems you are having, a stack trace of the error you 
are receiving would be helpful. But, one issue may be that you need to turn on 
PyCrypto support on for your application:

  http://google-api-python-client.googlecode.com/hg/docs/epy/oauth2client.client.SignedJwtAssertionCredentials-class.html

  https://developers.google.com/appengine/docs/python/tools/libraries27

Make sure it is PyCrypto 2.6 or later.

Original comment by jcgregorio@google.com on 19 May 2013 at 2:17

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Hi,

practical question: I see this issue is marked 'fixed' on Jan 24th. I'm using 
the Drive API in a GAE project with a service account, and so I need this fix, 
but in the download page, the package "google-api-python-client-gae-1.0.zip" is 
dated Sep 2012.

How can I obtain the fix? Can I patch the google-api-python-client that I have 
installed in my project? When will a new package be created?

Fyi, I have activated pycrypto in app.yaml and I get the error on this code:

from oauth2client.client import SignedJwtAssertionCredentials
f = file(SERVICE_ACCOUNT_PKCS12_FILE_PATH, 'rb')
key = f.read()
f.close()
credentials = SignedJwtAssertionCredentials(SERVICE_ACCOUNT_EMAIL, key, 
scope=OAUTH_SCOPE)
http = httplib2.Http()
http = credentials.authorize(http)
return build('drive', 'v2', http=http)

This is the stack trace:

  File "C:\Program Files (x86)\Google\google_appengine\google\appengine\tools\dev_appserver_import_hook.py", line 692, in Decorate
    return func(self, *args, **kwargs)
  File "C:\Program Files (x86)\Google\google_appengine\google\appengine\tools\dev_appserver_import_hook.py", line 1766, in load_module
    return self.FindAndLoadModule(submodule, fullname, search_path)
  File "C:\Program Files (x86)\Google\google_appengine\google\appengine\tools\dev_appserver_import_hook.py", line 692, in Decorate
    return func(self, *args, **kwargs)
  File "C:\Program Files (x86)\Google\google_appengine\google\appengine\tools\dev_appserver_import_hook.py", line 1630, in FindAndLoadModule
    description)
  File "C:\Program Files (x86)\Google\google_appengine\google\appengine\tools\dev_appserver_import_hook.py", line 692, in Decorate
    return func(self, *args, **kwargs)
  File "C:\Program Files (x86)\Google\google_appengine\google\appengine\tools\dev_appserver_import_hook.py", line 1577, in LoadModuleRestricted
    description)
  File "C:\Users\vic\Dropbox\Development\Eclipse-juno-workspace\Missale\src\drive.py", line 6, in <module>
    from oauth2client.client import SignedJwtAssertionCredentials
ImportStringError: import_string() failed for 'illustrations.SyncHandler'. 
Possible reasons are:

- missing __init__.py in a package;
- package or module path not included in sys.path;
- duplicated package or module name taking precedence in sys.path;
- missing module, class, function or variable;

Original exception:

ImportError: cannot import name SignedJwtAssertionCredentials

Original comment by vicmorte...@gmail.com on 17 Jun 2013 at 12:58

[GoogleCodeExporter]

Use google-api-python-client-gae-1.1.zip

https://code.google.com/p/google-api-python-client/downloads/detail?name=google-
api-python-client-gae-1.1.zip

Original comment by dhermes@google.com on 17 Jun 2013 at 2:50

[GoogleCodeExporter]

just leaving a note on how I think I'm now getting on with running my python 
GAE app locally using a service account with private key credentials. I've 
converted the .p12 private key file to .pem format using openssl (openssl 
pkcs12 -in xxxxx.p12 -nodes -nocerts > privatekey.pem). I deleted the four 
first lines in the .pem file, because it must start with "-----BEGIN". I 
installed a precompiled pycrypto library 
(http://www.voidspace.org.uk/python/modules.shtml#pycrypto)(not sure if this is 
needed).

Original comment by vicmorte...@gmail.com on 22 Jun 2013 at 3:26

[GoogleCodeExporter]

Another note that may be relevant. Whether I use 'dev_appserver.py' or 
'old_dev_appserver.py'  seems to  have an impact on the 
SignedJwtAssertionCredentials  import problem. Using 'dev_appserver.py', I do 
not have the import problem (but no breakpoints), and using 
'old_dev_appserver.py', I can reproduce the import problem. So the 
'old_dev_appserver.py' may have been part of the problem all along!

Original comment by vicmorte...@gmail.com on 22 Jun 2013 at 5:07

[GoogleCodeExporter]

Thank you, vicmorte!  You are a life-saver! Converting the PKCS12 file into PEM 
and removing the four first lines helped, pycrypto has accepted it and 
authorization is working.

Original comment by a...@hatzis.de on 5 Dec 2014 at 5:32